The following access violation was observed in Adobe Reader X for Windows:
(1354.17ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0bf736f0 ebx=00000004 ecx=0bf82000 edx=00000013 esi=0bf73684 edi=00003a44
eip=6a4ee64b esp=002cc130 ebp=002cc1a8 iopl=0 ov up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010a87
CoolType!CTGetVersion+0x177cb:
6a4ee64b 8b01 mov eax,dword ptr [ecx] ds:0023:0bf82000=????????
0:000> u
CoolType!CTGetVersion+0x177cb:
6a4ee64b 8b01 mov eax,dword ptr [ecx]
6a4ee64d 03c3 add eax,ebx
6a4ee64f 8bd0 mov edx,eax
6a4ee651 c1fa18 sar edx,18h
6a4ee654 8811 mov byte ptr [ecx],dl
6a4ee656 41 inc ecx
6a4ee657 8bd0 mov edx,eax
6a4ee659 c1fa10 sar edx,10h
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
002cc1a8 0bf73684 CoolType!CTGetVersion+0x177cb
002cc238 6a4ed2c1 0xbf73684
002cc264 6a4ef942 CoolType!CTGetVersion+0x16441
002cc28c 6a4cfe8d CoolType!CTGetVersion+0x18ac2
002cc2bc 6a4e9f6c CoolType!CTInit+0x4bb7f
002cc474 6a45cc11 CoolType!CTGetVersion+0x130ec
002cc47c 71484673 CoolType+0x2cc11
Notes:
- Reproduces on Adobe Reader X (10.1.12) for Windows, on Windows 7, with Application Verifier enabled. We are unable to reproduce on Adobe Reader XI (11.0.09) in the same configuration.
- The crash occurs after navigating to the 3rd page of the POC document.
- The ECX register points into the end of a heap region of size 0x10000.
- Based on the type of memory reference following the crashing instruction, we can assume this is a heap-based buffer overflow.
- Attached samples: signal_sigsegv_f742dfef_7517_6052.pdf (crashing file), 6052.pdf (original file).
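To make the faulting sequence concrete from a defensive angle, the following C is an added illustration (not Adobe's or CoolType's code): it models a loop that reads a 32-bit entry at the current pointer, adds a constant, and stores the result back high byte first, the operation sequence visible in the disassembly above, together with the length check whose absence the crash at the end of the heap block indicates. The function names, the "table of entries" interpretation, the load byte order and all sample data are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Store v at p high byte first: the "sar edx,18h / mov [ecx],dl / inc ecx /
 * sar edx,10h ..." sequence in the disassembly above. */
static void store_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

/* Read the entry back in the same byte order so the round trip is
 * consistent (assumption: the real code's load order is not visible). */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Add delta to 'count' consecutive 32-bit entries at buf+off, in place.
 * Returns 0 on success, -1 if the entries would extend past buf_len.
 * The check runs before the loop, so a bad count touches nothing; without
 * it the write pointer walks off the end of the block, as [ecx] did here. */
int adjust_entries(uint8_t *buf, size_t buf_len, size_t off,
                   size_t count, uint32_t delta)
{
    if (off > buf_len || count > (buf_len - off) / 4)
        return -1;                      /* reject, touch nothing */
    for (size_t i = 0; i < count; i++) {
        uint8_t *p = buf + off + i * 4;
        store_be32(p, load_be32(p) + delta);
    }
    return 0;
}

/* Constructed self-check: a 16-byte block with two entries at offset 8.
 * Returns 1 when the in-range update lands and the overrunning one is refused
 * (delta 4 is a constructed value that merely matches ebx in the dump). */
int self_check(void)
{
    uint8_t blk[16] = {0};
    store_be32(blk + 8, 0x10);
    store_be32(blk + 12, 0x20);
    if (adjust_entries(blk, sizeof blk, 8, 2, 4) != 0) return 0;
    if (load_be32(blk + 8) != 0x14 || load_be32(blk + 12) != 0x24) return 0;
    /* three entries at offset 8 would need 20 bytes: must be rejected */
    return adjust_entries(blk, sizeof blk, 8, 3, 4) == -1;
}
```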
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Attachment: signal_sigsegv_f742dfef_7517_6052.zip (2.0 MB)