Starred by 3 users
Status: Fixed
Owner:
Closed: Dec 2014
Cc:
Adobe Reader X for Windows out-of-bounds read in AGM.dll
Project Member Reported by mjurczyk@google.com, Oct 30 2014
The following access violation was observed in Adobe Reader X for Windows:

(1320.12c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=433f3f80 ebx=0b836534 ecx=00000001 edx=00000102 esi=0b836124 edi=0028e12c
eip=6962cd2d esp=0028d87c ebp=0c29a7bc iopl=0         ov up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010a83
AGM!AGMTerminate+0x15adb7:
6962cd2d 8b448500        mov     eax,dword ptr [ebp+eax*4] ss:0023:1926a5bc=????????
0:000> !heap -p -a ebp
    address 0c29a7bc found in
    _DPH_HEAP_ROOT @ 5361000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 bbb0514:          c28e1d8             fe28 -          c28e000            11000
    6bdd8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77085ede ntdll!RtlDebugAllocateHeap+0x00000030
    7704a40a ntdll!RtlpAllocateHeap+0x000000c4
    77015ae0 ntdll!RtlAllocateHeap+0x0000023a
    7310a792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
    71473db8 MSVCR90!malloc+0x00000079
    67101e92 AcroRd32_670e0000!AVAcroALM_Destroy+0x000137c4
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0028d914 6962c006 AGM!AGMTerminate+0x15adb7
0028d91c 6962c02a AGM!AGMTerminate+0x15a090
0028d93c 694a1f7b AGM!AGMTerminate+0x15a0b4
0028d94c 714346fc AGM!AGMInitialize+0x37400

Notes:

- Reproduces on Adobe Reader X (10.1.12) for Windows, on Windows 7, with Application Verifier enabled. We are unable to reproduce on Adobe Reader XI (11.0.09) in the same configuration.

- The surrounding code operates heavily on floats.

- The direct reason for the crash is an unbounded index number used to address a heap allocation pointed to by “EBP”, which is derived from a float number in the same loop in which the SIGSEGV occurs. The retrieved value is copied into an output array allocated from the heap, pointed to by “ESI”.

- Attached samples: signal_sigsegv_f795e4d1_5174_4477.pdf (crashing file), 4477.pdf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
 
Attachments:
signal_sigsegv_f795e4d1_5174_4477.pdf (737 KB)
4477.pdf (735 KB)
Project Member Comment 1 by mjurczyk@google.com, Oct 30 2014
Owner: mjurczyk@google.com
Project Member Comment 2 by mjurczyk@google.com, Oct 31 2014
Labels: Id-3111
Project Member Comment 3 by mjurczyk@google.com, Dec 10 2014
Labels: -Restrict-View-Commit CVE-2014-8459 Fixed-2014-Dec-9
Status: Fixed
http://helpx.adobe.com/security/products/reader/apsb14-28.html
Project Member Comment 4 by scvitti@google.com, Jan 13 2015
Labels: -Reported-2014-Oct-2014 Reported-2014-Oct-30