The following access violation was observed in Adobe Reader X and XI for Windows:
(3ac.172c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=17625000 ebx=17624ff9 ecx=00000000 edx=c0c0c0d0 esi=00000000 edi=177adf99
eip=658326d2 esp=0051c798 ebp=17624ff1 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
AcroRd32_64fe0000!CTJPEGDecoderCreateUsingData+0xa69f2:
658326d2 0fb608 movzx ecx,byte ptr [eax] ds:0023:17625000=??
0:000> !heap -p -a eax
address 17625000 found in
_DPH_HEAP_ROOT @ 5591000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
17610c30: 17624ee0 11f - 17624000 2000
73128e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77085ede ntdll!RtlDebugAllocateHeap+0x00000030
7704a40a ntdll!RtlpAllocateHeap+0x000000c4
77015ae0 ntdll!RtlAllocateHeap+0x0000023a
730fa792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
71473db8 MSVCR90!malloc+0x00000079
65001e92 AcroRd32_64fe0000!AVAcroALM_Destroy+0x000137c4
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0051c80c 6582975e AcroRd32_64fe0000!CTJPEGDecoderCreateUsingData+0xa69f2
0051c810 0051c844 AcroRd32_64fe0000!CTJPEGDecoderCreateUsingData+0x9da7e
Notes:
- Reproduces on Adobe Reader X (10.1.12) and Adobe Reader XI (11.0.09) for Windows, on Windows 7, with Application Verifier enabled.
- The crash occurs after navigating to the ~27th page of the POC document.
- The EAX register (17625000) points immediately past the end of the 0x11f-byte heap allocation at 17624ee0, i.e. onto the page-heap guard page, so the faulting movzx is an out-of-bounds read.
- Attached samples: signal_sigsegv_f71fa75b_2469_2658.pdf (crashing file), 2658.pdf (original file).
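The "EAX points at the end of a heap block" observation above is the kind of check a triager repeats for every page-heap crash. The following script is an added example, not part of the original report: it parses the register line and the DPH_HEAP_BLOCK line exactly as WinDbg printed them, then reports where the faulting address sits relative to the user buffer and whether it lands on the page-heap guard page (the last page of the block's virtual reservation). The parsing regexes and the `triage` helper are my own assumptions, not a WinDbg or Adobe API.

```python
import re

# Constructed sample input: the register dump and the DPH_HEAP_BLOCK line copied from the report above.
REGS_LINE = "eax=17625000 ebx=17624ff9 ecx=00000000 edx=c0c0c0d0 esi=00000000 edi=177adf99"
DPH_LINE = "17610c30: 17624ee0 11f - 17624000 2000"
PAGE_SIZE = 0x1000  # x86 Windows page size; page heap's guard page is exactly one page

def parse_regs(line):
    """Parse 'name=hex' pairs from a WinDbg register line into ints."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z]{2,3})=([0-9a-fA-F]{8})\b", line)}

def parse_dph_block(line):
    """Parse '<block>: <UserAddr> <UserSize> - <VirtAddr> <VirtSize>' from '!heap -p -a' output."""
    m = re.match(r"\s*[0-9a-fA-F]+:\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+-\s+"
                 r"([0-9a-fA-F]+)\s+([0-9a-fA-F]+)", line)
    if not m:
        raise ValueError("not a DPH_HEAP_BLOCK line: %r" % line)
    ua, us, va, vs = (int(g, 16) for g in m.groups())
    return {"user_addr": ua, "user_size": us, "virt_addr": va, "virt_size": vs}

def classify_access(addr, blk):
    """Locate addr relative to a page-heap block. Under page heap the last page of the
    virtual reservation is the no-access guard page placed right after the user buffer."""
    start = blk["user_addr"]
    end = start + blk["user_size"]                      # exclusive end of the user buffer
    guard = blk["virt_addr"] + blk["virt_size"] - PAGE_SIZE
    res = {"addr": addr, "on_guard_page": guard <= addr < guard + PAGE_SIZE}
    if start <= addr < end:
        res.update(kind="in_bounds", offset=addr - start)
    elif addr >= end:
        res.update(kind="overflow", past_end=addr - end)  # 0 = first byte after the buffer
    else:
        res.update(kind="underflow", before_start=start - addr)
    return res

def triage(regs_line=REGS_LINE, dph_line=DPH_LINE, reg="eax"):
    """Classify the address held in one register against the DPH block it was looked up in."""
    regs = parse_regs(regs_line)
    return classify_access(regs[reg], parse_dph_block(dph_line))

if __name__ == "__main__":
    for reg in ("eax", "ebx"):
        r = triage(reg=reg)
        print("%s=%08x -> %s" % (reg, r["addr"], r))
```

For this report, `eax` classifies as an overflow landing on the guard page, while `ebx` (17624ff9) is still inside the buffer at offset 0x119, which is consistent with a read loop that walked off the end of the decoder's input buffer.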
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Attachment: signal_sigsegv_f71fa75b_2469_2658.pdf (1.8 MB)