The following access violation was observed in Adobe Reader X for Windows:
(11e8.1618): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=12822dfc ebx=12824000 ecx=00000018 edx=00000000 esi=12822dec edi=00000008
eip=6a262b9d esp=0013da60 ebp=0013da98 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202
CoolType!CTInit+0x27279:
6a262b9d 8a1b mov bl,byte ptr [ebx] ds:0023:12824000=??
0:000> !heap -p -a ebx
address 12824000 found in
_DPH_HEAP_ROOT @ 4cc1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
127a08bc: 128141d8 fe28 - 12814000 11000
6b508e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
76fb5ede ntdll!RtlDebugAllocateHeap+0x00000030
76f7a40a ntdll!RtlpAllocateHeap+0x000000c4
76f45ae0 ntdll!RtlAllocateHeap+0x0000023a
72e6a792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
71393db8 MSVCR90!malloc+0x00000079
64d6deb2 AcroRd32_64ca0000!AX_ASRamFileSysSetLimitKB+0x000a4e0a
6a1d1350 CoolType+0x00001350
6a1f4f75 CoolType+0x00024f75
6a1f7c4c CoolType+0x00027c4c
6a1fe900 CoolType+0x0002e900
6a1fea4c CoolType+0x0002ea4c
6a22131e CoolType+0x0005131e
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0013da98 6a25f0a8 CoolType!CTInit+0x27279
0013db54 6a25f9b2 CoolType!CTInit+0x23784
0013dbc8 6a1dabe7 CoolType!CTInit+0x2408e
0013dc1c 6a1f45fe CoolType+0xabe7
0013dd6c 6a1f9776 CoolType+0x245fe
00000000 00000000 CoolType+0x29776
Notes:
- Reproduces on Adobe Reader X (10.1.12) for Windows, on Windows 7, with Application Verifier enabled. We are unable to reproduce on Adobe Reader XI (11.0.09) in the same configuration.
- The crash occurs when the user opens the “Thumbnails” dialog on the left of the main window.
- The “EBX” register points at the end boundary of a heap allocation.
- Attached samples: signal_sigsegv_f7314fa8_5370_4609.pdf (crashing file), 4609.pdf (original file).
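The "end boundary" observation in the notes above can be checked mechanically from the debugger output: under page heap the user buffer is placed at the end of its committed region, so UserAddr + UserSize is the first byte of the guard page, and a fault at exactly that address is a one-past-the-end read. The following triage helper is an added example and is not part of the original report; it parses the register dump and the `!heap -p -a` block printed above (embedded here as sample input copied from the report) and classifies the faulting address relative to the allocation.

```python
import re

# Sample input taken from the crash report above: the register dump and the
# DPH_HEAP_BLOCK row printed by "!heap -p -a ebx" under Application Verifier.
REGISTER_DUMP = """eax=12822dfc ebx=12824000 ecx=00000018 edx=00000000 esi=12822dec edi=00000008
eip=6a262b9d esp=0013da60 ebp=0013da98 iopl=0 nv up ei pl nz na po nc"""

HEAP_OUTPUT = """address 12824000 found in
_DPH_HEAP_ROOT @ 4cc1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
127a08bc: 128141d8 fe28 - 12814000 11000"""


def parse_registers(dump):
    """Return {name: value} for the 32-bit registers in a WinDbg register dump."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z]{2,3})=([0-9a-f]{8})\b", dump)}


def parse_dph_block(text):
    """Parse the DPH_HEAP_BLOCK row of '!heap -p -a' output.

    Returns (user_addr, user_size, virt_addr, virt_size) as integers.
    """
    row = re.search(
        r"^[0-9a-f]+:\s+([0-9a-f]+)\s+([0-9a-f]+)\s+-\s+([0-9a-f]+)\s+([0-9a-f]+)\s*$",
        text, re.M)
    if not row:
        raise ValueError("no DPH_HEAP_BLOCK row found in heap output")
    return tuple(int(g, 16) for g in row.groups())


def classify_fault(addr, user_addr, user_size, virt_addr, virt_size):
    """Describe where a faulting address lies relative to a page-heap block.

    Page heap puts the user buffer flush against the end of its committed
    region, so the byte immediately after the buffer is on the guard page and
    any read or write there faults at once. Returns (kind, offset), where
    offset is measured from the end of the user buffer for the past-end cases
    and from its start otherwise.
    """
    user_end = user_addr + user_size
    virt_end = virt_addr + virt_size
    if user_addr <= addr < user_end:
        return "inside", addr - user_addr
    if addr == user_end:
        return "one-past-end", 0
    if user_end < addr < virt_end:
        return "past-end", addr - user_end          # further into the guard page
    if virt_addr <= addr < user_addr:
        return "before-start", user_addr - addr     # alignment slack before the buffer
    return "outside", None


def triage(register_dump, heap_output, reg="ebx"):
    """Tie the two parsers together for the register that faulted."""
    regs = parse_registers(register_dump)
    block = parse_dph_block(heap_output)
    return classify_fault(regs[reg], *block)


if __name__ == "__main__":
    kind, offset = triage(REGISTER_DUMP, HEAP_OUTPUT)
    print(f"ebx is {kind} (offset {offset:#x}) relative to the page-heap block")
```

For the dump above the helper reports `one-past-end`, which matches the note that EBX sits exactly at the allocation's end boundary; a `past-end` result with a larger offset would instead point at a longer overrun, and `inside` would mean the page-heap block is not the one being overrun.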
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.