The following access violation was observed in Adobe Reader X and XI for Windows:
(114c.1f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0029cff8 ebx=000007ff ecx=0029cf80 edx=321dc2f9 esi=121dc6d0 edi=000007ff
eip=698091ad esp=0029cf28 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050246
AGM!AGMInitialize+0x2e2b1:
698091ad 0fb612 movzx edx,byte ptr [edx] ds:0023:321dc2f9=??
0:000> u @$scopeip
AGM!AGMInitialize+0x2e2b1:
698091ad 0fb612 movzx edx,byte ptr [edx]
698091b0 885001 mov byte ptr [eax+1],dl
698091b3 8b11 mov edx,dword ptr [ecx]
698091b5 0fb65201 movzx edx,byte ptr [edx+1]
698091b9 40 inc eax
698091ba 40 inc eax
698091bb 8810 mov byte ptr [eax],dl
698091bd 8b09 mov ecx,dword ptr [ecx]
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 AGM!AGMInitialize+0x2e2b1
Notes:
- Reproduces on Adobe Reader X (10.1.12) and Adobe Reader XI (11.0.09) for Windows, on Windows 7, with Application Verifier enabled.
- The “EDX” register being read from points into an unmapped portion of the address space.
- The “EAX” register being written to points to a stack location.
- The crashing function is fairly short: it copies three bytes from one buffer to another, and sets the fourth one in the destination buffer to 0x00.
- Attached samples: signal_sigsegv_f77edbae_2787_2872.pdf (crashing file), 2872.pdf (original file).
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
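A small crash-triage helper, added here as an example (it is not part of the report or of any Adobe code), that parses the WinDbg excerpt above: it derives the access type from the faulting instruction's operand order, extracts the faulting address, records whether WinDbg showed the page as unmapped (`??`), and classifies an address as stack or other relative to ESP, which is how the two notes about EDX and EAX can be checked mechanically. The ESP window size and the region heuristic are assumptions.

```python
import re

# Excerpt of the WinDbg output quoted in the report above (constructed from those lines).
CRASH_LOG = """(114c.1f4): Access violation - code c0000005 (first chance)
eax=0029cff8 ebx=000007ff ecx=0029cf80 edx=321dc2f9 esi=121dc6d0 edi=000007ff
eip=698091ad esp=0029cf28 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
698091ad 0fb612 movzx edx,byte ptr [edx] ds:0023:321dc2f9=??
"""

EXC_RE = re.compile(r'Access violation - code ([0-9a-f]{8})')
REG_RE = re.compile(r'\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})')
# "<addr> <opcode bytes> <mnemonic> <operands> ds:<seg>:<fault addr>=<contents or ??>"
FAULT_RE = re.compile(
    r'^[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s+(.*?)\s+ds:[0-9a-f]{4}:([0-9a-f]{8})=(\?\?|[0-9a-f]+)',
    re.M)
MEM_OPERAND = ('byte ptr', 'word ptr', 'dword ptr')


def parse_registers(log):
    """Return {register: value} from the 'eax=... ebx=...' register dump lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(log)}


def classify_address(addr, regs, window=0x10000):
    """Heuristic (assumed): an address at or shortly above ESP lies in the current stack."""
    return 'stack' if 0 <= addr - regs['esp'] < window else 'other'


def triage(log):
    """Summarise a first-chance access violation from a WinDbg excerpt."""
    exc = EXC_RE.search(log)
    fault = FAULT_RE.search(log)
    if not exc or not fault:
        raise ValueError('not a WinDbg access-violation excerpt')
    regs = parse_registers(log)
    mnemonic, operands, fault_addr, contents = fault.groups()
    fault_addr = int(fault_addr, 16)
    operands = [o.strip() for o in operands.split(',')]
    # Intel syntax lists the destination first: a memory destination means a write fault.
    access = 'write' if operands[0].startswith(MEM_OPERAND) else 'read'
    # Which general-purpose register held the faulting address (here EDX).
    via = [r for r, v in regs.items() if v == fault_addr and r != 'eip']
    return {
        'code': exc.group(1),
        'mnemonic': mnemonic,
        'access': access,
        'fault_addr': fault_addr,
        'unmapped': contents == '??',  # WinDbg prints ?? when the page is not mapped
        'via_register': via[0] if via else None,
        'region': classify_address(fault_addr, regs),
    }
```

Running `triage(CRASH_LOG)` reports a read fault through EDX at 0x321dc2f9 on an unmapped page, and `classify_address(regs['eax'], regs)` places EAX on the stack, matching the two notes above.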