The following access violation was observed in Adobe Reader X and XI for Windows:

(d4c.4c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0699b912 ebx=00000000 ecx=0699b912 edx=000000ff esi=10d9b913 edi=0699b902
eip=693136d1 esp=1133d918 ebp=1133d988 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010287
CoolType+0x536d1:
693136d1 660fb64708      movzx   ax,byte ptr [edi+8]        ds:0023:0699b90a=??
0:014> !address edi+8

Usage:                  PageHeap
Base Address:           0699b000
End Address:            0699c000
Region Size:            00001000
State:                  00002000	MEM_RESERVE
Protect:                <info not present at the target>
Type:                   00020000	MEM_PRIVATE
Allocation Base:        06950000
Allocation Protect:     00000001	PAGE_NOACCESS
More info:              !heap -p 0x5251000
More info:              !heap -p -a 0x699b90a
0:014> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
1133d988 00000000 CoolType+0x536d1

Notes:

- Reproduces on Adobe Reader X (10.1.12) and Adobe Reader XI (11.0.09) for Windows, on Windows 7, with Application Verifier enabled.

- The “EDI” register points into a reserved PageHeap memory page following a regular heap allocation. This implies this is an out-of-bounds memory access relative to a heap-based buffer.

- Sometimes several attempts are required to reproduce the case.

- Attached samples: signal_sigsegv_f74f5598_9029_707.pdf (crashing file), 707.pdf (original file).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.


 

signal_sigsegv_f74f5598_9029_707.zip 1.6 MB Download