Status: Fixed
Closed: Jul 2015
Adobe Reader CoolType out-of-bounds reads from the input CharString stream
Project Member Reported by mjurczyk@google.com, Feb 3 2015
The Type1/CFF CharString interpreter code in the Adobe Reader CoolType.dll font library does not check whether the input stream pointer has gone beyond the end of the source buffer that stores the state machine instructions.

The unbounded reads can happen:

1) At the beginning of the VM execution loop (reading main opcode).
2) While reading the second opcode byte in case of the 'escape' instruction.
3) While reading the 'extendedmbr' instruction parameter, or the 16/32-bit numeric value to be pushed onto the interpreter stack.

This may result in the following outcomes:

1) The parser reads garbage, uninitialized or left-over data and interprets them as CharString instructions.
2) The parser reaches the end of a mapped memory page and attempts to read bytes beyond it, consequently resulting in a crash of the sandboxed AcroRd32.exe process.

Neither scenario is a serious security threat (unlike an equivalent bug filed on the Windows Kernel ATMFD.DLL, which can lead to a global system crash or information disclosure), so this bug is filed just as a general note on the code quality of the CharString interpreter in CoolType. Adobe Reader 11.0.10 is confirmed to be affected, but we expect all prior versions of the software to be prone to the bug, too.

Due to the minimal severity of the issue, we have not developed a proof of concept.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
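The three unchecked read sites listed in the report, shown in bounds-checked form as an added example (this is not Adobe's code and not part of the report): a toy Type 1/CFF-style CharString decoder in C in which every fetch from the instruction stream is validated first, so a truncated opcode, escape byte or 16/32-bit operand yields an error instead of a read past the buffer. The cs_vm layout, the CS_* return codes and the sample streams are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not Adobe's code: a minimal CharString decoder in which every
 * fetch from the instruction stream is bounds-checked. Opcodes follow Type 1/CFF
 * conventions (12 = escape, 28 = 16-bit, 255 = 32-bit int); the rest is assumed. */
enum { CS_OK = 0, CS_TRUNCATED = -1 };
typedef struct { const uint8_t *buf; size_t len, pos; int ops; int32_t last; } cs_vm;

/* The check the report says CoolType lacks: all n bytes must lie inside [pos, len).
 * pos <= len always holds (pos only advances after this check), so no underflow. */
static int cs_fetch(cs_vm *vm, size_t n, uint32_t *out) {
    if (n > vm->len - vm->pos) return CS_TRUNCATED;
    uint32_t v = 0;
    while (n--) v = (v << 8) | vm->buf[vm->pos++];
    *out = v;
    return CS_OK;
}

/* Decode to end of stream; CS_TRUNCATED if an opcode, escape byte or operand is cut off. */
static int cs_run(cs_vm *vm) {
    uint32_t b, x; int rc;
    while (vm->pos < vm->len) {
        if ((rc = cs_fetch(vm, 1, &b)) != CS_OK) return rc;   /* site 1: main opcode */
        if (b == 12) {                                         /* site 2: escape op */
            if ((rc = cs_fetch(vm, 1, &x)) != CS_OK) return rc;
            vm->ops++;
        } else if (b == 28 || b == 255) {                      /* site 3: 16/32-bit int */
            if ((rc = cs_fetch(vm, b == 28 ? 2 : 4, &x)) != CS_OK) return rc;
            vm->last = b == 28 ? (int16_t)x : (int32_t)x;
        } else if (b < 32) {                                   /* one-byte operator */
            vm->ops++;
        } else if (b <= 246) {                                 /* one-byte number */
            vm->last = (int32_t)b - 139;
        } else {                                               /* two-byte number */
            if ((rc = cs_fetch(vm, 1, &x)) != CS_OK) return rc;
            vm->last = b <= 250 ? ((int32_t)b - 247) * 256 + (int32_t)x + 108
                                : -(((int32_t)b - 251) * 256 + (int32_t)x + 108);
        }
    }
    return CS_OK;
}

/* Returns the operator count on success or the negative CS_* error code. */
int cs_check(const uint8_t *buf, size_t len, int32_t *last) {
    cs_vm vm = { buf, len, 0, 0, 0 };
    int rc = cs_run(&vm);
    if (last) *last = vm.last;
    return rc == CS_OK ? vm.ops : rc;
}

/* Constructed sample streams, not taken from any real font. */
static const uint8_t cs_good[]       = { 189, 159, 21 };     /* 50 20 rmoveto */
static const uint8_t cs_cut_escape[] = { 149, 12 };          /* escape lacking its 2nd byte */
static const uint8_t cs_cut_int32[]  = { 255, 0x00, 0x01 };  /* 32-bit int, only 2 of 4 bytes */
```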
 
Project Member Comment 1 by mjurczyk@google.com, Feb 6 2015
Labels: Reported-2015-Feb-6
Project Member Comment 2 by mjurczyk@google.com, Feb 11 2015
Labels: Id-3278
Comment 3 Deleted
Project Member Comment 4 by mjurczyk@google.com, May 7 2015
Labels: -Id-3278 -Deadline-Exceeded -Deadline-Grace Id-3279 CVE-2015-3095
Tagging a CVE and fixing mismatched PSIRT-ID.

From Adobe: "PSIRT-3279 is slated to be addressed in the July update, and we realize that bug will be disclosed without a patch available."

So looks like a deadline miss in a couple of days -- but the bug is not high severity, so not a huge deal.
Comment 5 by cevans@google.com, May 7 2015
Labels: -Restrict-View-Commit Deadline-Exceeded
Deadline exceeded - automatically derestricting.
Project Member Comment 6 by mjurczyk@google.com, Jul 15 2015
Labels: Fixed-2015-Jul-8
Status: Fixed
Fixed in https://helpx.adobe.com/security/products/acrobat/apsb15-15.html.