Adobe Acrobat Reader DC for Windows Heap-Based Memory Corruption

Credit: Google
Risk: High
Local: No
Remote: Yes

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- (4c84.1e3c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=13842768 ebx=14b6d730 ecx=1383e108 edx=13832820 esi=13832850 edi=14b6d92c eip=1062a82e esp=1383def0 ebp=1383def8 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 CoolType!CTInit+0x37aa7: 1062a82e 8902 mov dword ptr [edx],eax ds:002b:13832820=???????? 0:022> u @eip-14 CoolType!CTInit+0x37a93: 1062a81a 8b7d0c mov edi,dword ptr [ebp+0Ch] 1062a81d 8b571c mov edx,dword ptr [edi+1Ch] 1062a820 8b7720 mov esi,dword ptr [edi+20h] 1062a823 035508 add edx,dword ptr [ebp+8] 1062a826 8b4724 mov eax,dword ptr [edi+24h] 1062a829 037508 add esi,dword ptr [ebp+8] 1062a82c 03c6 add eax,esi 1062a82e 8902 mov dword ptr [edx],eax 0:022> ? poi(edi+1c) Evaluate expression: -56136 = ffff24b8 0:022> ? poi(ebp+8) Evaluate expression: 327418728 = 13840368 0:022> !heap -p -a 13840368 address 13840368 found in _DPH_HEAP_ROOT @ bd61000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) bd639c0: 13840368 190c94 - 13840000 192000 unknown!fillpattern 66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240 77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c 7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6 7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7 7725ccee ntdll!RtlAllocateHeap+0x0000003e 66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f 74a2f1f6 ucrtbase!_malloc_base+0x00000026 0e96fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9 105f74d4 CoolType!CTInit+0x0000474d 105f8888 CoolType!CTInit+0x00005b01 106270cf CoolType!CTInit+0x00034348 10626c61 CoolType!CTInit+0x00033eda 106265a2 CoolType!CTInit+0x0003381b 10623c6f CoolType!CTInit+0x00030ee8 10621d55 CoolType!CTInit+0x0002efce 106210e9 CoolType!CTInit+0x0002e362 1062096c CoolType!CTInit+0x0002dbe5 10620893 CoolType!CTInit+0x0002db0c 645138e1 AGM!AGMInitialize+0x0002aab1 0:022> kb # ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 00 1383def8 1062a372 13840368 14b6d92c 13840368 CoolType!CTInit+0x37aa7 01 1383df6c 1062a296 1383e104 1383e034 00000001 CoolType!CTInit+0x375eb 02 1383df84 1062a277 1383e104 1383e034 16977160 CoolType!CTInit+0x3750f 03 1383df98 10629d00 1383e104 1383e034 16977160 CoolType!CTInit+0x374f0 04 1383dfb8 10629a71 1383e328 16977160 00000000 CoolType!CTInit+0x36f79 05 1383e158 10628ea7 16977160 108a00a0 1383e328 CoolType!CTInit+0x36cea 06 1383e3b4 10623e89 1383e6a8 1383e430 00000000 CoolType!CTInit+0x36120 07 1383e6d0 10621d55 00000001 00000000 00000000 CoolType!CTInit+0x31102 08 1383e7a0 106210e9 16d43ec0 00000009 1383e834 CoolType!CTInit+0x2efce 09 1383efb8 1062096c 188f40ec 1383efd0 188f40c8 CoolType!CTInit+0x2e362 0a 1383f038 10620893 188f40ec 188f40d4 393d9f99 CoolType!CTInit+0x2dbe5 0b 1383f070 645138e1 14c73e6c 188f40ec 10882280 CoolType!CTInit+0x2db0c 0c 1383f084 644ffb1e 188f40d4 644ffab0 1737c5f0 AGM!AGMInitialize+0x2aab1 0d 1383f098 644fe8e7 1737c5fc 649a09f8 00000001 AGM!AGMInitialize+0x16cee 0e 1383f0d0 6451041c 30146add 13db5c78 00000000 AGM!AGMInitialize+0x15ab7 0f 1383f17c 772fcd28 0ad60000 1383f1b0 66d6922c AGM!AGMInitialize+0x275ec 10 1383f190 00000000 66d69238 772fcd10 0ad64d80 ntdll!RtlReleaseStackTrace+0x18 --- cut --- Notes: - Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though). - The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data at a negative offset relative to a heap allocation (-56136 in the above case). - Attached samples: poc.pdf (crashing file), original.pdf (original file). - We have minimized the difference between the original and mutated files down to three bytes at offsets 0x2bd4c, 0x2bd4d and 0x2d5b8 (0x00 => 0xff in all cases). These bytes reside inside of a TrueType font stream. Proof of Concept:

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020,


Back to Top