When parsing a specially crafted PDF document, a value derived from a file is used as a memory pointer leading to a process crash.
When parsing a PDF file with an object containing a stream, a missing object type specification can lead to arbitrary pointer access. In the supplied testcase, the /Type value is missing (originally /XRef) and the trailing bytes are interpreted as the type. An ASCII integer value is converted into a 32-bit integer which is subsequently used as a pointer in a comparison operation. If the pointer is invalid, a process crash occurs.
Technical information below:
An ASCII integer value appearing after the /Type element in the supplied PDF file is converted into a 32-bit integer (in this case 0x41414141) which ends up being used as the source operand (esi) in the comparison instruction against the "XRef" string pointed at by edi:

```asm
.text:B74E9B72 mov     esi, [eax]
.text:B74E9B74 mov     ecx, 5
.text:B74E9B79 cld
.text:B74E9B7A lea     edi, (aXref - 0B74F6998h)[ebx] ; "XRef"
.text:B74E9B80 repe cmpsb
```

Although the value in esi is fully controlled, it is promptly discarded after the comparison, making this issue unexploitable by itself.
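As an added illustration (not the affected product's code; the token model, the dictionary samples and the function names are assumptions), a hypothetical parser shows the pattern described above: the word-sized slot following /Type is dereferenced as a pointer without first checking that the token is a name, beside a checked version that rejects the malformed dictionary instead of crashing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical token model (assumption, not the affected product's code): one
 * word-sized slot holds a pointer to a name's text or a raw integer value. */
typedef enum { TOK_NONE, TOK_NAME, TOK_INT } tok_kind;
typedef struct { tok_kind kind; uintptr_t slot; } token;
/* Read the token that follows "/Type" in a dictionary body. */
static token type_token(const char *dict) {
    token t = { TOK_NONE, 0 };
    const char *p = strstr(dict, "/Type");
    if (!p) return t;
    p += 5; while (*p == ' ') p++;
    if (*p == '/') { t.kind = TOK_NAME; t.slot = (uintptr_t)(p + 1); }
    else if (*p >= '0' && *p <= '9') {
        t.kind = TOK_INT;                 /* 1094795585 decimal == 0x41414141 */
        t.slot = (uint32_t)strtoul(p, NULL, 10);
    }
    return t;
}

/* Compare a name's text against want, stopping at a PDF delimiter. */
static int name_is(const char *s, const char *want) {
    size_t n = strlen(want);
    return strncmp(s, want, n) == 0 &&
           (s[n] == '\0' || s[n] == ' ' || s[n] == '/' || s[n] == '>');
}

/* Vulnerable pattern: the slot is dereferenced without checking the token kind,
 * so an integer token acts as a wild pointer in the compare (the repe cmpsb
 * above). Shown for contrast; on a TOK_INT token this is the reported crash. */
static int is_xref_unchecked(token t) {
    return name_is((const char *)t.slot, "XRef");
}

/* Checked version: 1 for /XRef, 0 for another name, -1 for a missing or
 * non-name /Type, which the caller should reject as a malformed file. */
static int is_xref_checked(token t) {
    if (t.kind != TOK_NAME) return -1;
    return name_is((const char *)t.slot, "XRef");
}
int main(void) {
    /* Constructed samples: a well-formed header, then the advisory's shape. */
    const char *good = "/Type /XRef /Size 10", *bad = "/Type 1094795585 /Size 10";
    printf("good: %d\n", is_xref_checked(type_token(good)));  /* 1 */
    printf("bad:  %d\n", is_xref_checked(type_token(bad)));   /* -1, no crash */
    return 0;
}
```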
2016-04-12 - Vendor Notification
2016-07-19 - Public Disclosure
Discovered by Aleksandar Nikolic of Cisco Talos.