Talos Vulnerability Report

TALOS-2023-1909

Adobe Acrobat Reader Font avar SegmentMaps out-of-bounds read vulnerability

February 15, 2024
CVE Number

CVE-2024-20748

SUMMARY

An out-of-bounds read vulnerability exists in the font file processing functionality of Adobe Acrobat Reader 2023.006.20380. A specially crafted font file embedded into a PDF can trigger this vulnerability, which can lead to disclosure of sensitive information. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Adobe Acrobat Reader 2023.006.20380

PRODUCT URLS

Acrobat Reader - https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html

CVSSv3 SCORE

6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-125 - Out-of-bounds Read

DETAILS

Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is usually a default PDF reader on systems. It also integrates into web browsers as a plugin for rendering PDFs.

Adobe Acrobat supports parsing of font files embedded in a PDF. This vulnerability is related to the OpenType font format. An OpenType font file starts with a table directory (TableDirectory) followed by one or more table record (TableRecord) entries. The structure of TableDirectory is as follows:

Offset  Size  Name
------  ----  --------------------------------------
0x00    0x04  sfntVersion (0x00010000 or 0x4F54544F)
0x04    0x02  numTables
0x06    0x02  searchRange
0x08    0x02  entrySelector
0x0C    0x02  rangeShift

If the value of the sfntVersion field is 0x00010000, the font contains TrueType data. CFF data is present if the value of sfntVersion is 0x4F54544F (‘OTTO’). The numTables field specifies the number of TableRecord entries present in the font file. The structure of a TableRecord entry is as follows:

Offset Size   Name
------ ----- ----------------------------------
0x00    0x04  tableTag
0x04    0x04  tableChecksum
0x08    0x04  tableOffset
0x0C    0x04  tableLength

tableTag is the name of the TableRecord. The tableOffset field specifies the offset of the table from the beginning of the file, and tableLength indicates the length of the table. The structure of each table depends on its type, which is defined by the tableTag. This vulnerability occurs when the value of the tableTag field is the string avar, which indicates that the table is an Axis Variations (avar) table.

avar is an optional table related to variable fonts. It contains information that influences the interpolation of font variations data across axes. An avar table starts with a header, followed by SegmentMaps records. The structure of the avar table header is as follows:

Offset  Size  Name
------  ----  --------------------------------------
0x00    0x02  majorVersion
0x02    0x02  minorVersion
0x04    0x02  reserved
0x06    0x02  axisCount

The total size of the avar table header is 0x08. In the avar table, the value of the majorVersion field must be 1 and the value of minorVersion must be 0. The axisCount field indicates the number of variation axes for this font.

The number of SegmentMaps records present in the avar table is equal to axisCount. The structure of a SegmentMaps record is as follows:

Offset Size                        Name
------ ----- --------------------------------------
0x00    0x02                       positionMapCount
0x02    positionMapCount * 4       axisValueMaps

The positionMapCount field defines the number of correspondence pairs for this axis, and axisValueMaps holds those pairs. Each coordinate is 2 bytes and each axis value map contains 2 coordinates, so the total size of axisValueMaps is positionMapCount * 4 bytes.

This vulnerability occurs when tableLength is less than (0x08 + (0x02 * axisCount) + (positionMapCount_1 * 4 + positionMapCount_2 * 4 + ... + positionMapCount_n * 4)). Here, n is equal to axisCount, and positionMapCount_1 is the positionMapCount of the first SegmentMaps record. We can observe the following in the debugger (with PageHeap enabled):

0:000> p
eax=050fd8f4 ebx=00000000 ecx=050fd8e8 edx=00000000 esi=922aebd8 edi=922aebd8
eip=6c7a6adc esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x666cc:
6c7a6adc 895dc4          mov     dword ptr [ebp-3Ch],ebx ss:002b:050fd8e8=6c9d09e4
0:000> p
eax=050fd8f4 ebx=00000000 ecx=050fd8e8 edx=00000000 esi=922aebd8 edi=922aebd8
eip=6c7a6adf esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x666cf:
6c7a6adf 895dc8          mov     dword ptr [ebp-38h],ebx ss:002b:050fd8ec=a2dccfb0
0:000> p
eax=050fd8f4 ebx=00000000 ecx=050fd8e8 edx=00000000 esi=922aebd8 edi=922aebd8
eip=6c7a6ae2 esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x666d2:
6c7a6ae2 885dcc          mov     byte ptr [ebp-34h],bl      ss:002b:050fd8f0=f0
0:000> p
eax=050fd8f4 ebx=00000000 ecx=050fd8e8 edx=00000000 esi=922aebd8 edi=922aebd8
eip=6c7a6ae5 esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x666d5:
6c7a6ae5 e8fe43f2ff      call    CoolType!CTInit+0x17888 (6c6caee8)
0:000> p
eax=a22a6fd0 ebx=00000000 ecx=6c6c6501 edx=0040df34 esi=922aebd8 edi=922aebd8
eip=6c7a6aea esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x666da:
6c7a6aea 8b45c8          mov     eax,dword ptr [ebp-38h] ss:002b:050fd8ec=00000030 
0:000> p
eax=00000030 ebx=00000000 ecx=6c6c6501 edx=0040df34 esi=922aebd8 edi=922aebd8
eip=6c7a6aed esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x666dd:
6c7a6aed 8945e0          mov     dword ptr [ebp-20h],eax ss:002b:050fd904=922aebd8; <------------------------------------(1)
0:000> p
eax=00000030 ebx=00000000 ecx=6c6c6501 edx=0040df34 esi=922aebd8 edi=922aebd8
eip=6c7a6af0 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x666e0:
6c7a6af0 83f810          cmp     eax,10h
0:000> p
eax=00000030 ebx=00000000 ecx=6c6c6501 edx=0040df34 esi=922aebd8 edi=922aebd8
eip=6c7a6af3 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x666e3:
6c7a6af3 0f824e010000    jb      CoolType!CTCleanup+0x66837 (6c7a6c47)   [br=0]
0:000> p
eax=00000030 ebx=00000000 ecx=6c6c6501 edx=0040df34 esi=922aebd8 edi=922aebd8
eip=6c7a6af9 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x666e9:
6c7a6af9 8b75c4          mov     esi,dword ptr [ebp-3Ch] ss:002b:050fd8e8=a22a6fd0
0:000> p
eax=00000030 ebx=00000000 ecx=6c6c6501 edx=0040df34 esi=a22a6fd0 edi=922aebd8
eip=6c7a6afc esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x666ec:
6c7a6afc 8d45f0          lea     eax,[ebp-10h]
0:000> p
eax=050fd914 ebx=00000000 ecx=6c6c6501 edx=0040df34 esi=a22a6fd0 edi=922aebd8
eip=6c7a6aff esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x666ef:
6c7a6aff 6a04            push    4
0:000> p
eax=050fd914 ebx=00000000 ecx=6c6c6501 edx=0040df34 esi=a22a6fd0 edi=922aebd8
eip=6c7a6b01 esp=050fd8d4 ebp=050fd924 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x666f1:
6c7a6b01 50              push    eax
0:000> p
eax=050fd914 ebx=00000000 ecx=6c6c6501 edx=0040df34 esi=a22a6fd0 edi=922aebd8
eip=6c7a6b02 esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x666f2:
6c7a6b02 8975f0          mov     dword ptr [ebp-10h],esi ss:002b:050fd914=00000000
0:000> p
eax=050fd914 ebx=00000000 ecx=6c6c6501 edx=0040df34 esi=a22a6fd0 edi=922aebd8
eip=6c7a6b05 esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x666f5:
6c7a6b05 e8b3420000      call    CoolType!CTCleanup+0x6a9ad (6c7aadbd)  ;    <------------------------------ (2)
0:000> dd eax
050fd914  a22a6fd0 050fd954 6c8e4ec3 00000001
050fd924  050fd960 6c7a758d 6306ec2e 9cd20fe4
050fd934  922aebd8 9cd20f00 93a5ef90 0000006c
050fd944  6c6b4301 32018ca8 32018fd8 6c9df8e0
050fd954  050fd998 6c8e505e 00000002 050fd9a4
050fd964  6c6d91e0 050fda7c 6c6e6c96 6306ecea
050fd974  00000000 9cd20f00 00000001 00000000
050fd984  00000000 00000000 9cd20f08 00000000
0:000> db a22a6fd0                                                     ; <---------------------------------- (3)
a22a6fd0  00 01 00 00 00 00 00 01-00 0a c0 00 c0 00 00 00  ................
a22a6fe0  00 00 08 00 03 10 10 00-08 e8 18 00 11 cf 20 00  .............. .
a22a6ff0  1a b7 28 00 1e 9c 30 00-27 83 38 00 34 df 40 00  ..(...0.'.8.4.@.
a22a7000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
a22a7010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
a22a7020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
a22a7030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
a22a7040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:000> p
eax=00010000 ebx=00000000 ecx=a22a6fd4 edx=a22a6fd3 esi=a22a6fd0 edi=922aebd8
eip=6c7a6b0a esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x666fa:
6c7a6b0a 59              pop     ecx

At (1), the register eax contains the value of tableLength for the avar table. In this case, the value of tableLength is 0x30. The method called at (2) reads as many bytes from the avar table as its second argument specifies. The content of the avar table can be observed at (3).

0:000> p
eax=050fd914 ebx=00000000 ecx=a22a6fd6 edx=a22a6fd5 esi=a22a6fd0 edi=922aebd8
eip=6c7a6b25 esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x66715:
6c7a6b25 6a02            push    2
0:000> p
eax=050fd914 ebx=00000000 ecx=a22a6fd6 edx=a22a6fd5 esi=a22a6fd0 edi=922aebd8
eip=6c7a6b27 esp=050fd8cc ebp=050fd924 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x66717:
6c7a6b27 50              push    eax
0:000> p
eax=050fd914 ebx=00000000 ecx=a22a6fd6 edx=a22a6fd5 esi=a22a6fd0 edi=922aebd8
eip=6c7a6b28 esp=050fd8c8 ebp=050fd924 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x66718:
6c7a6b28 e890420000      call    CoolType!CTCleanup+0x6a9ad (6c7aadbd)    <---------------------------- (4)
0:000> p
eax=00000001 ebx=00000000 ecx=a22a6fd8 edx=a22a6fd7 esi=a22a6fd0 edi=922aebd8
eip=6c7a6b2d esp=050fd8c8 ebp=050fd924 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x6671d:
6c7a6b2d 0fb7c8          movzx   ecx,ax                                ; <---------------------------- (5)

The method called at (4) reads axisCount. The value of axisCount can be observed at (5) in the eax register. In this case, the value of axisCount is 1, so the avar table contains only one SegmentMaps record. A loop then runs axisCount times, reading one SegmentMaps record per iteration.

eax=00000000 ebx=a5a8cff8 ecx=92f4cfe8 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6c03 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x667f3:
6c7a6c03 8975e8          mov     dword ptr [ebp-18h],esi ss:002b:050fd90c=a2dccfb0 ;<-------------------- (6)
0:000> p
eax=00000000 ebx=a5a8cff8 ecx=92f4cfe8 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6c06 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x667f6:
6c7a6c06 0f8266ffffff    jb      CoolType!CTCleanup+0x66762 (6c7a6b72)   [br=1]
0:000> p
eax=00000000 ebx=a5a8cff8 ecx=92f4cfe8 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6b72 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x66762:
6c7a6b72 8d45f0          lea     eax,[ebp-10h]
0:000> p
eax=050fd914 ebx=a5a8cff8 ecx=92f4cfe8 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6b75 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x66765:
6c7a6b75 6a02            push    2
0:000> p
eax=050fd914 ebx=a5a8cff8 ecx=92f4cfe8 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6b77 esp=050fd8d4 ebp=050fd924 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x66767:
6c7a6b77 50              push    eax
0:000> p
eax=050fd914 ebx=a5a8cff8 ecx=92f4cfe8 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6b78 esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x66768:
6c7a6b78 e840420000      call    CoolType!CTCleanup+0x6a9ad (6c7aadbd)          ;<----------------------- (7)
0:000> p
eax=0000000a ebx=a5a8cff8 ecx=a22a6fda edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b7d esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x6676d:
6c7a6b7d 0fb7c0          movzx   eax,ax                                         ;<----------------------- (8)
0:000> p
eax=0000000a ebx=a5a8cff8 ecx=a22a6fda edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b80 esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x66770:
6c7a6b80 59              pop     ecx
0:000> p
eax=0000000a ebx=a5a8cff8 ecx=050fd914 edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b81 esp=050fd8d4 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x66771:
6c7a6b81 59              pop     ecx
0:000> p
eax=0000000a ebx=a5a8cff8 ecx=00000002 edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b82 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x66772:
6c7a6b82 668903          mov     word ptr [ebx],ax        ds:002b:a5a8cff8=c0c0
0:000> p
eax=0000000a ebx=a5a8cff8 ecx=00000002 edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b85 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x66775:
6c7a6b85 8bc8            mov     ecx,eax
0:000> p
eax=0000000a ebx=a5a8cff8 ecx=0000000a edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b87 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x66777:
6c7a6b87 8b45ec          mov     eax,dword ptr [ebp-14h] ss:002b:050fd910=00000000
0:000> p
eax=00000000 ebx=a5a8cff8 ecx=0000000a edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b8a esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x6677a:
6c7a6b8a 8d0488          lea     eax,[eax+ecx*4]                                 <------------------------- (9)
0:000> p
eax=00000028 ebx=a5a8cff8 ecx=0000000a edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b8d esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x6677d:
6c7a6b8d 8945ec          mov     dword ptr [ebp-14h],eax ss:002b:050fd910=00000000
0:000> p
eax=00000028 ebx=a5a8cff8 ecx=0000000a edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b90 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x66780:
6c7a6b90 3945e0          cmp     dword ptr [ebp-20h],eax ss:002b:050fd904=00000030 ;<------------------------- (10)
0:000> p
eax=00000028 ebx=a5a8cff8 ecx=0000000a edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b93 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
CoolType!CTCleanup+0x66783:
6c7a6b93 0f8284000000    jb      CoolType!CTCleanup+0x6680d (6c7a6c1d)   [br=0]
0:000> p
eax=00000028 ebx=a5a8cff8 ecx=0000000a edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b99 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
CoolType!CTCleanup+0x66789:
6c7a6b99 8bc1            mov     eax,ecx
0:000> p
eax=0000000a ebx=a5a8cff8 ecx=0000000a edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b9b esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
CoolType!CTCleanup+0x6678b:
6c7a6b9b c1e003          shl     eax,3                                         ; <------------------------- (11)
0:000> p
eax=00000050 ebx=a5a8cff8 ecx=0000000a edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b9e esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x6678e:
6c7a6b9e 50              push    eax
0:000> p
eax=00000050 ebx=a5a8cff8 ecx=0000000a edx=a22a6fd9 esi=00000000 edi=922aebd8
eip=6c7a6b9f esp=050fd8d4 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x6678f:
6c7a6b9f e816f0f0ff      call    CoolType!CTInit+0x255a (6c6b5bba)          ; <------------------------- (12)
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=6c6b5be2 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6ba4 esp=050fd8d4 ebp=050fd924 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
CoolType!CTCleanup+0x66794:
6c7a6ba4 894304          mov     dword ptr [ebx+4],eax ds:002b:a5a8cffc=c0c0c0c0
0:000> dd eax
a6098fb0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
a6098fc0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
a6098fd0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
a6098fe0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
a6098ff0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
a6099000  ???????? ???????? ???????? ????????
a6099010  ???????? ???????? ???????? ????????
a6099020  ???????? ???????? ???????? ????????
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=6c6b5be2 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6ba7 esp=050fd8d4 ebp=050fd924 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
CoolType!CTCleanup+0x66797:
6c7a6ba7 59              pop     ecx
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=00000050 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6ba8 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
CoolType!CTCleanup+0x66798:
6c7a6ba8 85c0            test    eax,eax
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=00000050 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6baa esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
CoolType!CTCleanup+0x6679a:
6c7a6baa 7471            je      CoolType!CTCleanup+0x6680d (6c7a6c1d)   [br=0]
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=00000050 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6bac esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
CoolType!CTCleanup+0x6679c:
6c7a6bac 8365dc00        and     dword ptr [ebp-24h],0 ss:002b:050fd900=6c9df8e0
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=00000050 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6bb0 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x667a0:
6c7a6bb0 33c0            xor     eax,eax
0:000> p
eax=00000000 ebx=a5a8cff8 ecx=00000050 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6bb2 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x667a2:
6c7a6bb2 663b03          cmp     ax,word ptr [ebx]        ds:002b:a5a8cff8=000a
0:000> p
eax=00000000 ebx=a5a8cff8 ecx=00000050 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6bb5 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x667a5:
6c7a6bb5 7344            jae     CoolType!CTCleanup+0x667eb (6c7a6bfb)   [br=0]
0:000> p
eax=00000000 ebx=a5a8cff8 ecx=00000050 edx=00000000 esi=00000000 edi=922aebd8
eip=6c7a6bb7 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x667a7:
6c7a6bb7 8b7ddc          mov     edi,dword ptr [ebp-24h] ss:002b:050fd900=00000000
0:000> p                                                                               <----------------------- (13)
eax=00000000 ebx=a5a8cff8 ecx=00000050 edx=00000000 esi=00000000 edi=00000000
eip=6c7a6bba esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x667aa:
6c7a6bba 8d45f0          lea     eax,[ebp-10h]  
0:000> p
eax=050fd914 ebx=a5a8cff8 ecx=00000050 edx=00000000 esi=00000000 edi=00000000
eip=6c7a6bbd esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x667ad:
6c7a6bbd 0fb7f7          movzx   esi,di
0:000> p
eax=050fd914 ebx=a5a8cff8 ecx=00000050 edx=00000000 esi=00000000 edi=00000000
eip=6c7a6bc0 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x667b0:
6c7a6bc0 6a02            push    2
0:000> p
eax=050fd914 ebx=a5a8cff8 ecx=00000050 edx=00000000 esi=00000000 edi=00000000
eip=6c7a6bc2 esp=050fd8d4 ebp=050fd924 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x667b2:
6c7a6bc2 50              push    eax
0:000> p
eax=050fd914 ebx=a5a8cff8 ecx=00000050 edx=00000000 esi=00000000 edi=00000000
eip=6c7a6bc3 esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x667b3:
6c7a6bc3 e8f5410000      call    CoolType!CTCleanup+0x6a9ad (6c7aadbd)          ; <------------------------- (14)
0:000> p
eax=0000c000 ebx=a5a8cff8 ecx=a22a6fdc edx=a22a6fdb esi=00000000 edi=00000000
eip=6c7a6bc8 esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x667b8:
6c7a6bc8 0fbfc8          movsx   ecx,ax
0:000> p
eax=0000c000 ebx=a5a8cff8 ecx=ffffc000 edx=a22a6fdb esi=00000000 edi=00000000
eip=6c7a6bcb esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x667bb:
6c7a6bcb 8b4304          mov     eax,dword ptr [ebx+4] ds:002b:a5a8cffc=a6098fb0
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=ffffc000 edx=a22a6fdb esi=00000000 edi=00000000
eip=6c7a6bce esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x667be:
6c7a6bce c1e102          shl     ecx,2
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=ffff0000 edx=a22a6fdb esi=00000000 edi=00000000
eip=6c7a6bd1 esp=050fd8d0 ebp=050fd924 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
CoolType!CTCleanup+0x667c1:
6c7a6bd1 6a02            push    2
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=ffff0000 edx=a22a6fdb esi=00000000 edi=00000000
eip=6c7a6bd3 esp=050fd8cc ebp=050fd924 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
CoolType!CTCleanup+0x667c3:
6c7a6bd3 890cf0          mov     dword ptr [eax+esi*8],ecx ds:002b:a6098fb0=c0c0c0c0
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=ffff0000 edx=a22a6fdb esi=00000000 edi=00000000
eip=6c7a6bd6 esp=050fd8cc ebp=050fd924 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
CoolType!CTCleanup+0x667c6:
6c7a6bd6 8d45f0          lea     eax,[ebp-10h]
0:000> p
eax=050fd914 ebx=a5a8cff8 ecx=ffff0000 edx=a22a6fdb esi=00000000 edi=00000000
eip=6c7a6bd9 esp=050fd8cc ebp=050fd924 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
CoolType!CTCleanup+0x667c9:
6c7a6bd9 50              push    eax
0:000> p
eax=050fd914 ebx=a5a8cff8 ecx=ffff0000 edx=a22a6fdb esi=00000000 edi=00000000
eip=6c7a6bda esp=050fd8c8 ebp=050fd924 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
CoolType!CTCleanup+0x667ca:
6c7a6bda e8de410000      call    CoolType!CTCleanup+0x6a9ad (6c7aadbd)             ; <------------------------- (15)
0:000> p
eax=0000c000 ebx=a5a8cff8 ecx=a22a6fde edx=a22a6fdd esi=00000000 edi=00000000
eip=6c7a6bdf esp=050fd8c8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x667cf:
6c7a6bdf 0fbfc8          movsx   ecx,ax
0:000> p
eax=0000c000 ebx=a5a8cff8 ecx=ffffc000 edx=a22a6fdd esi=00000000 edi=00000000
eip=6c7a6be2 esp=050fd8c8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x667d2:
6c7a6be2 83c410          add     esp,10h
0:000> p
eax=0000c000 ebx=a5a8cff8 ecx=ffffc000 edx=a22a6fdd esi=00000000 edi=00000000
eip=6c7a6be5 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x667d5:
6c7a6be5 8b4304          mov     eax,dword ptr [ebx+4] ds:002b:a5a8cffc=a6098fb0
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=ffffc000 edx=a22a6fdd esi=00000000 edi=00000000
eip=6c7a6be8 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x667d8:
6c7a6be8 c1e102          shl     ecx,2
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=ffff0000 edx=a22a6fdd esi=00000000 edi=00000000
eip=6c7a6beb esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
CoolType!CTCleanup+0x667db:
6c7a6beb 47              inc     edi
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=ffff0000 edx=a22a6fdd esi=00000000 edi=00000001
eip=6c7a6bec esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000203
CoolType!CTCleanup+0x667dc:
6c7a6bec 894cf004        mov     dword ptr [eax+esi*8+4],ecx ds:002b:a6098fb4=c0c0c0c0
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=ffff0000 edx=a22a6fdd esi=00000000 edi=00000001
eip=6c7a6bf0 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000203
CoolType!CTCleanup+0x667e0:
6c7a6bf0 663b3b          cmp     di,word ptr [ebx]        ds:002b:a5a8cff8=000a
0:000> p
eax=a6098fb0 ebx=a5a8cff8 ecx=ffff0000 edx=a22a6fdd esi=00000000 edi=00000001
eip=6c7a6bf3 esp=050fd8d8 ebp=050fd924 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x667e3:
6c7a6bf3 72c5            jb      CoolType!CTCleanup+0x667aa (6c7a6bba)   [br=1] <------------------------------ (16)

The loop that reads the SegmentMaps records starts at (6). The method called at (7) reads positionMapCount. In this case, the value of positionMapCount is 0x0A, as can be observed at (8). The loop performs a comparison at (10) to check whether the value of positionMapCount is larger than the avar table's tableLength. However, the comparison is insufficient because it does not take into account the number of bytes that have already been consumed. At (11), positionMapCount is used to calculate the size of a buffer, and the method called at (12) allocates the axisValueMaps buffer.

A nested loop starts at (13) and ends at (14). Each iteration of the loop reads 4 bytes from the avar table and writes them to the axisValueMaps buffer. If the vulnerable condition mentioned above is met, an out-of-bounds read occurs while reading the avar table. The number of bytes the avar table should contain is calculated as follows:

0x08 + (0x02 * axisCount) + (positionMapCount_1 * 4 + positionMapCount_2 * 4 + ... + positionMapCount_n * 4)
0x08 + (0x02 * 1) + (0x0A * 4) = 0x32

The number of bytes required (0x32) is larger than tableLength (0x30), so a crash occurs if we continue execution. This can be observed in the debugger:

0:000> g
(248c.112c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=a5a8cff8 ecx=a22a7000 edx=a22a6fff esi=00000000 edi=050fd914
eip=6c7aadfa esp=050fd8b8 ebp=050fd8c0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
CoolType!CTCleanup+0x6a9ea:
6c7aadfa 0fb601          movzx   eax,byte ptr [ecx]         ds:002b:a22a7000=??
0:000> u
CoolType!CTCleanup+0x6a9ea:
6c7aadfa 0fb601          movzx   eax,byte ptr [ecx]
6c7aadfd 0bf0            or      esi,eax
6c7aadff 8d4101          lea     eax,[ecx+1]
6c7aae02 8907            mov     dword ptr [edi],eax
6c7aae04 8b17            mov     edx,dword ptr [edi]
6c7aae06 c1e608          shl     esi,8
6c7aae09 0fb60a          movzx   ecx,byte ptr [edx]
6c7aae0c 0bf1            or      esi,ecx
0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 050fd8c0 6c7a6bdf     050fd914 00000002 050fd914 CoolType!CTCleanup+0x6a9ea
01 050fd924 6c7a758d     6306ec2e 9cd20fe4 922aebd8 CoolType!CTCleanup+0x667cf
02 050fd960 6c6d91e0     050fda7c 6c6e6c96 6306ecea CoolType!CTCleanup+0x6717d
03 050fd9a4 6c6e6a44     050fd9f4 050fe028 a709ef20 CoolType!CTInit+0x25b80
04 050fda08 6c6e688a     922aebd8 050fe028 a709ef20 CoolType!CTInit+0x333e4
05 050fdb40 6d32870b     922aebd8 050fe028 a709ef20 CoolType!CTInit+0x3322a
06 050fdba8 6d328345     050fe024 050fe028 050fe040 AcroRd32!CTJPEGReader::operator=+0x82e6b
07 050fdbf0 6d3258f5     050fe024 050fe028 050fe040 AcroRd32!CTJPEGReader::operator=+0x82aa5
08 050fdef0 6d319803     91002f68 050fe024 6e88f8a8 AcroRd32!CTJPEGReader::operator=+0x80055
09 050fe0c0 6d3192b3     050fe0d4 a0532a98 00000000 AcroRd32!CTJPEGReader::operator=+0x73f63
0a 050fe114 6d31620d     050fe1a4 91002f68 00000000 AcroRd32!CTJPEGReader::operator=+0x73a13
0b 050fe1cc 6d30b944     730ac37d 9c810f78 00000000 AcroRd32!CTJPEGReader::operator=+0x7096d
0c 050fe28c 6d30a760     00000001 00000000 00000000 AcroRd32!CTJPEGReader::operator=+0x660a4
0d 050fe2dc 6d2ff520     9c810f78 00000001 00000000 AcroRd32!CTJPEGReader::operator=+0x64ec0
0e 050fe448 6d2fedf2     9ba60dbc 00000001 93564ef0 AcroRd32!CTJPEGReader::operator=+0x59c80
0f 050fe4b0 6d2fcc9b     730ac4c1 00000000 00000000 AcroRd32!CTJPEGReader::operator=+0x59552
10 050fe530 6d2fc975     93564ef0 a471af40 7e600eb8 AcroRd32!CTJPEGReader::operator=+0x573fb
11 050fe56c 6d2fc89e     93564ef0 a471af40 7e600eb8 AcroRd32!CTJPEGReader::operator=+0x570d5
12 050fe5f4 6d2fb8de     93564ef0 a471af40 050fe820 AcroRd32!CTJPEGReader::operator=+0x56ffe
13 050fe630 6d2fa23c     93564ef0 a471af40 050fe820 AcroRd32!CTJPEGReader::operator=+0x5603e
14 050fe8fc 6d2f92a8     93564ef0 050fe990 050fe9e0 AcroRd32!CTJPEGReader::operator=+0x5499c
15 050fea00 6d2f841f     93564ef0 050feb2c 00000000 AcroRd32!CTJPEGReader::operator=+0x53a08
16 050feb50 6d2f74ba     93564ef0 050feca8 00000000 AcroRd32!CTJPEGReader::operator=+0x52b7f
17 050febb0 6d2f7220     93564ef0 050feca8 00000000 AcroRd32!CTJPEGReader::operator=+0x51c1a
18 050fec34 6d2f5580     93564ef0 050feca8 00000000 AcroRd32!CTJPEGReader::operator=+0x51980
19 050fed0c 6d2f4f54     00000001 00000000 730acc99 AcroRd32!CTJPEGReader::operator=+0x4fce0
1a 050fed68 6d2f4d05     9b066ef0 00000001 730acc3d AcroRd32!CTJPEGReader::operator=+0x4f6b4
1b 050fedcc 6d2f4aaf     050feec0 730acf11 9e68ef88 AcroRd32!CTJPEGReader::operator=+0x4f465
1c 050feee0 6d181897     0000000f 6d1817c0 9e68ef88 AcroRd32!CTJPEGReader::operator=+0x4f20f
1d 050feef8 6d181720     0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0x36c77
1e 050fef18 75fb0eab     0013010c 0000000f 00000000 AcroRd32!DllCanUnloadNow+0x36b00
1f 050fef44 75fa7e5a     6d181650 0013010c 0000000f USER32!_InternalCallWinProc+0x2b
20 050ff028 75fa7a5a     6d181650 00000000 0000000f USER32!UserCallWinProcCheckWow+0x33a
21 050ff08c 75fab61f     0ad1b310 00000000 0000000f USER32!DispatchClientMessage+0xea
22 050ff0c8 77a8508d     050ff0e4 00000020 050ff150 USER32!__fnDWORD+0x3f
23 050ff100 7675136c     75fa5b61 050ff1a0 0c612fba ntdll!KiUserCallbackDispatcher+0x4d
24 050ff104 75fa5b61     050ff1a0 0c612fba 1d1adda8 win32u!NtUserDispatchMessage+0xc
25 050ff160 75fa5990     0000000f 050ff184 6d194773 USER32!DispatchMessageWorker+0x1c1
26 050ff16c 6d194773     050ff1a0 1d1adda8 1d1adda8 USER32!DispatchMessageW+0x10
27 050ff184 6d19445e     050ff1a0 730ad009 1d1adda8 AcroRd32!DllCanUnloadNow+0x49b53
28 050ff1f8 6d194289     730ad3c1 1d1adda8 00000000 AcroRd32!DllCanUnloadNow+0x4983e
29 050ff230 6d113043     730ad355 0d26eff8 00000000 AcroRd32!DllCanUnloadNow+0x49669
2a 050ff2a4 6d112a5f     6cf70000 007b0000 0d26eff8 AcroRd32!AcroWinMainSandbox+0x773
2b 050ff6c8 009959d0     6cf70000 007b0000 0d26eff8 AcroRd32!AcroWinMainSandbox+0x18f
2c 050ffa7c 009e1efa     007b0000 00000000 09b60018 AcroRd32_exe!IsSandboxedProcess+0x126030
2d 050ffac8 76eefcc9     04efe000 76eefcb0 050ffb34 AcroRd32_exe!AcroRd32IsBrokerProcess+0x1d54a
2e 050ffad8 77a77c6e     04efe000 e7a5770c 00000000 KERNEL32!BaseThreadInitThunk+0x19
2f 050ffb34 77a77c3e     ffffffff 77a98c2b 00000000 ntdll!__RtlUserThreadStart+0x2f
30 050ffb44 00000000     00991640 04efe000 00000000 ntdll!_RtlUserThreadStart+0x1b

Using this vulnerability, it is possible to read arbitrary memory of the process. Because of complex interactions between the PDF reader and its font subcomponents, especially in the presence of a JavaScript engine, sensitive contents of arbitrary memory could be disclosed, which could aid in further exploitation and exploit mitigation bypass.
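To make the SegmentMaps length check and the formula above concrete, the following is an added example (not CoolType code and not the report's sample file) that walks an avar table's SegmentMaps array two ways: the weak comparison the report describes, which checks positionMapCount against the table length alone, and a hardened check that also accounts for the bytes already consumed. The sample table, the helper names and the layout of the table header (8-byte header with axisCount at offset 6) are assumptions for this example.

```c
#include <stdint.h>
#include <string.h>

#define SAMPLE_LEN 0x30   /* tableLength of the constructed avar table below */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walks the SegmentMaps array. If need is non-NULL it receives the bytes the
 * table requires: 0x08 + 2*axisCount + sum(positionMapCount_i * 4). Returns 1
 * if the table is accepted. strict=0 models the check the report describes
 * (positionMapCount compared with the table length alone); strict=1 also
 * counts the bytes already consumed, so the 4-byte reads never pass len. */
int avar_check(const uint8_t *tbl, size_t len, int strict, size_t *need)
{
    size_t off = 8;                               /* version, reserved, axisCount */
    if (need) *need = 0;
    if (len < off) return 0;
    uint16_t axis_count = be16(tbl + 6);
    for (uint16_t i = 0; i < axis_count; i++) {
        if (off + 2 > len) return 0;              /* positionMapCount must fit */
        uint16_t n = be16(tbl + off);
        off += 2;
        if (n > len) return 0;                    /* insufficient on its own */
        if (strict && (size_t)n * 4 > len - off) return 0;
        off += (size_t)n * 4;                     /* AxisValueMap = 2 x F2Dot14 */
    }
    if (need) *need = off;
    return 1;
}

/* Bytes the table needs per the formula (0 if even the weak check rejects). */
size_t avar_required_length(const uint8_t *tbl, size_t len)
{
    size_t need;
    avar_check(tbl, len, 0, &need);
    return need;
}

/* Constructed 0x30-byte table (not the report's sample file): axisCount = 1 and
 * the given positionMapCount; with 0x0A it needs 0x32 bytes, as in the report. */
const uint8_t *sample_table(uint8_t position_map_count)
{
    static uint8_t t[SAMPLE_LEN];
    memset(t, 0, sizeof t);
    t[1] = 1;                                     /* majorVersion = 1 */
    t[7] = 1;                                     /* axisCount = 1 */
    t[9] = position_map_count;
    return t;
}
```

With positionMapCount = 0x0A the weak check accepts the 0x30-byte table even though 0x32 bytes are needed, while the strict check rejects it; with positionMapCount = 9 (0x2E bytes needed) both accept.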

VENDOR RESPONSE

The vendor released a security bulletin at https://helpx.adobe.com/security/products/acrobat/apsb24-07.html; patches can be found linked from that page.

TIMELINE

2024-01-11 - Vendor Disclosure
2024-02-13 - Vendor Patch Release
2024-02-15 - Public Release

Credit

Discovered by KPC of Cisco Talos.