BugId RAF[0x808]@8 b2c.d21 @ acrord32.exe!axsle.dll+0x42571 summary

BugId:	RAF[0x808]@8 b2c.d21
Location:	acrord32.exe!axsle.dll+0x42571
Description:	An Access Violation exception happened at 0x57F5A800 while attempting to read freed memory at 0x57F5A800; 8 bytes into a 2056/0x808 bytes heap block at 0x57F5A7F8. This indicates a Use-After-Free (UAF) bug was triggered.
Version:	AcroRd32.exe: 18.11.20035.2003 (x86) AXSLE.dll: 3.9.0.38656 (x86)
Security impact:	Potentially exploitable security issue that might allow information disclosure and (less likely) arbitrary code execution.
Arguments:	['/n', 'UAFR[0x808]@0x42571.pdf']

BugId version 2018-11-21 19:42 by SkyLined. Licensed to netanelbs for commercial use.

Stack

AXSLE.dll + 0x42571 (id: b2c, no function symbol available)
AXSLE.dll + 0x42CCF (id: d21, no function symbol available)
AXSLE.dll + 0x3E7FE (no function symbol available)
AXSLE.dll + 0x3DFF1 (no function symbol available)
AXSLE.dll + 0x405BC (no function symbol available)
AXSLE.dll + 0x429F1 (no function symbol available)
AXSLE.dll + 0x429A7 (no function symbol available)
AXSLE.dll + 0x3D54E (no function symbol available)
AXSLE.dll + 0x3D4BC (no function symbol available)
AXSLE.dll + 0x3800A (no function symbol available)
AXSLE.dll + 0x38922 (no function symbol available)
AXSLE.dll + 0x38883 (no function symbol available)
AXSLE.dll + 0x34D31 (no function symbol available)
AXSLE.dll + 0x1B5BD (no function symbol available)
AXSLE.dll + 0x1B238 (no function symbol available)
AXSLE.dll + 0x17286 (no function symbol available)
AXSLE.dll + 0x6593 (no function symbol available)
AXSLE.dll + 0x6BBB (no function symbol available)
AcroForm.api + 0x468EFF (no function symbol available)
AcroForm.api + 0x468E75 (no function symbol available)
AcroForm.api + 0x464399 (no function symbol available)
AcroForm.api + 0x456C28 (no function symbol available)
AcroForm.api + 0x5D3874 (no function symbol available)
AcroForm.api + 0x5D28B9 (no function symbol available)
AcroForm.api + 0x5DCB5E (no function symbol available)
ntdll.dll!RtlpFreeHeap + ? (the exact offset is not known)
ntdll.dll!RtlFreeHeap + 0x222
MSVCR120.dll!free + 0x1A [[f:\dd\vctools\crt\crtw32\heap\free.c @ 51]]
EScript.api + 0x-18FCFD9 (no function symbol available)
EScript.api + 0x3C67E (no function symbol available)
EScript.api + 0x3DB4D (no function symbol available)

⇓ click on the title of a section to open or close it.

Registers

eax = 0x15126000	xmm0 = 0x0
ebx = 0x57F5A800	xmm1 = 0x0
ecx = 0xD9A190	xmm2 = 0x0
edx = 0xD9A184	xmm3 = 0x0
esi = 0x57F5A800	xmm4 = 0x0
edi = 0x59A00DC8	xmm5 = 0x0
esp = 0xD9A15C	xmm6 = 0x0
ebp = 0xD9A168	xmm7 = 0x0

⇓ click on the title of a section to open or close it.

Disassembly of stack frame 1 at AXSLE.dll + 0x42571

6a9c24c3	55	push ebp
6a9c24c4	8bec	mov ebp,esp
6a9c24c6	56	push esi
6a9c24c7	ff7514	push dword ptr [ebp+14h]
6a9c24ca	8b7508	mov esi,dword ptr [ebp+8]
6a9c24cd	ff7510	push dword ptr [ebp+10h]
6a9c24d0	ff750c	push dword ptr [ebp+0Ch]
6a9c24d3	56	push esi
6a9c24d4	e8f5fcffff	call AXSLE!AXE_TransformerTerminate+0x3c504 (6a9c21ce)
6a9c24d9	83c410	add esp,10h
6a9c24dc	85c0	test eax,eax
6a9c24de	7504	jne AXSLE!AXE_TransformerTerminate+0x3c81a (6a9c24e4)
6a9c24e0	33c0	xor eax,eax
6a9c24e2	eb1f	jmp AXSLE!AXE_TransformerTerminate+0x3c839 (6a9c2503)
6a9c24e4	8b460c	mov eax,dword ptr [esi+0Ch]
6a9c24e7	3b4608	cmp eax,dword ptr [esi+8]
6a9c24ea	750b	jne AXSLE!AXE_TransformerTerminate+0x3c82d (6a9c24f7)
6a9c24ec	56	push esi
6a9c24ed	e87ffeffff	call AXSLE!AXE_TransformerTerminate+0x3c6a7 (6a9c2371)
6a9c24f2	59	pop ecx
6a9c24f3	84c0	test al,al
6a9c24f5	74e9	je AXSLE!AXE_TransformerTerminate+0x3c816 (6a9c24e0)
6a9c24f7	8b4e0c	mov ecx,dword ptr [esi+0Ch]
6a9c24fa	c60100	mov byte ptr [ecx],0
6a9c24fd	ff460c	inc dword ptr [esi+0Ch]
6a9c2500	8b4610	mov eax,dword ptr [esi+10h]
6a9c2503	5e	pop esi
6a9c2504	5d	pop ebp
6a9c2505	c3	ret
6a9c2506	55	push ebp
6a9c2507	8bec	mov ebp,esp
6a9c2509	53	push ebx
6a9c250a	56	push esi
6a9c250b	57	push edi
6a9c250c	8b7d08	mov edi,dword ptr [ebp+8]
6a9c250f	ff750c	push dword ptr [ebp+0Ch]
6a9c2512	8d87c8010000	lea eax,[edi+1C8h]
6a9c2518	50	push eax
6a9c2519	e807fdffff	call AXSLE!AXE_TransformerTerminate+0x3c55b (6a9c2225)
6a9c251e	59	pop ecx
6a9c251f	59	pop ecx
6a9c2520	8b8fd4010000	mov ecx,dword ptr [edi+1D4h]
6a9c2526	8bd8	mov ebx,eax
6a9c2528	8bf3	mov esi,ebx
6a9c252a	3b8fd0010000	cmp ecx,dword ptr [edi+1D0h]
6a9c2530	7511	jne AXSLE!AXE_TransformerTerminate+0x3c879 (6a9c2543)
6a9c2532	8d87c8010000	lea eax,[edi+1C8h]
6a9c2538	50	push eax
6a9c2539	e833feffff	call AXSLE!AXE_TransformerTerminate+0x3c6a7 (6a9c2371)
6a9c253e	59	pop ecx
6a9c253f	84c0	test al,al
6a9c2541	740f	je AXSLE!AXE_TransformerTerminate+0x3c888 (6a9c2552)
6a9c2543	8b87d4010000	mov eax,dword ptr [edi+1D4h]
6a9c2549	c60000	mov byte ptr [eax],0
6a9c254c	ff87d4010000	inc dword ptr [edi+1D4h]
6a9c2552	8b4d14	mov ecx,dword ptr [ebp+14h]
6a9c2555	8b5510	mov edx,dword ptr [ebp+10h]
6a9c2558	832100	and dword ptr [ecx],0
6a9c255b	832200	and dword ptr [edx],0
6a9c255e	80bffc00000000	cmp byte ptr [edi+0FCh],0
6a9c2565	744c	je AXSLE!AXE_TransformerTerminate+0x3c8e9 (6a9c25b3)
6a9c2567	8aa7e8010000	mov ah,byte ptr [edi+1E8h]
6a9c256d	84e4	test ah,ah
6a9c256f	7442	je AXSLE!AXE_TransformerTerminate+0x3c8e9 (6a9c25b3)
6a9c2571	8a03	mov al,byte ptr [ebx] // current instruction
6a9c2573	eb07	jmp AXSLE!AXE_TransformerTerminate+0x3c8b2 (6a9c257c)
6a9c2575	3ac4	cmp al,ah
6a9c2577	7407	je AXSLE!AXE_TransformerTerminate+0x3c8b6 (6a9c2580)
6a9c2579	46	inc esi
6a9c257a	8a06	mov al,byte ptr [esi]
6a9c257c	84c0	test al,al
6a9c257e	75f5	jne AXSLE!AXE_TransformerTerminate+0x3c8ab (6a9c2575)
6a9c2580	803e00	cmp byte ptr [esi],0
6a9c2583	742e	je AXSLE!AXE_TransformerTerminate+0x3c8e9 (6a9c25b3)
6a9c2585	46	inc esi
6a9c2586	8931	mov dword ptr [ecx],esi
6a9c2588	80bffd00000000	cmp byte ptr [edi+0FDh],0
6a9c258f	7422	je AXSLE!AXE_TransformerTerminate+0x3c8e9 (6a9c25b3)
6a9c2591	803e00	cmp byte ptr [esi],0
6a9c2594	741d	je AXSLE!AXE_TransformerTerminate+0x3c8e9 (6a9c25b3)
6a9c2596	8a87e8010000	mov al,byte ptr [edi+1E8h]
6a9c259c	3806	cmp byte ptr [esi],al
6a9c259e	7406	je AXSLE!AXE_TransformerTerminate+0x3c8dc (6a9c25a6)
6a9c25a0	46	inc esi
6a9c25a1	803e00	cmp byte ptr [esi],0
6a9c25a4	75f6	jne AXSLE!AXE_TransformerTerminate+0x3c8d2 (6a9c259c)
6a9c25a6	803e00	cmp byte ptr [esi],0
6a9c25a9	7408	je AXSLE!AXE_TransformerTerminate+0x3c8e9 (6a9c25b3)
6a9c25ab	8d4601	lea eax,[esi+1]
6a9c25ae	8902	mov dword ptr [edx],eax
6a9c25b0	c60600	mov byte ptr [esi],0
6a9c25b3	833900	cmp dword ptr [ecx],0
6a9c25b6	7523	jne AXSLE!AXE_TransformerTerminate+0x3c911 (6a9c25db)
6a9c25b8	803b00	cmp byte ptr [ebx],0
6a9c25bb	8bc3	mov eax,ebx
6a9c25bd	7415	je AXSLE!AXE_TransformerTerminate+0x3c90a (6a9c25d4)
6a9c25bf	80383a	cmp byte ptr [eax],3Ah
6a9c25c2	7408	je AXSLE!AXE_TransformerTerminate+0x3c902 (6a9c25cc)
6a9c25c4	40	inc eax
6a9c25c5	803800	cmp byte ptr [eax],0
6a9c25c8	75f5	jne AXSLE!AXE_TransformerTerminate+0x3c8f5 (6a9c25bf)
6a9c25ca	eb08	jmp AXSLE!AXE_TransformerTerminate+0x3c90a (6a9c25d4)
6a9c25cc	891a	mov dword ptr [edx],ebx
6a9c25ce	c60000	mov byte ptr [eax],0
6a9c25d1	40	inc eax
6a9c25d2	8901	mov dword ptr [ecx],eax
6a9c25d4	833900	cmp dword ptr [ecx],0
6a9c25d7	7502	jne AXSLE!AXE_TransformerTerminate+0x3c911 (6a9c25db)
6a9c25d9	8919	mov dword ptr [ecx],ebx
6a9c25db	5f	pop edi
6a9c25dc	5e	pop esi
6a9c25dd	5b	pop ebx
6a9c25de	5d	pop ebp
6a9c25df	c3	ret

⇓ click on the title of a section to open or close it.

Disassembly of stack frame 2 at AXSLE.dll + 0x42CCF

6a9c2c3b	5d	pop ebp
6a9c2c3c	c3	ret
6a9c2c3d	55	push ebp
6a9c2c3e	8bec	mov ebp,esp
6a9c2c40	53	push ebx
6a9c2c41	56	push esi
6a9c2c42	8b7508	mov esi,dword ptr [ebp+8]
6a9c2c45	57	push edi
6a9c2c46	83be0c02000000	cmp dword ptr [esi+20Ch],0
6a9c2c4d	7456	je AXSLE!AXE_TransformerTerminate+0x3cfdb (6a9c2ca5)
6a9c2c4f	837d0c00	cmp dword ptr [ebp+0Ch],0
6a9c2c53	7450	je AXSLE!AXE_TransformerTerminate+0x3cfdb (6a9c2ca5)
6a9c2c55	8b4518	mov eax,dword ptr [ebp+18h]
6a9c2c58	85c0	test eax,eax
6a9c2c5a	7449	je AXSLE!AXE_TransformerTerminate+0x3cfdb (6a9c2ca5)
6a9c2c5c	8b4d1c	mov ecx,dword ptr [ebp+1Ch]
6a9c2c5f	85c9	test ecx,ecx
6a9c2c61	7442	je AXSLE!AXE_TransformerTerminate+0x3cfdb (6a9c2ca5)
6a9c2c63	3bc1	cmp eax,ecx
6a9c2c65	743e	je AXSLE!AXE_TransformerTerminate+0x3cfdb (6a9c2ca5)
6a9c2c67	51	push ecx
6a9c2c68	50	push eax
6a9c2c69	ff7514	push dword ptr [ebp+14h]
6a9c2c6c	8d9ec8010000	lea ebx,[esi+1C8h]
6a9c2c72	53	push ebx
6a9c2c73	e84bf8ffff	call AXSLE!AXE_TransformerTerminate+0x3c7f9 (6a9c24c3)
6a9c2c78	8bf8	mov edi,eax
6a9c2c7a	83c410	add esp,10h
6a9c2c7d	85ff	test edi,edi
6a9c2c7f	7424	je AXSLE!AXE_TransformerTerminate+0x3cfdb (6a9c2ca5)
6a9c2c81	57	push edi
6a9c2c82	e8d3f0ffff	call AXSLE!AXE_TransformerTerminate+0x3c090 (6a9c1d5a)
6a9c2c87	57	push edi
6a9c2c88	ff7510	push dword ptr [ebp+10h]
6a9c2c8b	ff750c	push dword ptr [ebp+0Ch]
6a9c2c8e	ff7604	push dword ptr [esi+4]
6a9c2c91	ff960c020000	call dword ptr [esi+20Ch]
6a9c2c97	83c414	add esp,14h
6a9c2c9a	85c0	test eax,eax
6a9c2c9c	740a	je AXSLE!AXE_TransformerTerminate+0x3cfde (6a9c2ca8)
6a9c2c9e	53	push ebx
6a9c2c9f	e8bcf5ffff	call AXSLE!AXE_TransformerTerminate+0x3c596 (6a9c2260)
6a9c2ca4	59	pop ecx
6a9c2ca5	33c0	xor eax,eax
6a9c2ca7	40	inc eax
6a9c2ca8	5f	pop edi
6a9c2ca9	5e	pop esi
6a9c2caa	5b	pop ebx
6a9c2cab	5d	pop ebp
6a9c2cac	c3	ret
6a9c2cad	55	push ebp
6a9c2cae	8bec	mov ebp,esp
6a9c2cb0	51	push ecx
6a9c2cb1	56	push esi
6a9c2cb2	8b7508	mov esi,dword ptr [ebp+8]
6a9c2cb5	83be1802000000	cmp dword ptr [esi+218h],0
6a9c2cbc	7434	je AXSLE!AXE_TransformerTerminate+0x3d028 (6a9c2cf2)
6a9c2cbe	8d4508	lea eax,[ebp+8]
6a9c2cc1	50	push eax
6a9c2cc2	8d45fc	lea eax,[ebp-4]
6a9c2cc5	50	push eax
6a9c2cc6	ff750c	push dword ptr [ebp+0Ch]
6a9c2cc9	56	push esi
6a9c2cca	e837f8ffff	call AXSLE!AXE_TransformerTerminate+0x3c83c (6a9c2506) // call
6a9c2ccf	ff7510	push dword ptr [ebp+10h] // return address
6a9c2cd2	ff7508	push dword ptr [ebp+8]
6a9c2cd5	ff75fc	push dword ptr [ebp-4]
6a9c2cd8	ff7604	push dword ptr [esi+4]
6a9c2cdb	ff9618020000	call dword ptr [esi+218h]
6a9c2ce1	8b86d8010000	mov eax,dword ptr [esi+1D8h]
6a9c2ce7	83c420	add esp,20h
6a9c2cea	8986d4010000	mov dword ptr [esi+1D4h],eax
6a9c2cf0	eb0f	jmp AXSLE!AXE_TransformerTerminate+0x3d037 (6a9c2d01)
6a9c2cf2	ff7510	push dword ptr [ebp+10h]
6a9c2cf5	ff750c	push dword ptr [ebp+0Ch]
6a9c2cf8	ff7604	push dword ptr [esi+4]
6a9c2cfb	ff5634	call dword ptr [esi+34h]
6a9c2cfe	83c40c	add esp,0Ch
6a9c2d01	5e	pop esi
6a9c2d02	8be5	mov esp,ebp
6a9c2d04	5d	pop ebp
6a9c2d05	c3	ret
6a9c2d06	55	push ebp
6a9c2d07	8bec	mov ebp,esp
6a9c2d09	53	push ebx
6a9c2d0a	56	push esi
6a9c2d0b	8b7508	mov esi,dword ptr [ebp+8]
6a9c2d0e	57	push edi
6a9c2d0f	8b7d0c	mov edi,dword ptr [ebp+0Ch]
6a9c2d12	8bdf	mov ebx,edi
6a9c2d14	8b9674010000	mov edx,dword ptr [esi+174h]
6a9c2d1a	895508	mov dword ptr [ebp+8],edx
6a9c2d1d	803f00	cmp byte ptr [edi],0
6a9c2d20	0f840e020000	je AXSLE!AXE_TransformerTerminate+0x3d26a (6a9c2f34)
6a9c2d26	8a03	mov al,byte ptr [ebx]
6a9c2d28	3c0c	cmp al,0Ch
6a9c2d2a	0f8494010000	je AXSLE!AXE_TransformerTerminate+0x3d1fa (6a9c2ec4)
6a9c2d30	84c0	test al,al
6a9c2d32	0f848c010000	je AXSLE!AXE_TransformerTerminate+0x3d1fa (6a9c2ec4)
6a9c2d38	3c3d	cmp al,3Dh
6a9c2d3a	0f8552010000	jne AXSLE!AXE_TransformerTerminate+0x3d1c8 (6a9c2e92)
6a9c2d40	8b8ebc010000	mov ecx,dword ptr [esi+1BCh]
6a9c2d46	8bc1	mov eax,ecx
6a9c2d48	2b86c0010000	sub eax,dword ptr [esi+1C0h]
6a9c2d4e	750e	jne AXSLE!AXE_TransformerTerminate+0x3d094 (6a9c2d5e)
6a9c2d50	8d8298000000	lea eax,[edx+98h]
6a9c2d56	89450c	mov dword ptr [ebp+0Ch],eax
6a9c2d59	e983000000	jmp AXSLE!AXE_TransformerTerminate+0x3d117 (6a9c2de1)
6a9c2d5e	3b8eb8010000	cmp ecx,dword ptr [esi+1B8h]
6a9c2d64	7518	jne AXSLE!AXE_TransformerTerminate+0x3d0b4 (6a9c2d7e)
6a9c2d66	8d86b0010000	lea eax,[esi+1B0h]
6a9c2d6c	50	push eax
6a9c2d6d	e8fff5ffff	call AXSLE!AXE_TransformerTerminate+0x3c6a7 (6a9c2371)
6a9c2d72	59	pop ecx

⇓ click on the title of a section to open or close it.

Binary information

AcroRd32.exe

Image path	AcroRd32.exe
Image name	AcroRd32.exe
Timestamp	Fri Feb 2 20:19:02 2018 (5A74AB96)
CheckSum	00233D1F
ImageSize	0022F000
File version	18.11.20035.2003
Product version	18.11.20035.2003
File flags	0 (Mask 3F)
File OS	50004 CE Win32
File type	1.0 App
File date	00000000.00000000
Translations	0409.04e4
CompanyName	Adobe Systems Incorporated
ProductName	Adobe Acrobat Reader DC
OriginalFilename	AcroRd32.exe
ProductVersion	18.11.20035.264147
FileVersion	18.11.20035.264147
FileDescription	Adobe Acrobat Reader DC
LegalCopyright	Copyright 1984-2017 Adobe Systems Incorporated and its licensors. All rights reserved.

AXSLE.dll

Loaded symbol image file	c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll
Image path	c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll
Image name	AXSLE.dll
Timestamp	Wed Jun 21 23:44:01 2017 (594AE8A1)
CheckSum	0009FEE4
ImageSize	0009C000
File version	3.9.0.38656
Product version	3.9.0.1
File flags	0 (Mask 3F)
File OS	4 Unknown Win32
File type	2.0 Dll
File date	00000000.00000000
Translations	0800.04b0
CompanyName	Adobe Systems Incorporated
ProductName	AXSLE 2017/06/22-02:38:56
InternalName	AXSLE
OriginalFilename	AXSLE.dll
ProductVersion	84.584092
FileVersion	3.9.0.38656
FileDescription	Adobe XSLT Engine
LegalCopyright	⌐ 2002-2010 Adobe Systems Incorporated

⇓ click on the title of a section to open or close it.

Application and cdb output log

*** wait with pending attach
************* Path validation summary **************
Response Time (ms) Location
Deferred cache*
Deferred srv*http://msdl.microsoft.com/download/symbols
Deferred symsrv*symsrv.dll*C:\Windows\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: cache*;srv*http://msdl.microsoft.com/download/symbols;symsrv*symsrv.dll*C:\Windows\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Page heap: pid 0x4EE8: page heap enabled with flags 0x3.
Page heap: pid 0x4EE8: page heap enabled with flags 0x3.
Proxy object acquired for read by thread 18860.
Thread 18860 releasing Proxy object acquired for read.
(4ee8.4ef4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll -

⇓ click on the title of a section to open or close it.