CVE-2018-12839
Information
Out-of-bounds read caused by a malformed JPEG being parsed in JP2KLib.dll. The faulting instruction at JP2KLib.dll + 0x4610B (`mov al,byte ptr [ecx]`) reads through ecx = 0x00cae000, an address the debugger reports as unmapped (`??`).
Crash Dump:
Stack
JP2KLib.dll + 0x4610B (id: 33f, no function symbol available)
JP2KLib.dll + 0x4F86C (id: 506, no function symbol available)
JP2KLib.dll!JP2KImageInitDecoderEx + 0x24
Registers
eax=07955f98 ebx=00c90fb8 ecx=00cae000 edx=0000000d esi=fffff9eb edi=00000019
eip=6f05610b esp=004ff6f0 ebp=004ff710 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
fpcw=027F: rn 53 puozdi fpsw=0000: top=0 cc=0000 -------- fptw=FFFF
fopcode=0000 fpip=0000:00000000 fpdp=0000:00000000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 0.000000000000000000000e+0000
st6= 0.000000000000000000000e+0000 st7= 0.000000000000000000000e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=0000000000000000
mm6=0000000000000000 mm7=0000000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 0 0
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
JP2KLib!JP2KCopyRect+0x167d:
6f05610b 8a01 mov al,byte ptr [ecx] ds:002b:00cae000=??
Disassembly of stack frame 1 at JP2KLib.dll + 0x4610B. The faulting `mov al,byte ptr [ecx]` sits inside a loop (6f056105–6f056139) that reloads a byte pointer from [ebx+10h], reads one byte, stores the advanced pointer back, and continues until edi exceeds the count at [ecx+2Ch]; esi (fffff9eb at the time of the crash) is decremented each iteration but never tested inside the loop, which appears consistent with the read running past the end of the input buffer.
6f056058 2bf0 sub esi,eax
6f05605a 8b421c mov eax,dword ptr [edx+1Ch]
6f05605d 85c0 test eax,eax
6f05605f 740f je JP2KLib!JP2KCopyRect+0x15e2 (6f056070)
6f056061 50 push eax
6f056062 e8830f0200 call JP2KLib!JP2KTileGeometryRegionIsTile+0x1b8 (6f076fea)
6f056067 8b55f8 mov edx,dword ptr [ebp-8]
6f05606a 33c0 xor eax,eax
6f05606c 59 pop ecx
6f05606d 89421c mov dword ptr [edx+1Ch],eax
6f056070 8b422c mov eax,dword ptr [edx+2Ch]
6f056073 6a01 push 1
6f056075 8d048504000000 lea eax,[eax*4+4]
6f05607c 50 push eax
6f05607d e87b0e0200 call JP2KLib!JP2KTileGeometryRegionIsTile+0xcb (6f076efd)
6f056082 59 pop ecx
6f056083 59 pop ecx
6f056084 8b4df8 mov ecx,dword ptr [ebp-8]
6f056087 89411c mov dword ptr [ecx+1Ch],eax
6f05608a 8b4120 mov eax,dword ptr [ecx+20h]
6f05608d 85c0 test eax,eax
6f05608f 740f je JP2KLib!JP2KCopyRect+0x1612 (6f0560a0)
6f056091 50 push eax
6f056092 e8530f0200 call JP2KLib!JP2KTileGeometryRegionIsTile+0x1b8 (6f076fea)
6f056097 59 pop ecx
6f056098 8b4df8 mov ecx,dword ptr [ebp-8]
6f05609b 33c0 xor eax,eax
6f05609d 894120 mov dword ptr [ecx+20h],eax
6f0560a0 8b412c mov eax,dword ptr [ecx+2Ch]
6f0560a3 6a01 push 1
6f0560a5 8d048504000000 lea eax,[eax*4+4]
6f0560ac 50 push eax
6f0560ad e84b0e0200 call JP2KLib!JP2KTileGeometryRegionIsTile+0xcb (6f076efd)
6f0560b2 59 pop ecx
6f0560b3 59 pop ecx
6f0560b4 8b4df8 mov ecx,dword ptr [ebp-8]
6f0560b7 8379140f cmp dword ptr [ecx+14h],0Fh
6f0560bb 894120 mov dword ptr [ecx+20h],eax
6f0560be 752b jne JP2KLib!JP2KCopyRect+0x165d (6f0560eb)
6f0560c0 8379180f cmp dword ptr [ecx+18h],0Fh
6f0560c4 7525 jne JP2KLib!JP2KCopyRect+0x165d (6f0560eb)
6f0560c6 33c0 xor eax,eax
6f0560c8 8bd0 mov edx,eax
6f0560ca 39412c cmp dword ptr [ecx+2Ch],eax
6f0560cd 7c6f jl JP2KLib!JP2KCopyRect+0x16b0 (6f05613e)
6f0560cf 8b411c mov eax,dword ptr [ecx+1Ch]
6f0560d2 c704900f000000 mov dword ptr [eax+edx*4],0Fh
6f0560d9 8b4120 mov eax,dword ptr [ecx+20h]
6f0560dc c704900f000000 mov dword ptr [eax+edx*4],0Fh
6f0560e3 42 inc edx
6f0560e4 3b512c cmp edx,dword ptr [ecx+2Ch]
6f0560e7 7ee6 jle JP2KLib!JP2KCopyRect+0x1641 (6f0560cf)
6f0560e9 eb53 jmp JP2KLib!JP2KCopyRect+0x16b0 (6f05613e)
6f0560eb 8b45f4 mov eax,dword ptr [ebp-0Ch]
6f0560ee 2b45ec sub eax,dword ptr [ebp-14h]
6f0560f1 03c6 add eax,esi
6f0560f3 3b412c cmp eax,dword ptr [ecx+2Ch]
6f0560f6 0f821b0c0000 jb JP2KLib!JP2KCopyRect+0x2289 (6f056d17)
6f0560fc 33c0 xor eax,eax
6f0560fe 39412c cmp dword ptr [ecx+2Ch],eax
6f056101 7c3b jl JP2KLib!JP2KCopyRect+0x16b0 (6f05613e)
6f056103 8bf8 mov edi,eax
6f056105 8b4b10 mov ecx,dword ptr [ebx+10h]
6f056108 ff431c inc dword ptr [ebx+1Ch]
JP2KLib!JP2KCopyRect+0x167d:
6f05610b 8a01 mov al,byte ptr [ecx] // current instruction
6f05610d 884318 mov byte ptr [ebx+18h],al
6f056110 8d4101 lea eax,[ecx+1]
6f056113 0fb65318 movzx edx,byte ptr [ebx+18h]
6f056117 894310 mov dword ptr [ebx+10h],eax
6f05611a 8bca mov ecx,edx
6f05611c 8b45f8 mov eax,dword ptr [ebp-8]
6f05611f 83e10f and ecx,0Fh
6f056122 c1ea04 shr edx,4
6f056125 4e dec esi
6f056126 8b401c mov eax,dword ptr [eax+1Ch]
6f056129 890cb8 mov dword ptr [eax+edi*4],ecx
6f05612c 8b4df8 mov ecx,dword ptr [ebp-8]
6f05612f 8b4120 mov eax,dword ptr [ecx+20h]
6f056132 8914b8 mov dword ptr [eax+edi*4],edx
6f056135 47 inc edi
6f056136 3b792c cmp edi,dword ptr [ecx+2Ch]
6f056139 7eca jle JP2KLib!JP2KCopyRect+0x1677 (6f056105)
6f05613b 8b7d08 mov edi,dword ptr [ebp+8]
6f05613e 8b411c mov eax,dword ptr [ecx+1Ch]
6f056141 8b00 mov eax,dword ptr [eax]
6f056143 894114 mov dword ptr [ecx+14h],eax
6f056146 8b4120 mov eax,dword ptr [ecx+20h]
6f056149 8b00 mov eax,dword ptr [eax]
6f05614b 894118 mov dword ptr [ecx+18h],eax
6f05614e e9d1f6ffff jmp JP2KLib!JP2KCopyRect+0xd96 (6f055824)
6f056153 6a02 push 2
6f056155 58 pop eax
6f056156 50 push eax
6f056157 8bcb mov ecx,ebx
6f056159 e8bd51fcff call JP2KLib!JP2KUserActions::operator=+0xa07b (6f01b31b)
6f05615e 803f00 cmp byte ptr [edi],0
PoC
attached
Attachments:
OOBR@0x4610B.bin
OOBR@0x4610B.pdf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/