CVE-2018-12857
Information
Out-of-bounds read in MPS.dll of Adobe Acrobat/Reader (reached via ImageConversion.api, per the stack below) while parsing a corrupted EMF file. The faulting instruction `mov eax,dword ptr [edx+edi]` at MPS.dll+0xE06E7 reads effective address 0x00000008 (edx+edi wraps to 8 in 32-bit arithmetic), an unmapped near-NULL address; the registers are consistent with the first iteration of the copy loop in the disassembly below (esi=8, ecx=edi+4), i.e. the source pointer loaded from [esp+58h] was already 8 when the loop began. As captured, the dump therefore demonstrates a crash (denial of service); whether the read can be steered to leak memory contents is not shown here. Module offsets are build-specific: the offset in the attachment name (0xE0A67) does not match the faulting offset in this dump (0xE06E7), so the PoC may have been captured against a different MPS.dll build.
Crash Dump:
Stack
—
MPS.dll + 0xE06E7 (id: a8f, no function symbol available)
MPS.dll + 0xDE49A (id: 451, no function symbol available)
MPS.dll + 0xDF735 (no function symbol available)
MPS.dll + 0xDE254 (no function symbol available)
MPS.dll + 0xDF593 (no function symbol available)
MPS.dll + 0xAA607 (no function symbol available)
MPS.dll + 0x6EA75 (no function symbol available)
MPS.dll + 0x5E8CF (no function symbol available)
MPS.dll + 0x5ECCC (no function symbol available)
ImageConversion.api + 0xA101 (no function symbol available)
ImageConversion.api + 0x18B5A (no function symbol available)
Registers
eax=00000002 ebx=374dcfee ecx=1a230fec edx=e5dcf020 esi=00000008 edi=1a230fe8
eip=705a06e7 esp=002bb83c ebp=002bc7b0 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
fpcw=027F: rn 53 puozdi fpsw=0020: top=0 cc=0000 --p----- fptw=FFFF
fopcode=0000 fpip=0000:7151263e fpdp=0000:002bb644
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 1.000000000000000000000e+0000 st5= 1.600000000000000000000e+0001
st6= 6.250000000000000000000e-0002 st7= 6.553650000000000000000e+0004
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=8000000000000000 mm5=8000000000000000
mm6=8000000000000000 mm7=8000400000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 -0.254412 -8.02463e+025
xmm7=0 0 0.264585 -4.07363e+009
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
MPS!MPSRecognizeWMF+0x87f47:
705a06e7 8b043a mov eax,dword ptr [edx+edi] ds:002b:00000008=????????
Disassembly of the faulting frame (stack frame 1 above, MPS.dll + 0xE06E7, eip = 705a06e7):
// NOTE(review): WinDbg-style listing (Intel syntax, 32-bit x86) of the frame
// that faults at 705a06e7. Addresses and module offsets are build-specific.
// Locals are addressed as [esp+NN]; where a slot's meaning is inferred rather
// than shown by the code, the comment says so.
705a0601 8b742424 mov esi,dword ptr [esp+24h]
705a0605 89842480000000 mov dword ptr [esp+80h],eax
// mov does not touch flags: this je tests a condition set before this window.
705a060c 0f847b010000 je MPS!MPSRecognizeWMF+0x87fed (705a078d)
705a0612 807c247800 cmp byte ptr [esp+78h],0
705a0617 0f8470010000 je MPS!MPSRecognizeWMF+0x87fed (705a078d)
// Save the byte at [eax+1] into [esp+12h], then set it to 1.
705a061d 8a4801 mov cl,byte ptr [eax+1]
705a0620 c6400101 mov byte ptr [eax+1],1
705a0624 8b442414 mov eax,dword ptr [esp+14h]
705a0628 884c2412 mov byte ptr [esp+12h],cl
// Virtual call through slot 0Ch of the object at [esi+95498h], with
// ([esp+14h] << 2) as argument; [esp+14h] is also copied to [esp+50h].
// The result (eax -> edi, kept at [esp+4Ch]) is the destination cursor of
// the copy loop below, so this presumably allocates [esp+14h] 4-byte
// elements -- confirm. No check of the returned pointer is visible here.
705a062c 8b8e98540900 mov ecx,dword ptr [esi+95498h]
705a0632 89442450 mov dword ptr [esp+50h],eax
705a0636 c1e002 shl eax,2
705a0639 50 push eax
705a063a 8b11 mov edx,dword ptr [ecx]
705a063c 51 push ecx
705a063d ff520c call dword ptr [edx+0Ch]
705a0640 8bf8 mov edi,eax
// Select one of two objects in a 0x91C-byte record indexed by [esi+48E3Ch]
// (offset 420h if the byte at 908h is non-zero, else 41Ch) and call its
// vtable slot 20h; the result is kept at [esp+0Ch] and selects the loop
// variant below.
705a0642 69863c8e04001c090000 imul eax,dword ptr [esi+48E3Ch],91Ch
705a064c 897c244c mov dword ptr [esp+4Ch],edi
705a0650 80bc300809000000 cmp byte ptr [eax+esi+908h],0
705a0658 740f je MPS!MPSRecognizeWMF+0x87ec9 (705a0669)
705a065a 8b8c3020040000 mov ecx,dword ptr [eax+esi+420h]
705a0661 51 push ecx
705a0662 8b11 mov edx,dword ptr [ecx]
705a0664 ff5220 call dword ptr [edx+20h]
705a0667 eb0d jmp MPS!MPSRecognizeWMF+0x87ed6 (705a0676)
705a0669 8b84301c040000 mov eax,dword ptr [eax+esi+41Ch]
705a0670 50 push eax
705a0671 8b08 mov ecx,dword ptr [eax]
705a0673 ff5120 call dword ptr [ecx+20h]
705a0676 8b4c2420 mov ecx,dword ptr [esp+20h]
705a067a 8944240c mov dword ptr [esp+0Ch],eax
// Path split: if [esp+14h] == [esp+48h] * [esp+20h] take the copy loop
// below, otherwise the second routine at 705a0702.
705a067e 8b442448 mov eax,dword ptr [esp+48h]
705a0682 0fafc1 imul eax,ecx
705a0685 39442414 cmp dword ptr [esp+14h],eax
705a0689 7577 jne MPS!MPSRecognizeWMF+0x87f62 (705a0702)
// Loop count = [esp+20h] - 1, kept at [esp+3Ch]; skipped when <= 0 (signed).
705a068b 49 dec ecx
705a068c 894c243c mov dword ptr [esp+3Ch],ecx
705a0690 85c9 test ecx,ecx
705a0692 0f8ee1000000 jle MPS!MPSRecognizeWMF+0x87fd9 (705a0779)
// Loop setup: eax = destination base (the pointer returned above, == edi),
// esi = source pointer from [esp+58h], edx = esi - eax, ecx = eax + 4.
// With edx as the source-minus-destination delta, [edx+edi] and [edx+ecx]
// address the source relative to the destination cursors. Nothing in this
// window checks the loop count against the size of the buffer at [esp+58h];
// any such check would have to live outside this frame.
705a0698 8b44244c mov eax,dword ptr [esp+4Ch]
705a069c 8b742458 mov esi,dword ptr [esp+58h]
705a06a0 8bd6 mov edx,esi
705a06a2 2bd0 sub edx,eax
705a06a4 8d4804 lea ecx,[eax+4]
705a06a7 8b44243c mov eax,dword ptr [esp+3Ch]
705a06ab eb03 jmp MPS!MPSRecognizeWMF+0x87f10 (705a06b0)
// Alignment filler (lea ecx,[ecx] is a no-op); skipped by the jmp above and
// not a loop target.
705a06ad 8d4900 lea ecx,[ecx]
// Loop top. Variant select: [esp+2Ch] != 2 -> plain 4-byte copy at 705a06e7;
// otherwise [esp+0Ch] == 1 && [esp+13h] == 0 -> float variant, else pair copy.
705a06b0 837c242c02 cmp dword ptr [esp+2Ch],2
705a06b5 7530 jne MPS!MPSRecognizeWMF+0x87f47 (705a06e7)
705a06b7 837c240c01 cmp dword ptr [esp+0Ch],1
705a06bc 751d jne MPS!MPSRecognizeWMF+0x87f3b (705a06db)
705a06be 807c241300 cmp byte ptr [esp+13h],0
705a06c3 7516 jne MPS!MPSRecognizeWMF+0x87f3b (705a06db)
// Float variant: dst[k].lo = src[k].hi + src[k].lo (single precision),
// dst[k].hi = 0, over 8-byte records ([ecx-4]/[ecx] is the dst pair).
705a06c5 f30f10040a movss xmm0,dword ptr [edx+ecx]
705a06ca f30f5806 addss xmm0,dword ptr [esi]
705a06ce c70100000000 mov dword ptr [ecx],0
705a06d4 f30f1141fc movss dword ptr [ecx-4],xmm0
705a06d9 eb15 jmp MPS!MPSRecognizeWMF+0x87f50 (705a06f0)
// Pair-copy variant: copy the 8-byte source record ([esi], [edx+ecx]) into
// the destination pair at [ecx-4]/[ecx].
705a06db 8b06 mov eax,dword ptr [esi]
705a06dd 8941fc mov dword ptr [ecx-4],eax
705a06e0 8b040a mov eax,dword ptr [edx+ecx]
705a06e3 8901 mov dword ptr [ecx],eax
705a06e5 eb05 jmp MPS!MPSRecognizeWMF+0x87f4c (705a06ec)
MPS!MPSRecognizeWMF+0x87f47:
// Plain copy variant: dst[k] = src[k] over 4-byte elements ([edx+edi] is
// src + (edi - dst)). FAULTING INSTRUCTION: in the dump above edx+edi wraps
// to 0x00000008, an unmapped near-NULL address. The registers (esi=8,
// ecx = edi+4, eax=2 = loop count) match the first iteration, i.e. the
// source pointer read from [esp+58h] was already 8 when the loop started.
705a06e7 8b043a mov eax,dword ptr [edx+edi] // current instruction
705a06ea 8907 mov dword ptr [edi],eax
// Advance cursors: esi and ecx by 8 (record-sized), edi by 4; decrement the
// count at [esp+3Ch] and loop until it reaches 0.
705a06ec 8b44243c mov eax,dword ptr [esp+3Ch]
705a06f0 83c608 add esi,8
705a06f3 83c108 add ecx,8
705a06f6 83c704 add edi,4
705a06f9 48 dec eax
705a06fa 8944243c mov dword ptr [esp+3Ch],eax
705a06fe 75b0 jne MPS!MPSRecognizeWMF+0x87f10 (705a06b0)
705a0700 eb73 jmp MPS!MPSRecognizeWMF+0x87fd5 (705a0775)
// Second routine (taken when the size check at 705a0685 fails): iterates
// edx from 0 while edx < [esp+50h] (signed compare; [esp+50h] holds the
// original [esp+14h]), reading 4-byte entries at [esi+edx*4] from the same
// [esp+58h] source pointer into [edi]. [eax+edi] here addresses a stack
// buffer at esp+65Ch relative to the destination cursor. The listing is
// cut off at 705a074a, so the rest of this loop is not visible.
705a0702 8d41ff lea eax,[ecx-1]
705a0705 c744240c00000000 mov dword ptr [esp+0Ch],0
705a070d 33d2 xor edx,edx
705a070f 85c0 test eax,eax
705a0711 7e66 jle MPS!MPSRecognizeWMF+0x87fd9 (705a0779)
705a0713 8b742458 mov esi,dword ptr [esp+58h]
705a0717 8d84245c060000 lea eax,[esp+65Ch]
705a071e 2b44244c sub eax,dword ptr [esp+4Ch]
705a0722 89442434 mov dword ptr [esp+34h],eax
705a0726 3b542450 cmp edx,dword ptr [esp+50h]
705a072a 7d49 jge MPS!MPSRecognizeWMF+0x87fd5 (705a0775)
705a072c 8b4c3804 mov ecx,dword ptr [eax+edi+4]
705a0730 2b0c38 sub ecx,dword ptr [eax+edi]
705a0733 c70700000000 mov dword ptr [edi],0
705a0739 8b0496 mov eax,dword ptr [esi+edx*4]
705a073c 42 inc edx
705a073d 8907 mov dword ptr [edi],eax
705a073f 83f901 cmp ecx,1
705a0742 7614 jbe MPS!MPSRecognizeWMF+0x87fb8 (705a0758)
705a0744 3b542450 cmp edx,dword ptr [esp+50h]
705a0748 7d0e jge MPS!MPSRecognizeWMF+0x87fb8 (705a0758)
705a074a f30f100496 movss xmm0,dword ptr [esi+edx*4]
PoC
attached
Attachments:
AVR@NULL@0xE0A67.emf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/