CVE-2018-15929
Information
Out-of-bounds write caused by a malformed JBIG2 stream while it is parsed in Acrobat.dll. In the verifier stop below, the corruption address 08F48FFC is exactly the heap block start 08F48F90 plus the block size 0x6C, i.e. the write lands immediately past the end of a 0x6C-byte allocation; the corrupted suffix pattern is only detected when that block is freed, which is why the crash is reported from the free() frame called by Acrobat.dll.
Crash Dump:
Stack
verifier.dll!VerifierBreakin + 0x42 (this frame is irrelevant to this bug)
verifier.dll!VerifierCaptureContextAndReportStop + 0xF0 (this frame is irrelevant to this bug)
verifier.dll!VerifierStopMessage + 0x2C7 (this frame is irrelevant to this bug)
verifier.dll!AVrfpDphReportCorruptedBlock + 0x285 (this frame is irrelevant to this bug)
verifier.dll!AVrfpDphCheckPageHeapBlock + 0x1BC (this frame is irrelevant to this bug)
verifier.dll!AVrfpDphFindBusyMemory + 0xDA (this frame is irrelevant to this bug)
verifier.dll!AVrfpDphFindBusyMemoryAndRemoveFromBusyList + 0x20 (this frame is irrelevant to this bug)
verifier.dll!AVrfDebugPageHeapFree + 0x90 (this frame is irrelevant to this bug)
ntdll.dll!RtlDebugFreeHeap + 0x3E (this frame is irrelevant to this bug)
ntdll.dll!RtlpFreeHeap + 0x48011 (this frame is irrelevant to this bug)
ntdll.dll!RtlFreeHeap + 0x222 (this frame is irrelevant to this bug)
MSVCR120.dll!free + 0x1A (id: aa2) [[f:\dd\vctools\crt\crtw32\heap\free.c @ 51]]
Acrobat.dll + 0x6781E6 (id: 167, no function symbol available)
Acrobat.dll + 0x65E14D (no function symbol available)
Acrobat.dll + 0x65C57A (no function symbol available)
VERIFIER STOP message
VERIFIER STOP 0000000F: pid 0x7320: corrupted suffix pattern
04611000 : Heap handle
08F48F90 : Heap block
0000006C : Block size
08F48FFC : corruption address
Disassembly of stack frame 12 at MSVCR120.dll!free + 0x1A
7339ec73 ff00 inc dword ptr [eax]
7339ec75 0000 add byte ptr [eax],al
7339ec77 004000 add byte ptr [eax],al
7339ec7a 0000 add byte ptr [eax],al
7339ec7c 44 inc esp
7339ec7d ec in al,dx
7339ec7e 397351 cmp dword ptr [ebx+51h],esi
7339ec81 c70194ec3973 mov dword ptr [ecx],offset MSVCR120!type_info::`vftable' (7339ec94)
7339ec87 e8f8f70800 call MSVCR120!type_info::_Type_info_dtor_internal (7342e484)
7339ec8c 59 pop ecx
7339ec8d c3 ret
MSVCR120!type_info::operator== [f:\dd\vctools\crt\crtw32\eh\typinfo.cpp @ 72]:
7339ec8e 90 nop
7339ec8f 90 nop
7339ec90 98 cwde
7339ec91 ec in al,dx
7339ec92 397334 cmp dword ptr [ebx+34h],esi
7339ec95 de4273 fiadd word ptr [edx+73h]
MSVCR120!type_info::`RTTI Complete Object Locator':
7339ec98 0000 add byte ptr [eax],al
7339ec9a 0000 add byte ptr [eax],al
7339ec9c 0000 add byte ptr [eax],al
7339ec9e 0000 add byte ptr [eax],al
7339eca0 0000 add byte ptr [eax],al
7339eca2 0000 add byte ptr [eax],al
7339eca4 d8f5 fdiv st,st(5)
7339eca6 46 inc esi
7339eca7 73ac jae MSVCR120!std::__non_rtti_object::`RTTI Base Class Array'+0x1 (7339ec55)
7339eca9 ec in al,dx
7339ecaa 397300 cmp dword ptr [ebx],esi
7339ecad 0000 add byte ptr [eax],al
7339ecaf 0000 add byte ptr [eax],al
7339ecb1 0000 add byte ptr [eax],al
7339ecb3 0001 add byte ptr [ecx],al
7339ecb5 0000 add byte ptr [eax],al
7339ecb7 00bcec3973c4ec add byte ptr [esp+ebp*8-133B8CC7h],bh
7339ecbe 397300 cmp dword ptr [ebx],esi
7339ecc1 90 nop
7339ecc2 90 nop
7339ecc3 90 nop
MSVCR120!type_info::`RTTI Base Class Descriptor at (0,-1,0,64)':
7339ecc4 d8f5 fdiv st,st(5)
7339ecc6 46 inc esi
7339ecc7 7300 jae MSVCR120!type_info::`RTTI Base Class Descriptor at (0,-1,0,64)'+0x5 (7339ecc9)
7339ecc9 0000 add byte ptr [eax],al
7339eccb 0000 add byte ptr [eax],al
7339eccd 0000 add byte ptr [eax],al
7339eccf 00ff add bh,bh
7339ecd1 ff ???
7339ecd2 ff ???
7339ecd3 ff00 inc dword ptr [eax]
7339ecd5 0000 add byte ptr [eax],al
7339ecd7 004000 add byte ptr [eax],al
7339ecda 0000 add byte ptr [eax],al
7339ecdc ac lods byte ptr [esi]
7339ecdd ec in al,dx
7339ecde 397355 cmp dword ptr [ebx+55h],esi
7339ece1 8bec mov ebp,esp
7339ece3 837d0800 cmp dword ptr [ebp+8],0
7339ece7 7419 je MSVCR120!free+0x36 (7339ed02)
7339ece9 ff7508 push dword ptr [ebp+8]
7339ecec 6a00 push 0
7339ecee ff35b0f74673 push dword ptr [MSVCR120!_crtheap (7346f7b0)]
7339ecf4 ff15e4514773 call dword ptr [MSVCR120!_imp__HeapFree (734751e4)] // call
MSVCR120!free+0x1a [f:\dd\vctools\crt\crtw32\heap\free.c @ 51]:
7339ecfa 85c0 test eax,eax // return address
7339ecfc 0f8469ed0400 je MSVCR120!free+0x1e (733eda6b)
7339ed02 5d pop ebp
7339ed03 c3 ret
MSVCR120!malloc [f:\dd\vctools\crt\crtw32\heap\malloc.c @ 84]:
7339ed04 90 nop
7339ed05 90 nop
7339ed06 90 nop
7339ed07 90 nop
7339ed08 90 nop
7339ed09 90 nop
7339ed0a 90 nop
7339ed0b 90 nop
7339ed0c 90 nop
7339ed0d 90 nop
7339ed0e 90 nop
7339ed0f 90 nop
MSVCR120!__crtFlsGetValue [f:\dd\vctools\crt\crtw32\misc\winapisupp.c @ 415]:
7339ed10 55 push ebp
7339ed11 8bec mov ebp,esp
7339ed13 a108fa4673 mov eax,dword ptr [MSVCR120!encodedKERNEL32Functions+0x8 (7346fa08)]
7339ed18 3305b8f74673 xor eax,dword ptr [MSVCR120!__security_cookie (7346f7b8)]
7339ed1e ff7508 push dword ptr [ebp+8]
7339ed21 0f844e040500 je MSVCR120!__crtFlsGetValue+0x17 (733ef175)
7339ed27 ffd0 call eax
7339ed29 5d pop ebp
7339ed2a c3 ret
7339ed2b 90 nop
7339ed2c 90 nop
7339ed2d 90 nop
7339ed2e 90 nop
7339ed2f 90 nop
PoC
attached
Attachments:
OOBW[0x6C]@msvcr120.dll!free.pdf
References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/