Information

Out of bound read due to malformed GIF while being parsed in 2d.x3d

Crash Dump:

Stack

2d.x3d + 0x3613 (id: 5d5, no function symbol available)
2d.x3d + 0x3F00 (id: d6d, no function symbol available)
2d.x3d + 0x28B2 (no function symbol available)
rt3d.dll + 0x1076DD (no function symbol available)
rt3d.dll + 0xCACC7 (no function symbol available)
rt3d.dll!GetPicture + 0x2E

Registers

eax=00002c00 ebx=00000000 ecx=00000002 edx=00002c00 esi=00000002 edi=010fb690
eip=6e203613 esp=010fa654 ebp=010fb664 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
fpcw=027F: rn 53 puozdi  fpsw=4020: top=0 cc=1000 --p-----  fptw=FFFF
fopcode=0000  fpip=0000:6e4e5d0c  fpdp=0000:00000000
st0= 0.000000000000000000000e+0000  st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000  st3= 5.300000000000000000000e+0001
st4= 5.000000000000000000000e+0000  st5= 4.800000000000000000000e+0001
st6= 1.000000000000000000000e+0000  st7= 0.000000000000000000000e+0000
mm0=0000000000000000  mm1=0000000000000000
mm2=0000000000000000  mm3=d400000000000000
mm4=a000000000000000  mm5=c000000000000000
mm6=8000000000000000  mm7=0000000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0.0213317 4.23622e-037 0.0252379 4.23622e-037
xmm7=0.0213317 4.23622e-037 0.0138976 7.51864e+029
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
2d!E3DLLFunc+0x1755:
6e203613 8a8497a0010000  mov     al,byte ptr [edi+edx*4+1A0h] ds:002b:01106830=?? 

Disassembly of stack frame 1 at 2d.x3d + 0x3613

6e20354a 8d4101          lea     eax,[ecx+1]
6e20354d 888294010000    mov     byte ptr [edx+194h],al
6e203553 b800100000      mov     eax,1000h
6e203558 668982a8410000  mov     word ptr [edx+41A8h],ax
6e20355f 33c0            xor     eax,eax
6e203561 40              inc     eax
6e203562 66d3e0          shl     ax,cl
6e203565 668982aa410000  mov     word ptr [edx+41AAh],ax
6e20356c 40              inc     eax
6e20356d 668982ac410000  mov     word ptr [edx+41ACh],ax
6e203574 40              inc     eax
6e203575 668982a0410000  mov     word ptr [edx+41A0h],ax
6e20357c 33c9            xor     ecx,ecx
6e20357e 0fb7c1          movzx   eax,cx
6e203581 83ceff          or      esi,0FFFFFFFFh
6e203584 66898c82a0010000 mov     word ptr [edx+eax*4+1A0h],cx
6e20358c 41              inc     ecx
6e20358d 6689b482a2010000 mov     word ptr [edx+eax*4+1A2h],si
6e203595 663b8aac410000  cmp     cx,word ptr [edx+41ACh]
6e20359c 76e0            jbe     2d!E3DLLFunc+0x16c0 (6e20357e)
6e20359e 5e              pop     esi
6e20359f c3              ret
6e2035a0 83a1bc41000000  and     dword ptr [ecx+41BCh],0
6e2035a7 33c0            xor     eax,eax
6e2035a9 668981b8410000  mov     word ptr [ecx+41B8h],ax
6e2035b0 e98cffffff      jmp     2d!E3DLLFunc+0x1683 (6e203541)
6e2035b5 56              push    esi
6e2035b6 8bf1            mov     esi,ecx
6e2035b8 eb11            jmp     2d!E3DLLFunc+0x170d (6e2035cb)
6e2035ba 8b4e04          mov     ecx,dword ptr [esi+4]
6e2035bd 6a01            push    1
6e2035bf 0fb6c0          movzx   eax,al
6e2035c2 50              push    eax
6e2035c3 8b11            mov     edx,dword ptr [ecx]
6e2035c5 51              push    ecx
6e2035c6 ff5228          call    dword ptr [edx+28h]
6e2035c9 8bce            mov     ecx,esi
6e2035cb e809030000      call    2d!E3DLLFunc+0x1a1b (6e2038d9)
6e2035d0 84c0            test    al,al
6e2035d2 75e6            jne     2d!E3DLLFunc+0x16fc (6e2035ba)
6e2035d4 5e              pop     esi
6e2035d5 c3              ret
6e2035d6 55              push    ebp
6e2035d7 8bec            mov     ebp,esp
6e2035d9 b804100000      mov     eax,1004h
6e2035de e83dfa0500      call    2d!zlibVersion+0x2210 (6e263020)
6e2035e3 a12436296e      mov     eax,dword ptr [2d!zlibVersion+0x32814 (6e293624)]
6e2035e8 33c5            xor     eax,ebp
6e2035ea 8945fc          mov     dword ptr [ebp-4],eax
6e2035ed 53              push    ebx
6e2035ee 8a5d0c          mov     bl,byte ptr [ebp+0Ch]
6e2035f1 660fbec3        movsx   ax,bl
6e2035f5 56              push    esi
6e2035f6 57              push    edi
6e2035f7 0fb7f0          movzx   esi,ax
6e2035fa 8bf9            mov     edi,ecx
6e2035fc 8b4508          mov     eax,dword ptr [ebp+8]
6e2035ff 0fb7c0          movzx   eax,ax
6e203602 46              inc     esi
6e203603 b9ff0f0000      mov     ecx,0FFFh
6e203608 663bf1          cmp     si,cx
6e20360b 7323            jae     2d!E3DLLFunc+0x1772 (6e203630)
6e20360d 0fbfd0          movsx   edx,ax
6e203610 0fb7ce          movzx   ecx,si
2d!E3DLLFunc+0x1755:
6e203613 8a8497a0010000  mov     al,byte ptr [edi+edx*4+1A0h] // current instruction
6e20361a 88840dfcefffff  mov     byte ptr [ebp+ecx-1004h],al
6e203621 0fb78497a2010000 movzx   eax,word ptr [edi+edx*4+1A2h]
6e203629 6685c0          test    ax,ax
6e20362c 79d4            jns     2d!E3DLLFunc+0x1744 (6e203602)
6e20362e eb06            jmp     2d!E3DLLFunc+0x1778 (6e203636)
6e203630 81c6ffff0000    add     esi,0FFFFh
6e203636 0fb7c6          movzx   eax,si
6e203639 8a9405fcefffff  mov     dl,byte ptr [ebp+eax-1004h]
6e203640 0fb787a0410000  movzx   eax,word ptr [edi+41A0h]
6e203647 0fb6ca          movzx   ecx,dl
6e20364a 66898c87a0010000 mov     word ptr [edi+eax*4+1A0h],cx
6e203652 0fb78fa0410000  movzx   ecx,word ptr [edi+41A0h]
6e203659 668b87a8410000  mov     ax,word ptr [edi+41A8h]
6e203660 6689848fa2010000 mov     word ptr [edi+ecx*4+1A2h],ax
6e203668 66ff87a0410000  inc     word ptr [edi+41A0h]
6e20366f 80fb01          cmp     bl,1
6e203672 0fb68dfdefffff  movzx   ecx,byte ptr [ebp-1003h]
6e203679 0fb6c2          movzx   eax,dl
6e20367c 0f44c8          cmove   ecx,eax
6e20367f 888dfdefffff    mov     byte ptr [ebp-1003h],cl
6e203685 0fb7c6          movzx   eax,si
6e203688 8bcf            mov     ecx,edi
6e20368a 0fb68405fcefffff movzx   eax,byte ptr [ebp+eax-1004h]
6e203692 50              push    eax
6e203693 e87f000000      call    2d!E3DLLFunc+0x1859 (6e203717) 

PoC

attached


Attachments:
golden_boy.u3d

References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html