Information

Out of bound write due to malformed GIF while being parsed in 2d.x3d

Crash Dump:

Stack

2d.x3d + 0x377A (id: 872, no function symbol available)
2d.x3d + 0x3698 (id: 477, no function symbol available)
2d.x3d + 0x3F00 (no function symbol available)
2d.x3d + 0x28B2 (no function symbol available)
rt3d.dll + 0x1076DD (no function symbol available)
rt3d.dll + 0xCACC7 (no function symbol available)
rt3d.dll!GetPicture + 0x2E

Registers

eax=00000000 ebx=00000000 ecx=00000007 edx=d0d0d0d0 esi=00000000 edi=003db118
eip=6e20377a esp=003da0c0 ebp=003da0d0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
fpcw=027F: rn 53 puozdi  fpsw=4020: top=0 cc=1000 --p-----  fptw=FFFF
fopcode=0000  fpip=0000:6e4e5d0c  fpdp=0000:00000000
st0= 0.000000000000000000000e+0000  st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000  st3= 5.300000000000000000000e+0001
st4= 5.000000000000000000000e+0000  st5= 4.800000000000000000000e+0001
st6= 1.000000000000000000000e+0000  st7= 0.000000000000000000000e+0000
mm0=0000000000000000  mm1=0000000000000000
mm2=0000000000000000  mm3=d400000000000000
mm4=a000000000000000  mm5=c000000000000000
mm6=8000000000000000  mm7=0000000000000000
xmm0=0 0 1.75 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0.0213317 4.23622e-037 0.0252379 4.23622e-037
xmm7=0.0213317 4.23622e-037 0.0138976 7.51864e+029
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
2d!E3DLLFunc+0x18bc:
6e20377a 300432          xor     byte ptr [edx+esi],al      ds:002b:d0d0d0d0=?? 

Disassembly of stack frame 1 at 2d.x3d + 0x377A

6e2036b8 83f808          cmp     eax,8
6e2036bb 7441            je      2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036bd 83f810          cmp     eax,10h
6e2036c0 743c            je      2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036c2 83f820          cmp     eax,20h
6e2036c5 7437            je      2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036c7 83f840          cmp     eax,40h
6e2036ca 7432            je      2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036cc b980000000      mov     ecx,80h
6e2036d1 663bc1          cmp     ax,cx
6e2036d4 7428            je      2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036d6 b900010000      mov     ecx,100h
6e2036db 663bc1          cmp     ax,cx
6e2036de 741e            je      2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036e0 b900020000      mov     ecx,200h
6e2036e5 663bc1          cmp     ax,cx
6e2036e8 7414            je      2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036ea b900040000      mov     ecx,400h
6e2036ef 663bc1          cmp     ax,cx
6e2036f2 740a            je      2d!E3DLLFunc+0x1840 (6e2036fe)
6e2036f4 b900080000      mov     ecx,800h
6e2036f9 663bc1          cmp     ax,cx
6e2036fc 7506            jne     2d!E3DLLFunc+0x1846 (6e203704)
6e2036fe fe8794010000    inc     byte ptr [edi+194h]
6e203704 8b4dfc          mov     ecx,dword ptr [ebp-4]
6e203707 5f              pop     edi
6e203708 5e              pop     esi
6e203709 33cd            xor     ecx,ebp
6e20370b 5b              pop     ebx
6e20370c e847f80500      call    2d!zlibVersion+0x2148 (6e262f58)
6e203711 8be5            mov     esp,ebp
6e203713 5d              pop     ebp
6e203714 c20800          ret     8
6e203717 55              push    ebp
6e203718 8bec            mov     ebp,esp
6e20371a 53              push    ebx
6e20371b 56              push    esi
6e20371c 57              push    edi
6e20371d 8bf9            mov     edi,ecx
6e20371f 6a08            push    8
6e203721 5e              pop     esi
6e203722 8a9f93000000    mov     bl,byte ptr [edi+93h]
6e203728 84db            test    bl,bl
6e20372a 750e            jne     2d!E3DLLFunc+0x187c (6e20373a)
6e20372c 8a8792000000    mov     al,byte ptr [edi+92h]
6e203732 888793000000    mov     byte ptr [edi+93h],al
6e203738 eb14            jmp     2d!E3DLLFunc+0x1890 (6e20374e)
6e20373a 0fb68fa6410000  movzx   ecx,byte ptr [edi+41A6h]
6e203741 8bc6            mov     eax,esi
6e203743 99              cdq
6e203744 f7f9            idiv    eax,ecx
6e203746 2ad8            sub     bl,al
6e203748 889f93000000    mov     byte ptr [edi+93h],bl
6e20374e 0fb787a4410000  movzx   eax,word ptr [edi+41A4h]
6e203755 663b4754        cmp     ax,word ptr [edi+54h]
6e203759 7723            ja      2d!E3DLLFunc+0x18c0 (6e20377e)
6e20375b 0fb7b7a2410000  movzx   esi,word ptr [edi+41A2h]
6e203762 8bc8            mov     ecx,eax
6e203764 8b8788000000    mov     eax,dword ptr [edi+88h]
6e20376a 6a08            push    8
6e20376c 8b1488          mov     edx,dword ptr [eax+ecx*4]
6e20376f 8a8f93000000    mov     cl,byte ptr [edi+93h]
6e203775 8b4508          mov     eax,dword ptr [ebp+8]
6e203778 d2e0            shl     al,cl
2d!E3DLLFunc+0x18bc:
6e20377a 300432          xor     byte ptr [edx+esi],al // current instruction
6e20377d 5e              pop     esi
6e20377e 80bf9300000000  cmp     byte ptr [edi+93h],0
6e203785 7507            jne     2d!E3DLLFunc+0x18d0 (6e20378e)
6e203787 66ff87a2410000  inc     word ptr [edi+41A2h]
6e20378e 668b0df836296e  mov     cx,word ptr [2d!zlibVersion+0x328e8 (6e2936f8)]
6e203795 0fb7c1          movzx   eax,cx
6e203798 3b4750          cmp     eax,dword ptr [edi+50h]
6e20379b 0f8cbc000000    jl      2d!E3DLLFunc+0x199f (6e20385d)
6e2037a1 33c0            xor     eax,eax
6e2037a3 33db            xor     ebx,ebx
6e2037a5 668987a2410000  mov     word ptr [edi+41A2h],ax
6e2037ac 40              inc     eax
6e2037ad 66a3f836296e    mov     word ptr [2d!zlibVersion+0x328e8 (6e2936f8)],ax
6e2037b3 889f93000000    mov     byte ptr [edi+93h],bl
6e2037b9 f605fc36296e40  test    byte ptr [2d!zlibVersion+0x328ec (6e2936fc)],40h
6e2037c0 746e            je      2d!E3DLLFunc+0x1972 (6e203830)
6e2037c2 8a8f94000000    mov     cl,byte ptr [edi+94h]
6e2037c8 0fb6c1          movzx   eax,cl
6e2037cb 48              dec     eax
6e2037cc 7425            je      2d!E3DLLFunc+0x1935 (6e2037f3)
6e2037ce 48              dec     eax
6e2037cf 7415            je      2d!E3DLLFunc+0x1928 (6e2037e6)
6e2037d1 48              dec     eax
6e2037d2 48              dec     eax
6e2037d3 7405            je      2d!E3DLLFunc+0x191c (6e2037da)
6e2037d5 83e804          sub     eax,4
6e2037d8 7527            jne     2d!E3DLLFunc+0x1943 (6e203801)
6e2037da 668b87a4410000  mov     ax,word ptr [edi+41A4h]
6e2037e1 662bc6          sub     ax,si
6e2037e4 eb18            jmp     2d!E3DLLFunc+0x1940 (6e2037fe)
6e2037e6 668b87a4410000  mov     ax,word ptr [edi+41A4h] 

PoC

attached


Attachments:
golden_boy.u3d

References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html