Information

Out-of-bounds write due to a malformed GIF being parsed in 2d.x3d

Crash Dump (Application Verifier reports the corrupted heap block when 2d.x3d frees it via MSVCR120!free, so the out-of-bounds write itself happens earlier in the GIF parser than the frames shown; 2d.x3d + 0x408A is only where the corruption is detected):

Stack

verifier.dll!VerifierBreakin + 0x42 (this frame is irrelevant to this bug)
verifier.dll!VerifierCaptureContextAndReportStop + 0xF0 (this frame is irrelevant to this bug)
verifier.dll!VerifierStopMessage + 0x2C7 (this frame is irrelevant to this bug)
verifier.dll!AVrfpDphReportCorruptedBlock + 0x2FC (this frame is irrelevant to this bug)
verifier.dll!AVrfpDphCheckNormalHeapBlock + 0x11A (this frame is irrelevant to this bug)
verifier.dll!AVrfpDphNormalHeapFree + 0x22 (this frame is irrelevant to this bug)
verifier.dll!AVrfDebugPageHeapFree + 0xE3 (this frame is irrelevant to this bug)
ntdll.dll!RtlDebugFreeHeap + 0x3E (this frame is irrelevant to this bug)
ntdll.dll!RtlpFreeHeap + 0xD5 (this frame is irrelevant to this bug)
ntdll.dll!RtlFreeHeap + 0x222 (this frame is irrelevant to this bug)
MSVCR120.dll!free + 0x1A (id: aa2) [[f:\dd\vctools\crt\crtw32\heap\free.c @ 51]]
2d.x3d + 0x408A (id: 82d, no function symbol available)
2d.x3d + 0x28B2 (no function symbol available)
rt3d.dll + 0x1076DD (no function symbol available)
rt3d.dll + 0xCACC7 (no function symbol available)
rt3d.dll!GetPicture + 0x2E

Disassembly of stack frame 11 at MSVCR120.dll!free + 0x1A (note: the listing starts mid-instruction, so everything before 744aece0 is RTTI data and neighbouring code misdecoded; free begins with the `push ebp` whose 55h byte is absorbed into the `je` shown at 744aecdf, and free+0x1A is the `test eax,eax` at 744aecfa, the return address of the HeapFree call)

744aec7d ec              in      al,dx
744aec7e 4a              dec     edx
744aec7f 7451            je      MSVCR120!type_info::`RTTI Base Class Descriptor at (0,-1,0,64)'+0xe (744aecd2)
744aec81 c70194ec4a74    mov     dword ptr [ecx],offset MSVCR120!type_info::`vftable' (744aec94)
744aec87 e8f8f70800      call    MSVCR120!type_info::_Type_info_dtor_internal (7453e484)
744aec8c 59              pop     ecx
744aec8d c3              ret
MSVCR120!type_info::operator== [f:\dd\vctools\crt\crtw32\eh\typinfo.cpp @ 72]:
744aec8e 90              nop
744aec8f 90              nop
744aec90 98              cwde
744aec91 ec              in      al,dx
744aec92 4a              dec     edx
744aec93 7434            je      MSVCR120!type_info::`RTTI Base Class Descriptor at (0,-1,0,64)'+0x5 (744aecc9)
744aec95 de5374          ficom   word ptr [ebx+74h]
MSVCR120!type_info::`RTTI Complete Object Locator':
744aec98 0000            add     byte ptr [eax],al
744aec9a 0000            add     byte ptr [eax],al
744aec9c 0000            add     byte ptr [eax],al
744aec9e 0000            add     byte ptr [eax],al
744aeca0 0000            add     byte ptr [eax],al
744aeca2 0000            add     byte ptr [eax],al
744aeca4 d8f5            fdiv    st,st(5)
744aeca6 57              push    edi
744aeca7 74ac            je      MSVCR120!std::__non_rtti_object::`RTTI Base Class Array'+0x1 (744aec55)
744aeca9 ec              in      al,dx
744aecaa 4a              dec     edx
744aecab 7400            je      MSVCR120!type_info::`RTTI Class Hierarchy Descriptor'+0x1 (744aecad)
744aecad 0000            add     byte ptr [eax],al
744aecaf 0000            add     byte ptr [eax],al
744aecb1 0000            add     byte ptr [eax],al
744aecb3 0001            add     byte ptr [ecx],al
744aecb5 0000            add     byte ptr [eax],al
744aecb7 00bcec4a74c4ec  add     byte ptr [esp+ebp*8-133B8BB6h],bh
744aecbe 4a              dec     edx
744aecbf 7400            je      MSVCR120!type_info::`RTTI Base Class Array'+0x5 (744aecc1)
744aecc1 90              nop
744aecc2 90              nop
744aecc3 90              nop
MSVCR120!type_info::`RTTI Base Class Descriptor at (0,-1,0,64)':
744aecc4 d8f5            fdiv    st,st(5)
744aecc6 57              push    edi
744aecc7 7400            je      MSVCR120!type_info::`RTTI Base Class Descriptor at (0,-1,0,64)'+0x5 (744aecc9)
744aecc9 0000            add     byte ptr [eax],al
744aeccb 0000            add     byte ptr [eax],al
744aeccd 0000            add     byte ptr [eax],al
744aeccf 00ff            add     bh,bh
744aecd1 ff              ???
744aecd2 ff              ???
744aecd3 ff00            inc     dword ptr [eax]
744aecd5 0000            add     byte ptr [eax],al
744aecd7 004000          add     byte ptr [eax],al
744aecda 0000            add     byte ptr [eax],al
744aecdc ac              lods    byte ptr [esi]
744aecdd ec              in      al,dx
744aecde 4a              dec     edx
744aecdf 7455            je      MSVCR120!malloc+0x6 (744aed36)
744aece1 8bec            mov     ebp,esp
744aece3 837d0800        cmp     dword ptr [ebp+8],0
744aece7 7419            je      MSVCR120!free+0x36 (744aed02)
744aece9 ff7508          push    dword ptr [ebp+8]
744aecec 6a00            push    0
744aecee ff35b0f75774    push    dword ptr [MSVCR120!_crtheap (7457f7b0)]
744aecf4 ff15e4515874    call    dword ptr [MSVCR120!_imp__HeapFree (745851e4)] // call
MSVCR120!free+0x1a [f:\dd\vctools\crt\crtw32\heap\free.c @ 51]:
744aecfa 85c0            test    eax,eax // return address
744aecfc 0f8469ed0400    je      MSVCR120!free+0x1e (744fda6b)
744aed02 5d              pop     ebp
744aed03 c3              ret
MSVCR120!malloc [f:\dd\vctools\crt\crtw32\heap\malloc.c @ 84]:
744aed04 90              nop
744aed05 90              nop
744aed06 90              nop
744aed07 90              nop
744aed08 90              nop
744aed09 90              nop
744aed0a 90              nop
744aed0b 90              nop
744aed0c 90              nop
744aed0d 90              nop
744aed0e 90              nop
744aed0f 90              nop
MSVCR120!__crtFlsGetValue [f:\dd\vctools\crt\crtw32\misc\winapisupp.c @ 415]:
744aed10 55              push    ebp
744aed11 8bec            mov     ebp,esp
744aed13 a108fa5774      mov     eax,dword ptr [MSVCR120!encodedKERNEL32Functions+0x8 (7457fa08)]
744aed18 3305b8f75774    xor     eax,dword ptr [MSVCR120!__security_cookie (7457f7b8)]
744aed1e ff7508          push    dword ptr [ebp+8]
744aed21 0f844e040500    je      MSVCR120!__crtFlsGetValue+0x17 (744ff175)
744aed27 ffd0            call    eax
744aed29 5d              pop     ebp
744aed2a c3              ret
744aed2b 90              nop
744aed2c 90              nop
744aed2d 90              nop
744aed2e 90              nop
744aed2f 90              nop 

PoC

attached


Attachments:
golden_boy.u3d

References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html
https://research.checkpoint.com/50-adobe-cves-in-50-days/