Information

Out-of-bounds read caused by a malformed JBIG2 stream while it is being parsed in Acrobat.dll. (Note that the faulting instruction at 0x65BF3F, `mov dword ptr [ecx+edx*4+4],esi`, is a 4-byte store to the unmapped address 0x0937d000 and the attached PoC is named OOBW, so the access captured in this dump is an out-of-bounds write rather than a read.)

Crash Dump:

Stack

Acrobat.dll + 0x65BF3F (id: 2ba, no function symbol available)
Acrobat.dll + 0x65BD9E (id: f53, no function symbol available)
Acrobat.dll + 0x660BE4 (no function symbol available)
Acrobat.dll + 0x62DE5C (no function symbol available)

Registers

eax=00000002 ebx=0936cff8 ecx=0937cfe0 edx=80000007 esi=00000020 edi=00000004
eip=6065bf3f esp=012ffa8c ebp=012ffa98 iopl=0         ov up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010a83
fpcw=027F: rn 53 puozdi  fpsw=0021: top=0 cc=0000 --p----i  fptw=FFFF
fopcode=0000  fpip=0000:741a28bb  fpdp=0000:741ef398
st0= 0.000000000000000000000e+0000  st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000  st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000  st5= 0.000000000000000000000e+0000
st6= 1.000000000000000000000e+0000  st7= 1.107148717794090502970e+0000
mm0=0000000000000000  mm1=0000000000000000
mm2=0000000000000000  mm3=0000000000000000
mm4=0000000000000000  mm5=0000000000000000
mm6=8000000000000000  mm7=8db70c975df22363
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=3.71383e+016 -27141.7 -7.73639e-014 3.19093e-031
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
Acrobat!CTJPEGWarningHandler::operator=+0x1a8ef:
6065bf3f 89749104        mov     dword ptr [ecx+edx*4+4],esi ds:002b:0937d000=???????? 

Disassembly of stack frame 1 at Acrobat.dll + 0x65BF3F. The only range check on the table value loaded at 6065bf06 is the signed `jge` at 6065bf0b, so a value with the sign bit set passes it. At the crash edx = 0x80000007, which equals 7 * 0x80000001 modulo 2^32 and is consistent with such a value having been read from [ebp+8][eax*4] (presumably, if that slot was not modified in between); edx*4 then wraps to 0x1C, so the store lands at ecx + 0x20 = 0x0937d000, the unmapped address shown in the register dump. The enclosing function begins at 6065bea0 and continues past the end of this listing.

6065be91 5b              pop     ebx
6065be92 5e              pop     esi
6065be93 8be5            mov     esp,ebp
6065be95 5d              pop     ebp
6065be96 c3              ret
6065be97 33c0            xor     eax,eax
6065be99 5f              pop     edi
6065be9a 5b              pop     ebx
6065be9b 5e              pop     esi
6065be9c 8be5            mov     esp,ebp
6065be9e 5d              pop     ebp
6065be9f c3              ret
6065bea0 55              push    ebp
6065bea1 8bec            mov     ebp,esp
6065bea3 8a4d10          mov     cl,byte ptr [ebp+10h]
6065bea6 33c0            xor     eax,eax
6065bea8 56              push    esi
6065bea9 be01000000      mov     esi,1
6065beae d3e6            shl     esi,cl
6065beb0 897510          mov     dword ptr [ebp+10h],esi
6065beb3 57              push    edi
6065beb4 85f6            test    esi,esi
6065beb6 7418            je      Acrobat!CTJPEGWarningHandler::operator=+0x1a880 (6065bed0)
6065beb8 8b4d2c          mov     ecx,dword ptr [ebp+2Ch]
6065bebb 8bd6            mov     edx,esi
6065bebd 8d4900          lea     ecx,[ecx]
6065bec0 33ff            xor     edi,edi
6065bec2 8d491c          lea     ecx,[ecx+1Ch]
6065bec5 668979e4        mov     word ptr [ecx-1Ch],di
6065bec9 668979f2        mov     word ptr [ecx-0Eh],di
6065becd 4a              dec     edx
6065bece 75f0            jne     Acrobat!CTJPEGWarningHandler::operator=+0x1a870 (6065bec0)
6065bed0 8b7d28          mov     edi,dword ptr [ebp+28h]
6065bed3 ba01000000      mov     edx,1
6065bed8 85ff            test    edi,edi
6065beda 0f8410010000    je      Acrobat!CTJPEGWarningHandler::operator=+0x1a9a0 (6065bff0)
6065bee0 53              push    ebx
6065bee1 8b5d0c          mov     ebx,dword ptr [ebp+0Ch]
6065bee4 803c1800        cmp     byte ptr [eax+ebx],0
6065bee8 7511            jne     Acrobat!CTJPEGWarningHandler::operator=+0x1a8ab (6065befb)
6065beea 8d9b00000000    lea     ebx,[ebx]
6065bef0 3bc7            cmp     eax,edi
6065bef2 7309            jae     Acrobat!CTJPEGWarningHandler::operator=+0x1a8ad (6065befd)
6065bef4 40              inc     eax
6065bef5 803c1800        cmp     byte ptr [eax+ebx],0
6065bef9 74f5            je      Acrobat!CTJPEGWarningHandler::operator=+0x1a8a0 (6065bef0)
6065befb 3bc7            cmp     eax,edi
6065befd 0f84e7000000    je      Acrobat!CTJPEGWarningHandler::operator=+0x1a99a (6065bfea)
6065bf03 8b5508          mov     edx,dword ptr [ebp+8]
6065bf06 8b1482          mov     edx,dword ptr [edx+eax*4]
6065bf09 3bd6            cmp     edx,esi
6065bf0b 0f8d06010000    jge     Acrobat!CTJPEGWarningHandler::operator=+0x1a9c7 (6065c017)
6065bf11 8d0cd500000000  lea     ecx,[edx*8]
6065bf18 be01000000      mov     esi,1
6065bf1d 2bca            sub     ecx,edx
6065bf1f 8b552c          mov     edx,dword ptr [ebp+2Ch]
6065bf22 6689348a        mov     word ptr [edx+ecx*4],si
6065bf26 8b4d14          mov     ecx,dword ptr [ebp+14h]
6065bf29 0fb63408        movzx   esi,byte ptr [eax+ecx]
6065bf2d 8b4d08          mov     ecx,dword ptr [ebp+8]
6065bf30 8b0c81          mov     ecx,dword ptr [ecx+eax*4]
6065bf33 8d14cd00000000  lea     edx,[ecx*8]
6065bf3a 2bd1            sub     edx,ecx
6065bf3c 8b4d2c          mov     ecx,dword ptr [ebp+2Ch]
Acrobat!CTJPEGWarningHandler::operator=+0x1a8ef:
6065bf3f 89749104        mov     dword ptr [ecx+edx*4+4],esi // current instruction
6065bf43 8b4d08          mov     ecx,dword ptr [ebp+8]
6065bf46 8b752c          mov     esi,dword ptr [ebp+2Ch]
6065bf49 8b0c81          mov     ecx,dword ptr [ecx+eax*4]
6065bf4c 8d14cd00000000  lea     edx,[ecx*8]
6065bf53 2bd1            sub     edx,ecx
6065bf55 8b4d18          mov     ecx,dword ptr [ebp+18h]
6065bf58 8b0c81          mov     ecx,dword ptr [ecx+eax*4]
6065bf5b 894c9608        mov     dword ptr [esi+edx*4+8],ecx
6065bf5f 8b4d08          mov     ecx,dword ptr [ebp+8]
6065bf62 8b0c81          mov     ecx,dword ptr [ecx+eax*4]
6065bf65 8d14cd00000000  lea     edx,[ecx*8]
6065bf6c 2bd1            sub     edx,ecx
6065bf6e 8b4d08          mov     ecx,dword ptr [ebp+8]
6065bf71 89449610        mov     dword ptr [esi+edx*4+10h],eax
6065bf75 8b0c81          mov     ecx,dword ptr [ecx+eax*4]
6065bf78 8d14cd00000000  lea     edx,[ecx*8]
6065bf7f 2bd1            sub     edx,ecx
6065bf81 8b4d08          mov     ecx,dword ptr [ebp+8]
6065bf84 89449614        mov     dword ptr [esi+edx*4+14h],eax
6065bf88 8b0c81          mov     ecx,dword ptr [ecx+eax*4]
6065bf8b 0fb63418        movzx   esi,byte ptr [eax+ebx]
6065bf8f 8d14cd00000000  lea     edx,[ecx*8]
6065bf96 2bd1            sub     edx,ecx
6065bf98 8b4d2c          mov     ecx,dword ptr [ebp+2Ch]
6065bf9b 89749118        mov     dword ptr [ecx+edx*4+18h],esi
6065bf9f 33f6            xor     esi,esi
6065bfa1 8b4d08          mov     ecx,dword ptr [ebp+8]
6065bfa4 8b0c81          mov     ecx,dword ptr [ecx+eax*4]
6065bfa7 8d14cd00000000  lea     edx,[ecx*8]
6065bfae 2bd1            sub     edx,ecx
6065bfb0 8b4d2c          mov     ecx,dword ptr [ebp+2Ch] 

PoC

attached


Attachments:
OOBW[0x1C]@0x65BF3F.pdf

References:
https://helpx.adobe.com/il_en/security/products/acrobat/apsb18-30.html