Information

Out-of-bounds read in the Windows.Data.Pdf.dll module. Note that the faulting instruction at eip (`mov dword ptr [ecx+edx*4],eax`, ds:002b:00023500=????????) is a store, with ecx=00000000 and edx=00008d40 resolving to the unmapped address 0x00023500; the attachment name `AVW@0x00023500` likewise records the fault as an access-violation write.

Crash Dump:

Stack

Windows.Data.Pdf.dll!CTile::_DecodePacket + 0x20C (id: 032)
Windows.Data.Pdf.dll!CTile::Decode + 0x77F (id: 6f5)
Windows.Data.Pdf.dll!CCodeStreamDecoder::Decode + 0x1AB
Windows.Data.Pdf.dll!JPXDecoder::Decode + 0x110
Windows.Data.Pdf.dll!PDF::CJPXDecoderByteStream::_Decode + 0xDF
Windows.Data.Pdf.dll!PDF::CJPXDecoderByteStream::DecodeData + 0x11

Registers

eax=00000000 ebx=07c62ee0 ecx=00000000 edx=00008d40 esi=0b456f90 edi=00000000
eip=6f065f2a esp=005ef210 ebp=005ef26c iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
fpcw=027F: rn 53 puozdi  fpsw=0120: top=0 cc=0001 --p-----  fptw=FFFF
fopcode=0000  fpip=0000:74f7aa37  fpdp=0000:005ef260
st0= 0.000000000000000000000e+0000  st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000  st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000  st5= 0.000000000000000000000e+0000
st6= 1.000000000000000000000e+0000  st7= 0.000000000000000000000e+0000
mm0=0000000000000000  mm1=0000000000000000
mm2=0000000000000000  mm3=0000000000000000
mm4=0000000000000000  mm5=0000000000000000
mm6=8000000000000000  mm7=0000000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=2.09937e-013 -1.23136e+020 6.64739e-009 -6.21747e-012
xmm7=0 0 0 1.4013e-045
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
Windows_Data_Pdf!CTile::_DecodePacket+0x20c:
6f065f2a 890491          mov     dword ptr [ecx+edx*4],eax ds:002b:00023500=???????? 

Disassembly of stack frame 1 at Windows.Data.Pdf.dll!CTile::_DecodePacket + 0x20C

6f065e62 ff7514          push    dword ptr [ebp+14h]
6f065e65 8bcb            mov     ecx,ebx
6f065e67 50              push    eax
6f065e68 ff7510          push    dword ptr [ebp+10h]
6f065e6b 57              push    edi
6f065e6c e846030000      call    Windows_Data_Pdf!CTile::_GetTagTreeData (6f0661b7)
6f065e71 8bf8            mov     edi,eax
6f065e73 897dc8          mov     dword ptr [ebp-38h],edi
6f065e76 807f2000        cmp     byte ptr [edi+20h],0
6f065e7a 0f8419010000    je      Windows_Data_Pdf!CTile::_DecodePacket+0x27b (6f065f99)
6f065e80 33c0            xor     eax,eax
6f065e82 33c9            xor     ecx,ecx
6f065e84 894de8          mov     dword ptr [ebp-18h],ecx
6f065e87 8945d8          mov     dword ptr [ebp-28h],eax
6f065e8a 39471c          cmp     dword ptr [edi+1Ch],eax
6f065e8d 0f8606010000    jbe     Windows_Data_Pdf!CTile::_DecodePacket+0x27b (6f065f99)
6f065e93 33f6            xor     esi,esi
6f065e95 8975ec          mov     dword ptr [ebp-14h],esi
6f065e98 397718          cmp     dword ptr [edi+18h],esi
6f065e9b 0f86e8000000    jbe     Windows_Data_Pdf!CTile::_DecodePacket+0x26b (6f065f89)
6f065ea1 8b4724          mov     eax,dword ptr [edi+24h]
6f065ea4 8bd1            mov     edx,ecx
6f065ea6 c1e202          shl     edx,2
6f065ea9 03c2            add     eax,edx
6f065eab 8955c4          mov     dword ptr [ebp-3Ch],edx
6f065eae 8945dc          mov     dword ptr [ebp-24h],eax
6f065eb1 833800          cmp     dword ptr [eax],0
6f065eb4 0f84bb000000    je      Windows_Data_Pdf!CTile::_DecodePacket+0x257 (6f065f75)
6f065eba 8b08            mov     ecx,dword ptr [eax]
6f065ebc e8614a0000      call    Windows_Data_Pdf!CCodeBlock::Decode (6f06a922)
6f065ec1 8b45dc          mov     eax,dword ptr [ebp-24h]
6f065ec4 8b9300010000    mov     edx,dword ptr [ebx+100h]
6f065eca 8b08            mov     ecx,dword ptr [eax]
6f065ecc 894de0          mov     dword ptr [ebp-20h],ecx
6f065ecf 8b4110          mov     eax,dword ptr [ecx+10h]
6f065ed2 0faf5104        imul    edx,dword ptr [ecx+4]
6f065ed6 8945dc          mov     dword ptr [ebp-24h],eax
6f065ed9 6b45100c        imul    eax,dword ptr [ebp+10h],0Ch
6f065edd 0311            add     edx,dword ptr [ecx]
6f065edf 33c9            xor     ecx,ecx
6f065ee1 214dd0          and     dword ptr [ebp-30h],ecx
6f065ee4 038308010000    add     eax,dword ptr [ebx+108h]
6f065eea 8945cc          mov     dword ptr [ebp-34h],eax
6f065eed 8b45e0          mov     eax,dword ptr [ebp-20h]
6f065ef0 894df0          mov     dword ptr [ebp-10h],ecx
6f065ef3 8b7028          mov     esi,dword ptr [eax+28h]
6f065ef6 8b402c          mov     eax,dword ptr [eax+2Ch]
6f065ef9 2bc6            sub     eax,esi
6f065efb 8b75ec          mov     esi,dword ptr [ebp-14h]
6f065efe c1f802          sar     eax,2
6f065f01 85c0            test    eax,eax
6f065f03 7444            je      Windows_Data_Pdf!CTile::_DecodePacket+0x22b (6f065f49)
6f065f05 8b7dd0          mov     edi,dword ptr [ebp-30h]
6f065f08 8b75e0          mov     esi,dword ptr [ebp-20h]
6f065f0b 3b4ddc          cmp     ecx,dword ptr [ebp-24h]
6f065f0e 750f            jne     Windows_Data_Pdf!CTile::_DecodePacket+0x201 (6f065f1f)
6f065f10 8b8300010000    mov     eax,dword ptr [ebx+100h]
6f065f16 2b45dc          sub     eax,dword ptr [ebp-24h]
6f065f19 03d0            add     edx,eax
6f065f1b 8365f000        and     dword ptr [ebp-10h],0
6f065f1f 8b45cc          mov     eax,dword ptr [ebp-34h]
6f065f22 8b08            mov     ecx,dword ptr [eax]
6f065f24 8b4628          mov     eax,dword ptr [esi+28h]
6f065f27 8b04b8          mov     eax,dword ptr [eax+edi*4]
Windows_Data_Pdf!CTile::_DecodePacket+0x20c:
6f065f2a 890491          mov     dword ptr [ecx+edx*4],eax // current instruction
6f065f2d 42              inc     edx
6f065f2e 8b462c          mov     eax,dword ptr [esi+2Ch]
6f065f31 47              inc     edi
6f065f32 2b4628          sub     eax,dword ptr [esi+28h]
6f065f35 8b4df0          mov     ecx,dword ptr [ebp-10h]
6f065f38 41              inc     ecx
6f065f39 c1f802          sar     eax,2
6f065f3c 894df0          mov     dword ptr [ebp-10h],ecx
6f065f3f 3bf8            cmp     edi,eax
6f065f41 72c8            jb      Windows_Data_Pdf!CTile::_DecodePacket+0x1ed (6f065f0b)
6f065f43 8b7dc8          mov     edi,dword ptr [ebp-38h]
6f065f46 8b75ec          mov     esi,dword ptr [ebp-14h]
6f065f49 8b4724          mov     eax,dword ptr [edi+24h]
6f065f4c 0345c4          add     eax,dword ptr [ebp-3Ch]
6f065f4f 8945cc          mov     dword ptr [ebp-34h],eax
6f065f52 8b00            mov     eax,dword ptr [eax]
6f065f54 8945c4          mov     dword ptr [ebp-3Ch],eax
6f065f57 85c0            test    eax,eax
6f065f59 7417            je      Windows_Data_Pdf!CTile::_DecodePacket+0x254 (6f065f72)
6f065f5b 8bc8            mov     ecx,eax
6f065f5d e8b772ffff      call    Windows_Data_Pdf!CCodeBlock::~CCodeBlock (6f05d219)
6f065f62 ff75c4          push    dword ptr [ebp-3Ch]
6f065f65 ff15e477206f    call    dword ptr [Windows_Data_Pdf!_imp_??3YAXPAXZ (6f2077e4)]
6f065f6b 8b45cc          mov     eax,dword ptr [ebp-34h]
6f065f6e 59              pop     ecx
6f065f6f 832000          and     dword ptr [eax],0
6f065f72 8b4de8          mov     ecx,dword ptr [ebp-18h]
6f065f75 46              inc     esi
6f065f76 41              inc     ecx
6f065f77 8975ec          mov     dword ptr [ebp-14h],esi
6f065f7a 894de8          mov     dword ptr [ebp-18h],ecx 

PoC

attached


Attachments:
AVW@0x00023500@CTile_DecodePacket1.pdf

References:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8464