Jump to content

Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream


This CHT

Recommended Posts

We have observed the following crash in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
VERIFIER STOP 00000007: pid 0x2C1C: Heap block already freed. 

	0C441000 : Heap handle for the heap owning the block.
	147E6638 : Heap block being freed again.
	00000010 : Size of the heap block.
	00000000 : Not used

This verifier stop is not continuable. Process will be terminated 
when you use the `go' debugger command.


(2c1c.491c): Break instruction exception - code 80000003 (first chance)
eax=66e603a0 ebx=00000000 ecx=000001a1 edx=0536c661 esi=66e5dd88 edi=0c441000
eip=66e53ae6 esp=0536c948 ebp=0536cb5c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
66e53ae6 cc              int     3

0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 0536cb5c 66e58038 66e5d258 00000007 0c441000 vrfcore!VerifierStopMessageEx+0x5b6
01 0536cb80 66d6da5e 00000007 66d61cbc 0c441000 vrfcore!VfCoreRedirectedStopMessage+0x88
02 0536cbd8 66d6b8a8 00000007 66d61cbc 0c441000 verifier!VerifierStopMessage+0x8e
03 0536cc44 66d6bdea 0c441000 00000004 147e6638 verifier!AVrfpDphReportCorruptedBlock+0x1b8
04 0536cca0 66d6c302 0c441000 147e6638 00000004 verifier!AVrfpDphCheckNormalHeapBlock+0x11a
05 0536ccc0 66d6ab43 0c441000 0c640000 01000002 verifier!AVrfpDphNormalHeapFree+0x22
06 0536cce4 77305359 0c440000 01000002 147e6638 verifier!AVrfDebugPageHeapFree+0xe3
07 0536cd54 7725ad86 147e6638 ab70558b 00000000 ntdll!RtlDebugFreeHeap+0x3c
08 0536ceb0 7725ac3d 00000000 147e6638 00000000 ntdll!RtlpFreeHeap+0xd6
09 0536cf04 66e5aad0 0c440000 00000000 147e6638 ntdll!RtlFreeHeap+0x7cd
0a 0536cf20 74a2db1b 0c440000 00000000 147e6638 vrfcore!VfCoreRtlFreeHeap+0x20
0b 0536cf34 74a2dae8 147e6638 00000000 0536cf54 ucrtbase!_free_base+0x1b
0c 0536cf44 0f012849 147e6638 16fd32f8 0536d068 ucrtbase!free+0x18
WARNING: Stack unwind information not available. Following frames may be wrong.
0d 0536cf54 0f6d6441 147e6638 31577737 0536d0b8 AcroRd32!AcroWinMainSandbox+0x6a49
0e 0536d068 0f6c20a4 0536d0d8 00000001 00000b20 AcroRd32!CTJPEGTiledContentWriter::operator=+0x18bb1
0f 0536d230 0f6bf15d 00000000 00000000 00000000 AcroRd32!CTJPEGTiledContentWriter::operator=+0x4814
10 0536d264 0f6b209f 1771f6b4 1771f6b4 194f9078 AcroRd32!CTJPEGTiledContentWriter::operator=+0x18cd
11 0536d278 0f6a5007 194f9078 000033f8 2037a088 AcroRd32!AX_PDXlateToHostEx+0x34404f
12 0536d32c 0f0a57c9 1771f6b4 19053d28 0f0a5730 AcroRd32!AX_PDXlateToHostEx+0x336fb7
13 0536d350 0f0a56c3 1cb80970 00000001 0013d690 AcroRd32!DllCanUnloadNow+0x4c809
14 0536d370 0f02e7e1 0536d390 1cb80970 0013d690 AcroRd32!DllCanUnloadNow+0x4c703
15 0536d398 0f02e78d 1cb80970 00000001 0013d690 AcroRd32!AcroWinMainSandbox+0x229e1
16 0536d3ac 0f0e8a5b 1cb80970 00000001 0013d690 AcroRd32!AcroWinMainSandbox+0x2298d
17 0536d3c8 0f1f4315 1cb80970 00000001 0013d690 AcroRd32!DllCanUnloadNow+0x8fa9b
18 0536d42c 0f6568a8 00000000 00000e44 205378ac AcroRd32!CTJPEGDecoderHasMoreTiles+0x1a15
19 0536d4ac 0f56ae8d 0536d4cc 0536d4dc 315773af AcroRd32!AX_PDXlateToHostEx+0x2e8858
1a 0536d4f0 10d5da8c 17b908d0 0536d55c bb3e57b9 AcroRd32!AX_PDXlateToHostEx+0x1fce3d
1b 0536d56c 10d5e053 0536d5b8 bb3e5771 00000000 AGM!AGMGetVersion+0x16e3c
1c 0536d5a4 10fffb4c 193d706c 0536d5b8 fffffff9 AGM!AGMGetVersion+0x17403
1d 0536d5bc 10cd9a32 0536d650 bb3e5855 17c76ff8 AGM!AGMGetVersion+0x2b8efc
1e 0536da80 10cd75d6 0536df90 17c76ff8 0536df04 AGM!AGMInitialize+0x40c02
1f 0536df24 10cd4133 0536df90 17c76ff8 0536e124 AGM!AGMInitialize+0x3e7a6
20 0536e144 10cd2370 19891678 18f911e8 17c616f8 AGM!AGMInitialize+0x3b303
21 0536e320 10cd0dec 19891678 18f911e8 bb3e61b9 AGM!AGMInitialize+0x39540
22 0536e36c 10cfffbf 19891678 18f911e8 17150de0 AGM!AGMInitialize+0x37fbc
23 0536e398 10cffb7f 18f911e8 bb3e66d1 17150de0 AGM!AGMInitialize+0x6718f
24 00000000 00000000 00000000 00000000 00000000 AGM!AGMInitialize+0x66d4f

0:000> !heap -p -a 147E6638 
    address 147e6638 found in
    _HEAP @ c640000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        147e6610 0009 0000  [00]   147e6638    00010 - (free DelayedFree)
        66d6c396 verifier!AVrfpDphNormalHeapFree+0x000000b6
        66d6ab43 verifier!AVrfDebugPageHeapFree+0x000000e3
        77305359 ntdll!RtlDebugFreeHeap+0x0000003c
        7725ad86 ntdll!RtlpFreeHeap+0x000000d6
        7725ac3d ntdll!RtlFreeHeap+0x000007cd
        66e5aad0 vrfcore!VfCoreRtlFreeHeap+0x00000020
        74a2db1b ucrtbase!_free_base+0x0000001b
        74a2dae8 ucrtbase!free+0x00000018
        f012849 AcroRd32!AcroWinMainSandbox+0x00006a49
        f6d6430 AcroRd32!CTJPEGTiledContentWriter::operator=+0x00018ba0
        f6c20a4 AcroRd32!CTJPEGTiledContentWriter::operator=+0x00004814
        f6bf15d AcroRd32!CTJPEGTiledContentWriter::operator=+0x000018cd
        f6b209f AcroRd32!AX_PDXlateToHostEx+0x0034404f
        f6a5007 AcroRd32!AX_PDXlateToHostEx+0x00336fb7
        f0a57c9 AcroRd32!DllCanUnloadNow+0x0004c809
        f0a56c3 AcroRd32!DllCanUnloadNow+0x0004c703
        f02e7e1 AcroRd32!AcroWinMainSandbox+0x000229e1
        f02e78d AcroRd32!AcroWinMainSandbox+0x0002298d
        f0e8a5b AcroRd32!DllCanUnloadNow+0x0008fa9b
        f1f4315 AcroRd32!CTJPEGDecoderHasMoreTiles+0x00001a15
        f6568a8 AcroRd32!AX_PDXlateToHostEx+0x002e8858
        f56ae8d AcroRd32!AX_PDXlateToHostEx+0x001fce3d
        10d5da8c AGM!AGMGetVersion+0x00016e3c
        10d5e053 AGM!AGMGetVersion+0x00017403
        10fffb4c AGM!AGMGetVersion+0x002b8efc
        10cd9a32 AGM!AGMInitialize+0x00040c02
        10cd75d6 AGM!AGMInitialize+0x0003e7a6
        10cd4133 AGM!AGMInitialize+0x0003b303
        10cd2370 AGM!AGMInitialize+0x00039540
        10cd0dec AGM!AGMInitialize+0x00037fbc
        10cfffbf AGM!AGMInitialize+0x0006718f
--- cut ---


- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with the PageHeap option enabled in Application Verifier.

- The crash occurs immediately after opening the PDF document.

- Attached samples: poc.pdf (crashing file), original.pdf (original file).

- We have minimized the difference between the original and mutated files down to a single byte at offset 0x172b4, which appears to reside inside a binary JP2 image stream. It was modified from 0x1C to 0xFF.

Proof of Concept:
Link to post
Link to comment
Share on other sites


  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...