Talos Vulnerability Report

TALOS-2024-1952

Adobe Acrobat Reader Font CPAL numColorRecords out-of-bounds read vulnerability

May 15, 2024
CVE Number

CVE-2024-30312

SUMMARY

An out-of-bounds read vulnerability exists in the Font functionality of Adobe Acrobat Reader 2023.008.20533. A specially crafted font file embedded into a PDF can trigger this vulnerability, which can lead to disclosure of sensitive information. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. The vulnerability in this advisory is the same as TALOS-2023-1905, as it wasn’t properly patched to cover all cases.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Adobe Acrobat Reader 2023.008.20533

PRODUCT URLS

Acrobat Reader - https://acrobat.adobe.com/us/en/acrobat/pdf-reader.html

CVSSv3 SCORE

6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-125 - Out-of-bounds Read

DETAILS

Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is usually a default PDF reader on systems. It also integrates into web browsers as a plugin for rendering PDFs.

Adobe Acrobat supports parsing of font files embedded in a PDF. This vulnerability is related to the OpenType font format. An OpenType font file starts with a table directory (TableDirectory) followed by one or more table record (TableRecord) entries. The structure of TableDirectory is as follows:

Offset Size   Name
------ ----- --------------------------------------
0x00    0x04  sfntVersion (0x00010000 or 0x4F54544F)
0x04    0x02  numTables
0x06    0x02  searchRange
0x08    0x02  entrySelector
0x0c    0x02  rangeShift

If the value of the sfntVersion field is 0x00010000, the font contains TrueType data. CFF data will be present if the value of sfntVersion is 0x4F54544F ('OTTO'). The numTables field specifies the number of TableRecord entries present in the font file. The structure of a TableRecord entry is as follows:

Offset Size   Name
------ ----- ----------------------------------
0x00    0x04  tableTag
0x04    0x04  tableChecksum
0x08    0x04  tableOffset
0x0C    0x04  tablelength

tableTag is the name of the TableRecord. The tableOffset field specifies the offset of the table from the beginning of the file. The tablelength field indicates the length of the table. The structure of each table depends on the type of table, which is defined by the tableTag. This vulnerability occurs when the value of the tableTag field is the string CPAL, which indicates the table type is Color Palette Table (CPAL).

CPAL is an optional table that defines a palette of colors for use with color fonts. The CPAL table starts with a header. The structure of the CPAL table header is as follows:

Offset Size         Name
------ --------    --------------------------------------
0x00    0x02        cpalVersion
0x02    0x02        numPaletteEntries
0x04    0x02        numPalettes (np)
0x06    0x02        numColorRecords
0x08    0x04        colorRecordsArrayOffset
0x0C    0x02 * np   colorRecordIndices[numPalettes]

cpalVersion indicates the version of the header. The numPaletteEntries field defines the number of palette entries in each palette. The numPalettes field indicates the number of palettes in the table. The numColorRecords field specifies the number of color records. colorRecordIndices is an array of colorRecordIndex values, and the length of the array is numPalettes. The data type of colorRecordIndex is uint16.

The vulnerability described in TALOS-2023-1905 arises when the value of max(colorRecordIndices) + numPaletteEntries is greater than numColorRecords. Here, max(colorRecordIndices) is the largest element in the array. This vulnerable condition can still be triggered in the updated version. It can be observed in the following debugger trace:

0:010> g
Breakpoint 0 hit
Time Travel Position: 4807F0:D6
eax=000000cb ebx=9fef8fb0 ecx=6d794f40 edx=00000000 esi=6d794f40 edi=a1e2afe8
eip=6d84d739 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
CoolType!CTCleanup+0x4fb59:
6d84d739 6a02            push    2
0:010> pc
Time Travel Position: 4807F0:D9
eax=000000cb ebx=9fef8fb0 ecx=6d794f40 edx=00000000 esi=6d794f40 edi=a1e2afe8
eip=6d84d73f esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
CoolType!CTCleanup+0x4fb5f:
6d84d73f ff1530f69b6d    call    dword ptr [CoolType!CTGetVersion+0x1546b0 (6d9bf630)] ds:002b:6d9bf630=778688e0
0:010> p
Time Travel Position: 4807F0:E5
eax=0daf29e8 ebx=9fef8fb0 ecx=6d794f40 edx=00100100 esi=6d794f40 edi=a1e2afe8
eip=6d84d745 esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
CoolType!CTCleanup+0x4fb65:
6d84d745 ffd6            call    esi {CoolType!CTInit+0x218e0 (6d794f40)}   ;<------------------------- (1)
0:010> p
Time Travel Position: 4807F0:FC
eax=0000004c ebx=9fef8fb0 ecx=0000004c edx=00000002 esi=6d794f40 edi=a1e2afe8
eip=6d84d747 esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fb67:
6d84d747 8b730c          mov     esi,dword ptr [ebx+0Ch] ds:002b:9fef8fbc=6d794f40
0:010> pc
Time Travel Position: 4807F0:104
eax=0000004c ebx=9fef8fb0 ecx=6d794f40 edx=00000002 esi=6d794f40 edi=a1e2afe8
eip=6d84d75b esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
CoolType!CTCleanup+0x4fb7b:
6d84d75b ff1530f69b6d    call    dword ptr [CoolType!CTGetVersion+0x1546b0 (6d9bf630)] ds:002b:6d9bf630=778688e0
0:010> pc
Time Travel Position: 4807F0:110
eax=0daf29e8 ebx=9fef8fb0 ecx=6d794f40 edx=00100100 esi=6d794f40 edi=a1e2afe8
eip=6d84d761 esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
CoolType!CTCleanup+0x4fb81:
6d84d761 ffd6            call    esi {CoolType!CTInit+0x218e0 (6d794f40)}     ;<------------------------- (2)      
0:010> p
Time Travel Position: 4807F0:127
eax=000000cc ebx=9fef8fb0 ecx=000000cc edx=00000004 esi=6d794f40 edi=a1e2afe8
eip=6d84d763 esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4fb83:
6d84d763 0fb7c0          movzx   eax,ax
0:010> pc
Time Travel Position: 4807F0:134
eax=00000198 ebx=9fef8fb0 ecx=6d794f40 edx=00000004 esi=6d794f40 edi=a1e2afe8
eip=6d84d788 esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000293
CoolType!CTCleanup+0x4fba8:
6d84d788 ff1530f69b6d    call    dword ptr [CoolType!CTGetVersion+0x1546b0 (6d9bf630)] ds:002b:6d9bf630=778688e0
0:010> pc
Time Travel Position: 4807F0:140
eax=0daf29e8 ebx=9fef8fb0 ecx=6d794f40 edx=00100100 esi=6d794f40 edi=a1e2afe8
eip=6d84d78e esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
CoolType!CTCleanup+0x4fbae:
6d84d78e ffd6            call    esi {CoolType!CTInit+0x218e0 (6d794f40)}  ;<------------------------- (3)    
0:010> p
Time Travel Position: 4807F0:157
eax=0000002b ebx=9fef8fb0 ecx=0000002b edx=00000006 esi=6d794f40 edi=a1e2afe8
eip=6d84d790 esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4fbb0:
6d84d790 8b7318          mov     esi,dword ptr [ebx+18h] ds:002b:9fef8fc8=6d7950c0
[...]
0:010> p
Time Travel Position: 4807F0:18E
eax=00000000 ebx=9fef8fb0 ecx=00000000 edx=9d962d00 esi=6d7950c0 edi=a1e2afe8
eip=6d84d7bb esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x4fbdb:
6d84d7bb 8b45e8          mov     eax,dword ptr [ebp-18h] ss:002b:acc0ec28=0000004c
0:010> p
Time Travel Position: 4807F0:18F
eax=0000004c ebx=9fef8fb0 ecx=00000000 edx=9d962d00 esi=6d7950c0 edi=a1e2afe8
eip=6d84d7be esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x4fbde:
6d84d7be 8b4df4          mov     ecx,dword ptr [ebp-0Ch] ss:002b:acc0ec34=000000cc
0:010> p
Time Travel Position: 4807F0:190
eax=0000004c ebx=9fef8fb0 ecx=000000cc edx=9d962d00 esi=6d7950c0 edi=a1e2afe8
eip=6d84d7c1 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x4fbe1:
6d84d7c1 8b55e4          mov     edx,dword ptr [ebp-1Ch] ss:002b:acc0ec24=0000002b
0:010> p
Time Travel Position: 4807F0:191
eax=0000004c ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=6d7950c0 edi=a1e2afe8
eip=6d84d7c4 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x4fbe4:
6d84d7c4 0fb7f0          movzx   esi,ax
0:010> p
Time Travel Position: 4807F0:192
eax=0000004c ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d7c7 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x4fbe7:
6d84d7c7 8bc6            mov     eax,esi
0:010> p
Time Travel Position: 4807F0:193
eax=0000004c ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d7c9 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x4fbe9:
6d84d7c9 0fb7d2          movzx   edx,dx
0:010> p
Time Travel Position: 4807F0:194
eax=0000004c ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d7cc esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
CoolType!CTCleanup+0x4fbec:
6d84d7cc 0fafc1          imul    eax,ecx                                      ;<------------------------- (4)    
0:010> p
Time Travel Position: 4807F0:195
eax=00003c90 ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d7cf esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4fbef:
6d84d7cf 8975ec          mov     dword ptr [ebp-14h],esi ss:002b:acc0ec2c=6da919d4
0:010> p
Time Travel Position: 4807F0:196
eax=00003c90 ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d7d2 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4fbf2:
6d84d7d2 8955f0          mov     dword ptr [ebp-10h],edx ss:002b:acc0ec30=00000050
0:010> p
Time Travel Position: 4807F0:197
eax=00003c90 ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d7d5 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4fbf5:
6d84d7d5 8945d0          mov     dword ptr [ebp-30h],eax ss:002b:acc0ec10=6d992225
0:010> p
Time Travel Position: 4807F0:198
eax=00003c90 ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d7d8 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4fbf8:
6d84d7d8 3bd0            cmp     edx,eax                                        ;<------------------------- (5)    
0:010> p 
Time Travel Position: 4807F0:199
eax=00003c90 ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d7da esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
CoolType!CTCleanup+0x4fbfa:
6d84d7da 0f87af010000    ja      CoolType!CTCleanup+0x4fdaf (6d84d98f)   [br=0]
0:010> p
Time Travel Position: 4807F0:19A
eax=00003c90 ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d7e0 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
CoolType!CTCleanup+0x4fc00:
6d84d7e0 66837de800      cmp     word ptr [ebp-18h],0     ss:002b:acc0ec28=004c
0:010> p
Time Travel Position: 4807F0:19B
eax=00003c90 ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d7e5 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fc05:
6d84d7e5 760f            jbe     CoolType!CTCleanup+0x4fc16 (6d84d7f6)   [br=0]
0:010> p
Time Travel Position: 4807F0:19C
eax=00003c90 ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d7e7 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fc07:
6d84d7e7 33d2            xor     edx,edx
0:010> p
Time Travel Position: 4807F0:19D
eax=00003c90 ebx=9fef8fb0 ecx=000000cc edx=00000000 esi=0000004c edi=a1e2afe8
eip=6d84d7e9 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4fc09:
6d84d7e9 f7f6            div     eax,esi                                         ;<------------------------- (6)    
0:010> p
Time Travel Position: 4807F0:19E
eax=000000cc ebx=9fef8fb0 ecx=000000cc edx=00000000 esi=0000004c edi=a1e2afe8
eip=6d84d7eb esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4fc0b:
6d84d7eb 3bc1            cmp     eax,ecx
0:010> p
Time Travel Position: 4807F0:19F
eax=000000cc ebx=9fef8fb0 ecx=000000cc edx=00000000 esi=0000004c edi=a1e2afe8
eip=6d84d7ed esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4fc0d:
6d84d7ed 0f859c010000    jne     CoolType!CTCleanup+0x4fdaf (6d84d98f)   [br=0]  ;<------------------------- (7)    
0:010> p
Time Travel Position: 4807F0:1A0
eax=000000cc ebx=9fef8fb0 ecx=000000cc edx=00000000 esi=0000004c edi=a1e2afe8
eip=6d84d7f3 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4fc13:
6d84d7f3 8b55f0          mov     edx,dword ptr [ebp-10h] ss:002b:acc0ec30=0000002b
0:010> p
Time Travel Position: 4807F0:1A1
eax=000000cc ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d7f6 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4fc16:
6d84d7f6 66837de400      cmp     word ptr [ebp-1Ch],0     ss:002b:acc0ec24=002b
0:010> p
Time Travel Position: 4807F0:1A2
eax=000000cc ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d7fb esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4fc1b:
6d84d7fb 0f868e010000    jbe     CoolType!CTCleanup+0x4fdaf (6d84d98f)   [br=0]
0:010> p
Time Travel Position: 4807F0:1A3
eax=000000cc ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d801 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4fc21:
6d84d801 8b4508          mov     eax,dword ptr [ebp+8] ss:002b:acc0ec48=6da919d4
0:010> p
Time Travel Position: 4807F0:1A4
eax=6da919d4 ebx=9fef8fb0 ecx=000000cc edx=0000002b esi=0000004c edi=a1e2afe8
eip=6d84d804 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4fc24:
6d84d804 c1e202          shl     edx,2                                          ;<------------------------- (8)
0:010> p
Time Travel Position: 4807F0:1A5
eax=6da919d4 ebx=9fef8fb0 ecx=000000cc edx=000000ac esi=0000004c edi=a1e2afe8
eip=6d84d807 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4fc27:
6d84d807 52              push    edx
0:010> pc
Time Travel Position: 4807F0:1A9
eax=6da919d4 ebx=9fef8fb0 ecx=6d791500 edx=000000ac esi=6d791500 edi=a1e2afe8
eip=6d84d80d esp=acc0ebf4 ebp=acc0ec40 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4fc2d:
6d84d80d ff1530f69b6d    call    dword ptr [CoolType!CTGetVersion+0x1546b0 (6d9bf630)] ds:002b:6d9bf630=778688e0
0:010> p
Time Travel Position: 4807F0:1B5
eax=0daf22a0 ebx=9fef8fb0 ecx=6d791500 edx=00040001 esi=6d791500 edi=a1e2afe8
eip=6d84d813 esp=acc0ebf4 ebp=acc0ec40 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
CoolType!CTCleanup+0x4fc33:
6d84d813 ffd6            call    esi {CoolType!CTInit+0x1dea0 (6d791500)}   ;<------------------------- (9)
0:010> p
Time Travel Position: 48080F:79
eax=8d5d0f50 ebx=9fef8fb0 ecx=000000ac edx=00000000 esi=6d791500 edi=a1e2afe8
eip=6d84d815 esp=acc0ebf4 ebp=acc0ec40 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
CoolType!CTCleanup+0x4fc35:
6d84d815 837df000        cmp     dword ptr [ebp-10h],0 ss:002b:acc0ec30=0000002b
0:010> dd eax                                                               ;<------------------------- (10)
8d5d0f50  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0f60  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0f70  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0f80  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0f90  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0fa0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0fb0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0fc0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0

A method is called at (1), (2), and (3) to read the numPaletteEntries, numPalettes, and numColorRecords fields of the CPAL table, respectively. Later, the function shown above validates the values of the numPaletteEntries, numPalettes, and numColorRecords fields at (4), (5), (6) and (7). However, this validation is not sufficient. At (8), the size of the vulnerable buffer, namely colorRecordBuf, is calculated by multiplying numColorRecords by 4 (4 * numColorRecords). The malloc function is called at (9), and the size argument of the function comes from the edx register. At (10), we examine colorRecordBuf after the call to malloc.

0:010> p
Time Travel Position: 48080F:98
eax=0db30d2a ebx=9fef8fb0 ecx=6d986950 edx=04004544 esi=6d986950 edi=0000002b
eip=6d84d84e esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
CoolType!CTCleanup+0x4fc6e:
6d84d84e ffd6            call    esi {CoolType!CTGetVersion+0x11b9d0 (6d986950)}
0:010> p
Time Travel Position: 48080F:B6
eax=00000000 ebx=9fef8fb0 ecx=00000000 edx=04004544 esi=6d986950 edi=0000002b
eip=6d84d850 esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei ng nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000296
CoolType!CTCleanup+0x4fc70:
6d84d850 8b4dfc          mov     ecx,dword ptr [ebp-4] ss:002b:acc0ec3c=8d5d0f51
0:010> p
Time Travel Position: 48080F:B7
eax=00000000 ebx=9fef8fb0 ecx=8d5d0f51 edx=04004544 esi=6d986950 edi=0000002b
eip=6d84d853 esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei ng nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000296
CoolType!CTCleanup+0x4fc73:
6d84d853 83c40c          add     esp,0Ch
0:010> p
Time Travel Position: 48080F:B8
eax=00000000 ebx=9fef8fb0 ecx=8d5d0f51 edx=04004544 esi=6d986950 edi=0000002b
eip=6d84d856 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
CoolType!CTCleanup+0x4fc76:
6d84d856 8841ff          mov     byte ptr [ecx-1],al        ds:002b:8d5d0f50=c0
0:010> p
Time Travel Position: 48080F:B9
eax=00000000 ebx=9fef8fb0 ecx=8d5d0f51 edx=04004544 esi=6d986950 edi=0000002b
eip=6d84d859 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
CoolType!CTCleanup+0x4fc79:
6d84d859 8b45d4          mov     eax,dword ptr [ebp-2Ch] ss:002b:acc0ec14=72a2f0b0
0:010> p
Time Travel Position: 48080F:BA
eax=72a2f0b0 ebx=9fef8fb0 ecx=8d5d0f51 edx=04004544 esi=6d986950 edi=0000002b
eip=6d84d85c esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
CoolType!CTCleanup+0x4fc7c:
6d84d85c 8b7308          mov     esi,dword ptr [ebx+8] ds:002b:9fef8fb8=6d986950
0:010> p
Time Travel Position: 48080F:BB
eax=72a2f0b0 ebx=9fef8fb0 ecx=8d5d0f51 edx=04004544 esi=6d986950 edi=0000002b
eip=6d84d85f esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
CoolType!CTCleanup+0x4fc7f:
6d84d85f 03c1            add     eax,ecx
0:010> p
Time Travel Position: 48080F:BC
eax=00000001 ebx=9fef8fb0 ecx=8d5d0f51 edx=04004544 esi=6d986950 edi=0000002b
eip=6d84d861 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000203
CoolType!CTCleanup+0x4fc81:
6d84d861 50              push    eax
0:010> dd 8d5d0f50
8d5d0f50  c0c0c000 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0f60  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0f70  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0f80  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0f90  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0fa0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0fb0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
8d5d0fc0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
0:010> g
Breakpoint 1 hit
Time Travel Position: 48080F:2423
eax=ffffffff ebx=9fef8fb0 ecx=8d5d0ffd edx=04004544 esi=000000af edi=a1e2afe8
eip=6d84d8cf esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4fcef:
6d84d8cf 8b45d0          mov     eax,dword ptr [ebp-30h] ss:002b:acc0ec10=00003c90
0:010> dd 8d5d0f50                                                                    ; <------------------------ (11)
8d5d0f50  4c00cb00 2b00cc00 00000000 03005d00
8d5d0f60  0000ba00 00001200 5d000000 ff000000
8d5d0f70  ff110404 ff321313 ff376f90 ff3fa9f5
8d5d0f80  ff4d1616 ff565656 ff56586f ff5e120f
8d5d0f90  ff5e93b3 ff64a694 ff66471b ff737891
8d5d0fa0  ff74aebe ff77c6b0 ff7cc48f ff7f184c
8d5d0fb0  ff82a63b ff8ad0e3 ff8eb23f ff91ab48
8d5d0fc0  ff934a19 ff946796 ffa6bf4c ffa7cf5b

In the above code, a loop writes 4 * numColorRecords bytes to the colorRecordBuf buffer. At (11), we can examine the colorRecordBuf buffer after the data has been written to it.

0:010> p
Time Travel Position: 48083F:84
eax=000000cc ebx=9fef8fb0 ecx=0000000c edx=0000004c esi=6d791500 edi=a1e2afe8
eip=6d84d8ff esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
CoolType!CTCleanup+0x4fd1f:
6d84d8ff 33ff            xor     edi,edi
0:010> p
Time Travel Position: 48083F:85
eax=000000cc ebx=9fef8fb0 ecx=0000000c edx=0000004c esi=6d791500 edi=00000000
eip=6d84d901 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
CoolType!CTCleanup+0x4fd21:
6d84d901 85d2            test    edx,edx
0:010> p
Time Travel Position: 48083F:86
eax=000000cc ebx=9fef8fb0 ecx=0000000c edx=0000004c esi=6d791500 edi=00000000
eip=6d84d903 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fd23:
6d84d903 7439            je      CoolType!CTCleanup+0x4fd5e (6d84d93e)   [br=0]
0:010> p
Time Travel Position: 48083F:87
eax=000000cc ebx=9fef8fb0 ecx=0000000c edx=0000004c esi=6d791500 edi=00000000
eip=6d84d905 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fd25:
6d84d905 8b730c          mov     esi,dword ptr [ebx+0Ch] ds:002b:9fef8fbc=6d794f40
0:010> p
Time Travel Position: 48083F:88
eax=000000cc ebx=9fef8fb0 ecx=0000000c edx=0000004c esi=6d794f40 edi=00000000
eip=6d84d908 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fd28:
6d84d908 51              push    ecx
0:010> p
Time Travel Position: 48083F:89
eax=000000cc ebx=9fef8fb0 ecx=0000000c edx=0000004c esi=6d794f40 edi=00000000
eip=6d84d909 esp=acc0ebf8 ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fd29:
6d84d909 ff750c          push    dword ptr [ebp+0Ch]  ss:002b:acc0ec4c=acc0ec90
0:010> p
Time Travel Position: 48083F:8A
eax=000000cc ebx=9fef8fb0 ecx=0000000c edx=0000004c esi=6d794f40 edi=00000000
eip=6d84d90c esp=acc0ebf4 ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fd2c:
6d84d90c 8bce            mov     ecx,esi
0:010> p
Time Travel Position: 48083F:8B
eax=000000cc ebx=9fef8fb0 ecx=6d794f40 edx=0000004c esi=6d794f40 edi=00000000
eip=6d84d90e esp=acc0ebf4 ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fd2e:
6d84d90e 53              push    ebx
0:010> p
Time Travel Position: 48083F:8C
eax=000000cc ebx=9fef8fb0 ecx=6d794f40 edx=0000004c esi=6d794f40 edi=00000000
eip=6d84d90f esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fd2f:
6d84d90f ff1530f69b6d    call    dword ptr [CoolType!CTGetVersion+0x1546b0 (6d9bf630)] ds:002b:6d9bf630=778688e0
0:010> p
Time Travel Position: 48083F:98
eax=0daf29e8 ebx=9fef8fb0 ecx=6d794f40 edx=00100100 esi=6d794f40 edi=00000000
eip=6d84d915 esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000247
CoolType!CTCleanup+0x4fd35:
6d84d915 ffd6            call    esi {CoolType!CTInit+0x218e0 (6d794f40)}   ; <------------------------ (12)
0:010> p
Breakpoint 2 hit
Time Travel Position: 48083F:AF
eax=0000005d ebx=9fef8fb0 ecx=0000005d edx=0000000c esi=6d794f40 edi=00000000
eip=6d84d917 esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fd37:
6d84d917 8b4dd8          mov     ecx,dword ptr [ebp-28h] ss:002b:acc0ec18=8d5d0f50
0:010> p
Time Travel Position: 48083F:B0
eax=0000005d ebx=9fef8fb0 ecx=8d5d0f50 edx=0000000c esi=6d794f40 edi=00000000
eip=6d84d91a esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fd3a:
6d84d91a 03c7            add     eax,edi                                     ; <------------------------ (13) 
0:010> p
Time Travel Position: 48083F:B1
eax=0000005d ebx=9fef8fb0 ecx=8d5d0f50 edx=0000000c esi=6d794f40 edi=00000000
eip=6d84d91c esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fd3c:
6d84d91c 8b75f8          mov     esi,dword ptr [ebp-8] ss:002b:acc0ec38=00000000
0:010> p
Time Travel Position: 48083F:B2
eax=0000005d ebx=9fef8fb0 ecx=8d5d0f50 edx=0000000c esi=00000000 edi=00000000
eip=6d84d91f esp=acc0ebf0 ebp=acc0ec40 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
CoolType!CTCleanup+0x4fd3f:
6d84d91f 83c40c          add     esp,0Ch
0:010> p
Time Travel Position: 48083F:B3
eax=0000005d ebx=9fef8fb0 ecx=8d5d0f50 edx=0000000c esi=00000000 edi=00000000
eip=6d84d922 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
CoolType!CTCleanup+0x4fd42:
6d84d922 8b0481          mov     eax,dword ptr [ecx+eax*4] ds:002b:8d5d10c4=????????  
0:010> p
(1548.1f84): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 480841:0
eax=0000005d ebx=9fef8fb0 ecx=8d5d0f50 edx=0000000c esi=00000000 edi=00000000
eip=6d84d922 esp=acc0ebfc ebp=acc0ec40 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
CoolType!CTCleanup+0x4fd42:
6d84d922 8b0481          mov     eax,dword ptr [ecx+eax*4] ds:002b:8d5d10c4=???????? ; <------------------------ (14)

0:010> u
CoolType!CTCleanup+0x4fd42:
6d84d922 8b0481          mov     eax,dword ptr [ecx+eax*4]
6d84d925 8b4dd0          mov     ecx,dword ptr [ebp-30h]
6d84d928 8904b1          mov     dword ptr [ecx+esi*4],eax
6d84d92b 46              inc     esi
6d84d92c 8b4df0          mov     ecx,dword ptr [ebp-10h]
6d84d92f 47              inc     edi
6d84d930 8975f8          mov     dword ptr [ebp-8],esi
6d84d933 3b7dec          cmp     edi,dword ptr [ebp-14h]
0:010> kb
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 acc0ec40 6d8465de     6da919d4 acc0ec90 9fef8fb0 CoolType!CTCleanup+0x4fd42
01 acc0eca4 6d8463b5     00000000 16328fd0 a6012bd8 CoolType!CTCleanup+0x489fe
02 acc0ecf8 6d844581     00000000 00000000 a93d3fd0 CoolType!CTCleanup+0x487d5
03 acc0ed0c 6d864a67     00000000 acc0ed5c 6d96cbd4 CoolType!CTCleanup+0x469a1
04 acc0ed18 6d96cbd4     00000000 16328e74 a79beda8 CoolType!CTCleanup+0x66e87
05 acc0ed5c 6dc429a7     a6012bd8 00000000 acc0ed9c CoolType!CTGetVersion+0x101c54
06 acc0edbc 6db10f67     a59fe8d8 acc0efe0 a433481e AGM!AGMGetVersion+0xc1337
07 acc0f398 6db0ef44     7c7d9570 81b3af70 a59fe8d8 AGM!AGMInitialize+0x37967
08 acc0f55c 6db0ccf2     7c7d9570 81b3af70 a4334e1a AGM!AGMInitialize+0x35944
09 acc0f59c 6db2b41b     7c7d9570 81b3af70 7c7d3eac AGM!AGMInitialize+0x336f2
0a acc0f5c0 6db0bbe0     00000301 6db2afd5 81b3af70 AGM!AGMInitialize+0x51e1b
0b acc0f5c8 6db2afd5     81b3af70 9657cd00 9657cd18 AGM!AGMInitialize+0x325e0
0c acc0f5e8 6db3b29f     81b3af70 a4334dd2 9657cd18 AGM!AGMInitialize+0x519d5
0d acc0f618 6db29dd1     a4334dca acc0f6ec 6db29d30 AGM!AGMInitialize+0x61c9f
0e acc0f654 6db2aa54     81b3af70 a4334d0a 9996af58 AGM!AGMInitialize+0x507d1
0f acc0f66c 6e438301     44eb01f9 9657cd18 acc0f660 AGM!AGMInitialize+0x51454
10 acc0f68c 6e44800a     a7b1ed90 9dd6ecc0 acc0f6a4 AcroRd32!DllCanUnloadNow+0x1f2d41
11 acc0f6a8 6e446f5f     9996af84 44eb0061 a21f6f90 AcroRd32!DllCanUnloadNow+0x202a4a
12 acc0f708 6e4766ec     44eb0001 9fedcfb8 a0c12ff8 AcroRd32!DllCanUnloadNow+0x20199f
13 acc0f768 6e476563     44eb00f9 6e4764f0 a5f06ff8 AcroRd32!DllCanUnloadNow+0x23112c
14 acc0f790 6e476501     0f5eec50 6e4764f0 acc0f7b0 AcroRd32!DllCanUnloadNow+0x230fa3
15 acc0f7a0 75e7fcc9     a5f06ff8 75e7fcb0 acc0f80c AcroRd32!DllCanUnloadNow+0x230f41
16 acc0f7b0 77847c5e     a5f06ff8 d1d42850 00000000 KERNEL32!BaseThreadInitThunk+0x19
17 acc0f80c 77847c2e     ffffffff 77868bfe 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0x11e
18 acc0f81c 00000000     6e4764f0 a5f06ff8 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0xee

In the above code, a loop reads the colorRecordIndices array. The call at (12) reads one element of the array. The index value is calculated at (13) by adding eax and edi. Here, eax is an element of the array, and edi is a counter which is not greater than numPaletteEntries. The calculated index value is used at (14) without any validation to read colorRecordBuf. Here, the vulnerable condition is satisfied, so the calculated index value is greater than numColorRecords, which leads to the out-of-bounds read condition.
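The bounds check that is missing before the read at (14), as an added example (not code from Talos or Adobe): a C validator that parses the CPAL header laid out above and rejects any palette for which colorRecordIndex + numPaletteEntries exceeds numColorRecords. The function names, status names and the two sample tables are constructed for illustration; colorRecordsArrayOffset is taken as relative to the start of the CPAL table, as the OpenType specification defines it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for this example (names are hypothetical). */
enum cpal_status {
    CPAL_OK = 0,
    CPAL_TRUNCATED_HEADER,
    CPAL_INDICES_OUT_OF_TABLE,
    CPAL_RECORDS_OUT_OF_TABLE,
    CPAL_PALETTE_OUT_OF_RANGE   /* the condition described in the advisory */
};

#define CPAL_HEADER_SIZE  12u   /* fixed fields before colorRecordIndices */
#define COLOR_RECORD_SIZE 4u    /* one color record, matching 4 * numColorRecords */

/* OpenType fields are stored big-endian. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* A palette uses records [index, index + numPaletteEntries).
 * The sum is widened to 32 bits so two uint16 values cannot wrap. */
int cpal_palette_in_bounds(uint16_t index, uint16_t num_palette_entries,
                           uint16_t num_color_records)
{
    return (uint32_t)index + num_palette_entries <= num_color_records;
}

/* Validate one CPAL table of `len` bytes before any color record is read. */
enum cpal_status cpal_validate(const uint8_t *tbl, size_t len)
{
    if (len < CPAL_HEADER_SIZE)
        return CPAL_TRUNCATED_HEADER;

    uint16_t num_palette_entries = be16(tbl + 0x02);
    uint16_t num_palettes        = be16(tbl + 0x04);
    uint16_t num_color_records   = be16(tbl + 0x06);
    uint32_t records_offset      = be32(tbl + 0x08);

    /* colorRecordIndices[numPalettes] must lie inside the table. */
    size_t indices_end = CPAL_HEADER_SIZE + (size_t)num_palettes * 2u;
    if (indices_end > len)
        return CPAL_INDICES_OUT_OF_TABLE;

    /* The color record array must lie inside the table. */
    size_t records_size = (size_t)num_color_records * COLOR_RECORD_SIZE;
    if (records_offset > len || records_size > len - records_offset)
        return CPAL_RECORDS_OUT_OF_TABLE;

    /* Every palette must stay inside the numColorRecords records. */
    for (size_t i = 0; i < num_palettes; i++) {
        uint16_t index = be16(tbl + 0x0C + 2u * i);
        if (!cpal_palette_in_bounds(index, num_palette_entries, num_color_records))
            return CPAL_PALETTE_OUT_OF_RANGE;
    }
    return CPAL_OK;
}

/* Constructed sample: 2 palettes of 2 entries, 4 color records, indices {0, 2}. */
static const uint8_t sample_ok[] = {
    0x00, 0x00,  0x00, 0x02,  0x00, 0x02,  0x00, 0x04,   /* version, entries, palettes, records */
    0x00, 0x00, 0x00, 0x10,                              /* colorRecordsArrayOffset = 16 */
    0x00, 0x00,  0x00, 0x02,                             /* colorRecordIndices */
    0x04, 0x04, 0x11, 0xff,  0x13, 0x13, 0x32, 0xff,     /* 4 constructed color records */
    0x90, 0x6f, 0x37, 0xff,  0xf5, 0xa9, 0x3f, 0xff
};

/* Constructed sample: same table, second index is 3, and 3 + 2 > 4. */
static const uint8_t sample_bad[] = {
    0x00, 0x00,  0x00, 0x02,  0x00, 0x02,  0x00, 0x04,
    0x00, 0x00, 0x00, 0x10,
    0x00, 0x00,  0x00, 0x03,
    0x04, 0x04, 0x11, 0xff,  0x13, 0x13, 0x32, 0xff,
    0x90, 0x6f, 0x37, 0xff,  0xf5, 0xa9, 0x3f, 0xff
};

int main(void)
{
    printf("well-formed table: %d\n", cpal_validate(sample_ok, sizeof sample_ok));
    printf("malformed table:   %d\n", cpal_validate(sample_bad, sizeof sample_bad));
    /* Values from the trace: index 0x5d, numPaletteEntries 0x4c, numColorRecords 0x2b. */
    printf("trace values in bounds: %d\n", cpal_palette_in_bounds(0x5d, 0x4c, 0x2b));
    return 0;
}
```

With the values read at (1), (3) and (12) in the trace, the per-palette check fails on the first element, before any color record is indexed.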

Using this vulnerability, it is possible to read arbitrary memory of the process. Because of complex interactions between PDF reader and font subcomponents, especially in the presence of a JavaScript engine, it is possible that sensitive contents of arbitrary memory could be disclosed, which could aid in further exploitation and exploit mitigation bypass.

VENDOR RESPONSE

Adobe released updated software which can be found linked from the advisory: https://helpx.adobe.com/security/products/acrobat/apsb24-29.html

TIMELINE

2024-03-04 - Vendor Disclosure
2024-05-14 - Vendor Patch Release
2024-05-15 - Public Release

Credit

Discovered by KPC of Cisco Talos.