CVE-2016-3579
When parsing a specially crafted PDF document, a value derived from a file is used as a memory pointer leading to a process crash.
http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html
When parsing a PDF file with an object containing a stream, missing object type specification can lead to arbitrary pointer access. In the supplied testcase, a /Type value is missing (originaly /XRef) and trailing bytes are interpreted as type. An ASCII integer value is converted into 32bit integer which is subsequently used as a pointer in a comparison operation. In case the pointer is invalid, process crash occurs.
Technical information below:
An ASCII integer value appearing after /Type element in the supplied PDF file is converted into
32 bit integer (in this case 0x41414141) which ends up being used as a source operand, in esi,
in the comparison instruction against ‘XRef’ value pointed at by edi :
`
.text:B74E9B72 mov esi, [eax]
.text:B74E9B74 mov ecx, 5
.text:B74E9B79 cld
.text:B74E9B7A lea edi, (aXref - 0B74F6998h)[ebx] ; "XRef"
.text:B74E9B80 repe cmpsb
`
Although the value in esi is fully controlled, it is promptly discarded after the comparison
making this issue unexploitable by itself.
2016-04-12 - Vendor Notification
2016-07-19 – Public Disclosure
Discovered by Aleksandar Nikolic of Cisco Talos.