1. Vulnerability Description
2. Vulnerability analysis
2.1 Vulnerability type
2.2 Vulnerability root cause
Because the value of m_nOrigOutputs exceeds the number of elements actually allocated for the array, an out-of-bounds write occurs at line #55 of Figure 2.
With the help of the ASan crash dump we can locate the relevant source code: the size of the array is determined by the return value of the following function.
3. Vulnerability exploit
Because the variables m_nOrigOutputs and m_Exponent are read from the corresponding fields of the PDF file, their values can be set precisely, which lets us simplify the assignment step: with m_Exponent = 0, FXSYS_pow(input[i], m_Exponent) always evaluates to 1.
5. Vulnerability Patch
The patch replaces the previous uint32_t with FX_SAFE_UINT32. Its representation in memory: the upper four bytes hold the unsigned int value, and the lower four bytes hold the overflow flag.
Because the arithmetic operators are overloaded, every numerical calculation on this type is checked automatically, so neither overflow nor underflow can go unnoticed. The check itself relies on the compiler's built-in overflow detection function __builtin_add_overflow. Once an overflow has been flagged, the function containing result_array returns immediately (see Figure 10).
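As an added example covering both the root cause in section 2.2 and the patch in section 5 (this is illustrative code, not the original writeup's code and not PDFium's), the C++ below models the pre-patch and post-patch size computations side by side. `SafeUint32` is a simplified stand-in for FX_SAFE_UINT32 with the value-plus-overflow-flag layout the writeup describes, built on the compiler builtins `__builtin_add_overflow` and `__builtin_mul_overflow`; the size formula `n_orig_outputs * n_samples + 1`, the sample values and all function names are constructed for illustration and are not PDFium's actual computation.

```cpp
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical stand-in for FX_SAFE_UINT32: a 32-bit value plus a validity
// flag. The flag is cleared permanently once any operation overflows, so an
// overflow anywhere in an expression poisons the final result.
struct SafeUint32 {
    uint32_t value;
    bool valid;

    explicit SafeUint32(uint32_t v) : value(v), valid(true) {}

    // Overloaded operators delegate the check to the compiler builtins,
    // which return true when the mathematically exact result does not fit.
    SafeUint32 operator+(SafeUint32 rhs) const {
        SafeUint32 r(0);
        r.valid = valid && rhs.valid &&
                  !__builtin_add_overflow(value, rhs.value, &r.value);
        return r;
    }
    SafeUint32 operator*(SafeUint32 rhs) const {
        SafeUint32 r(0);
        r.valid = valid && rhs.valid &&
                  !__builtin_mul_overflow(value, rhs.value, &r.value);
        return r;
    }
};

// Pre-patch pattern (constructed formula): plain uint32_t arithmetic wraps
// silently, so an attacker-controlled element count can yield a tiny buffer.
uint32_t unchecked_output_count(uint32_t n_orig_outputs, uint32_t n_samples) {
    return n_orig_outputs * n_samples + 1;
}

// Does a buffer sized by the unchecked formula actually cover the writes the
// fill loop performs? Computed in 64 bits so we can compare without writing.
bool writes_fit_unchecked(uint32_t n_orig_outputs, uint32_t n_samples) {
    uint64_t needed = static_cast<uint64_t>(n_orig_outputs) * n_samples;
    uint64_t allocated = unchecked_output_count(n_orig_outputs, n_samples);
    return needed <= allocated;
}

// Post-patch pattern: the same formula evaluated on the checked type.
// Any overflow yields "no value" instead of a wrapped count.
std::optional<uint32_t> checked_output_count(uint32_t n_orig_outputs,
                                             uint32_t n_samples) {
    SafeUint32 count = SafeUint32(n_orig_outputs) * SafeUint32(n_samples) +
                       SafeUint32(1);
    if (!count.valid) return std::nullopt;
    return count.value;
}

// Models the patched function that owns result_array: on overflow it returns
// early without allocating or writing; otherwise the buffer is large enough
// for every index the fill loop touches.
bool build_result_array(uint32_t n_orig_outputs, uint32_t n_samples,
                        std::vector<float>* out) {
    std::optional<uint32_t> count = checked_output_count(n_orig_outputs, n_samples);
    if (!count) return false;  // the "return directly" path of the patch
    out->assign(*count, 0.0f);
    for (uint32_t i = 0; i < n_orig_outputs * n_samples; ++i) {
        (*out)[i] = static_cast<float>(i);  // in bounds: count >= product
    }
    return true;
}
```

With the constructed inputs `n_orig_outputs = 0x40000000` and `n_samples = 4`, the product is exactly 2^32: the unchecked formula wraps to a count of 1 while the loop would attempt 2^32 writes, which is the shape of the out-of-bounds write described above; the checked version reports the overflow and the caller bails out before touching memory.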
6. Attack again
7. Fixed by non-security update
8. Vulnerability Reporting Timeline
2018-04-17: bug report submitted