Adobe Reader Integer Overflow due to Negative Array Index
We discussed this vulnerability during Episode 112 on 18 January 2022
An integer overflow in Adobe Reader’s parsing of gesture coordinates.
The document.addAnnot function takes an object containing various configuration options, including a gestures key, which is an array of x and y coordinates for the gesture. In processing this array it appears to have a check along the lines of:
if(last_array_index + 1 < 0x55555)
The problem is a last array index of -1: represented as 0xFFFFFFFF, it becomes 0 when 1 is added to it, so it passes this apparent size check despite being over the maximum. The original -1 index is then actually used in calculating an offset, leading to an improper this pointer being used.
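The check described above, modelled as an added C illustration (not Adobe's code): the last index is held as a 32-bit unsigned value so -1 is 0xFFFFFFFF, the 0x55555 bound is the one quoted here, and the 8-byte point layout and function names are assumptions. It shows the vulnerable comparison accepting -1 beside a hardened form that rejects it while agreeing on every valid index.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not Adobe's code. last_index is the index of the final
 * gesture point in a 32-bit unsigned register, so -1 is 0xFFFFFFFF.
 * MAX_POINTS is the 0x55555 bound from the write-up; POINT_SIZE is assumed. */
#define MAX_POINTS 0x55555u
#define POINT_SIZE 8u   /* assumed: x and y as two 32-bit values */

/* Vulnerable form: 0xFFFFFFFF + 1 wraps to 0, which is below MAX_POINTS,
 * so the check passes even though -1 is not a valid index. */
bool check_vulnerable(uint32_t last_index) {
    return last_index + 1u < MAX_POINTS;
}

/* Hardened form: treat the value as signed, reject negatives, and compare
 * the index itself rather than index + 1 so nothing can wrap. */
bool check_fixed(uint32_t last_index) {
    int32_t idx = (int32_t)last_index;
    return idx >= 0 && (uint32_t)idx < MAX_POINTS - 1u;
}

/* Byte offset of the last point from the start of the array. With
 * last_index = 0xFFFFFFFF this wraps to 0xFFFFFFF8 (-8 when read as signed),
 * i.e. it points before the array: the improper-this condition above. */
uint32_t last_point_offset(uint32_t last_index) {
    return last_index * POINT_SIZE;
}

int main(void) {
    uint32_t bad = (uint32_t)-1;
    printf("vulnerable check accepts -1: %d\n", check_vulnerable(bad)); /* 1 */
    printf("fixed check accepts -1:      %d\n", check_fixed(bad));      /* 0 */
    printf("offset of index -1 as signed: %d\n",
           (int32_t)last_point_offset(bad));                            /* -8 */
    return 0;
}
```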