Adobe Reader Integer Overflow due to Negative Array Index

We discussed this vulnerability during Episode 112 on 18 January 2022

An integer overflow in Adobe Reader’s parsing of gesture coordinates.

The document.addAnnot function takes an object containing various configuration options, including a gestures key, which is an array of x and y coordinates for the gesture. In processing this array it appears to have a check along the lines of

if(last_array_index + 1 < 0x55555)

The problem is that a last array index of -1 is 0xFFFFFFFF as a 32-bit value; adding 1 to it gives 0, so it passes this apparent size check despite being over the maximum. The original -1 index is then actually used in calculating an offset, leading to an improper this pointer being used.
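As an added illustration (not code from the episode or from Adobe Reader), the following C models the check quoted above beside a hardened form that rejects the negative index before any arithmetic. The point_t layout, the function names and the use of 0x55555 as MAX_POINTS are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Limit taken from the check quoted above; its meaning in Reader is assumed. */
#define MAX_POINTS 0x55555

/* Constructed gesture point; the real Reader layout is not known here. */
typedef struct { int32_t x, y; } point_t;

/*
 * Check shaped like the quoted pseudocode. A last index of -1 is
 * 0xFFFFFFFF as a 32-bit value; adding 1 wraps to 0, so the comparison
 * succeeds even though -1 is not a valid index at all.
 */
bool last_index_ok_flawed(int32_t last_index) {
    return (uint32_t)last_index + 1 < MAX_POINTS;
}

/*
 * Hardened form: a negative index is rejected explicitly, and the upper
 * bound is compared without an addition that could wrap.
 */
bool last_index_ok_fixed(int32_t last_index) {
    return last_index >= 0 && last_index < MAX_POINTS - 1;
}

/*
 * Byte offset an unchecked element computation would produce. For -1 the
 * result is negative, i.e. the "element" sits before the array base, which
 * is how a bad index turns into a bad object pointer.
 */
int64_t element_offset(int32_t last_index) {
    return (int64_t)last_index * (int64_t)sizeof(point_t);
}

int main(void) {
    int32_t idx = -1;
    printf("flawed check accepts -1: %d\n", last_index_ok_flawed(idx));
    printf("fixed check accepts -1:  %d\n", last_index_ok_fixed(idx));
    printf("offset for index -1: %lld bytes\n", (long long)element_offset(idx));
    return 0;
}
```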