Adobe Reader DC 3D PDF Parsing Flaws Trigger Out-of-Bounds Reads
Adobe patched two out-of-bounds read vulnerabilities in Adobe Reader DC affecting version 2019.010.20099, both tied to the 2d.x3d!_LoadTIFF() processing path used to render embedded U3D 3D content inside PDF files. Tracked as CVE-2019-8010 and CVE-2019-8011, the flaws can be triggered by a crafted PDF containing malformed external texture references in embedded 3D objects, causing the sandboxed Reader process to crash under the logged-on user context.
The bugs affect Acrobat’s handling of ECMA-363 Universal 3D File Format resources, including external image and texture parsing such as PNG- and TIFF-related paths. The issue is not reachable in a default installation unless 3D content display is enabled, but it poses greater risk in environments that routinely exchange 3D PDFs, including CAD-heavy workflows where 3D viewing may be enabled by default. Adobe addressed both issues in advisory APSB19-41 after coordinated disclosure by STAR Labs.
Timeline
Aug 13, 2019
Adobe patches CVE-2019-8010 and CVE-2019-8011 in APSB19-41
Adobe released fixes for CVE-2019-8010 and CVE-2019-8011, addressing the out-of-bounds read vulnerabilities in Reader DC's 3D PDF rendering components. The patch was published in Adobe advisory APSB19-41.
May 7, 2019
STAR Labs reports Adobe Reader DC 3D content flaws to Adobe
STAR Labs notified Adobe of two out-of-bounds read vulnerabilities, CVE-2019-8010 and CVE-2019-8011, affecting Adobe Reader DC 2019.010.20099 in the 2d.x3d/rt3d 3D content handling path. The issues could be triggered by crafted embedded U3D content with malformed external texture references when 3D content display is enabled.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
Adobe Reader DC patched 3D PDF memory corruption flaws in U3D texture handling
Adobe patched two memory corruption vulnerabilities in **Adobe Reader DC 2019.010.20064** affecting the rendering of **3D content embedded in PDF files**. Tracked as `CVE-2019-7119` and `CVE-2019-7120`, the flaws were found in the `2d.x3d` and related `rt3d` processing path used for **ECMA-363 Universal 3D (U3D)** resources and external texture images. One bug allowed an **arbitrary out-of-bounds write** in `TRGB::Read()` and was observed crashing through `2d!png_set_filter_heuristics`, while the other involved an out-of-bounds condition in `TIF::Read()` tied to `_LoadILBM()`, reported as an out-of-bounds read at crash time but patched by Adobe as an **out-of-bounds write**. The vulnerabilities could be triggered with a crafted U3D file that manipulated texture metadata and referenced external image files, including `.iff` content, causing memory corruption when a user enabled 3D content display in a PDF. The exposure was not present in a default configuration unless **3D PDF rendering** was enabled, but organizations that regularly exchange **CAD and other 3D documents** faced higher risk. Adobe addressed both issues in advisory **`APSB19-17`** after coordinated disclosure from STAR Labs.
3 weeks ago
Foxit Reader U3D Parsing Flaws Allowed Code Execution via Malicious PDFs
Foxit Reader contained two memory-corruption vulnerabilities in the `U3DBrowser` plug-in used to render embedded 3D annotations in PDF files, allowing attackers to trigger heap corruption with specially crafted PDF content. **CVE-2019-6983** stemmed from a malformed U3D File Header Block that caused an allocation-size miscalculation through a casting error, followed by an oversized `fread()` into a much smaller heap buffer. **CVE-2019-6982** involved a malformed U3D CLOD Mesh Declaration Block with invalid Inverse Quantization values, producing an 8-byte out-of-bounds heap write beyond a `malloc`-allocated buffer. The flaws affected Foxit Reader 9.x builds, including version `9.1.0.5096` with `U3DBrowser.fpi 9.1.0.425` and version `9.0.1.1049` with `U3DBrowser.fpi 9.0.1.994`. In both cases, successful exploitation could lead to arbitrary code execution in the context of the logged-on user when a victim opened a malicious PDF containing crafted 3D content. Foxit was notified of the issues and released fixes on January 3, 2019, later acknowledging the vulnerabilities in its security bulletins.
3 weeks ago
Adobe Acrobat and Reader JavaScript Use-After-Free Flaws Patched
Adobe patched two use-after-free vulnerabilities in **Acrobat** and **Reader** that were triggered through JavaScript embedded in malicious PDF files. One flaw, tracked as `CVE-2020-3800`, affected the shared `AcroForm.api` plugin and the `xfa.loadXML` method, where malformed XML supplied through JavaScript caused a crash in Acrobat DC on Windows 10. STAR Labs said the bug was reproduced in Acrobat DC `2019.008.20064`, with the vulnerable component identified as `AcroForm.api` version `19.012.20040.17853`, and Adobe addressed it in security advisory `APSB20-13`. A separate flaw, `CVE-2019-16452`, affected Acrobat and Reader DC `2019.012.20035` and earlier through the `getSound()` JavaScript method. Researchers found inconsistent handling of sound-name string objects between a cache dictionary and a JavaScript object's private data, leaving a stale pointer after `toString()` changed the object's representation. STAR Labs reported that a crafted PDF could potentially turn the bug into code execution inside Adobe's sandbox with careful memory manipulation, and Adobe fixed the issue in bulletin `APSB19-55`.
3 weeks ago