
Adobe Reader DC patched 3D PDF memory corruption flaws in U3D texture handling

Tags: endpoint-software-vulnerability, widely-deployed-product-advisory, proof-of-concept-release
Updated April 11, 2026 at 05:23 PM (8 sources)

Adobe patched two memory corruption vulnerabilities in Adobe Reader DC 2019.010.20064 affecting the rendering of 3D content embedded in PDF files. Tracked as CVE-2019-7119 and CVE-2019-7120, the flaws were found in the 2d.x3d and related rt3d processing path used for ECMA-363 Universal 3D (U3D) resources and external texture images. One bug allowed an arbitrary out-of-bounds write in TRGB::Read() and was observed crashing through 2d!png_set_filter_heuristics, while the other involved an out-of-bounds condition in TIF::Read() tied to _LoadILBM(), reported as an out-of-bounds read at crash time but patched by Adobe as an out-of-bounds write.

The vulnerabilities could be triggered with a crafted U3D file that manipulated texture metadata and referenced external image files, including .iff content, causing memory corruption when a user enabled 3D content display in a PDF. The exposure was not present in a default configuration unless 3D PDF rendering was enabled, but organizations that regularly exchange CAD and other 3D documents faced higher risk. Adobe addressed both issues in advisory APSB19-17 after coordinated disclosure from STAR Labs.
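
A triage check for the exposure described above, added here as an example and not taken from Adobe's or STAR Labs' material: it flags PDFs that carry 3D annotations or U3D streams so they can be reviewed before reaching hosts where 3D rendering is enabled. The function names and sample bytes are constructed for illustration; the markers (`/Subtype /3D`, `/Subtype /U3D`, the `U3D\0` file header) come from the PDF and ECMA-363 specifications.

```python
import re
import zlib

# PDF names may hex-escape any character as #XX, so /#33D is a valid spelling of /3D.
_NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
_ANNOT_3D = re.compile(rb"/Subtype\s*/3D(?![0-9A-Za-z])")     # 3D annotation
_STREAM_U3D = re.compile(rb"/Subtype\s*/U3D(?![0-9A-Za-z])")  # 3D stream holding U3D
U3D_MAGIC = b"U3D\x00"  # ECMA-363 File Header block type 0x00443355, little-endian


def _views(pdf: bytes):
    """Yield the raw file, then every stream body that inflates as zlib data."""
    yield pdf
    for m in _STREAM.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not FlateDecode; its raw bytes are already in the first view


def scan_pdf_for_3d(pdf: bytes) -> dict:
    """Report which 3D/U3D markers appear in the file or its inflated streams."""
    found = {"annot_3d": False, "u3d_stream": False, "u3d_magic": False}
    for view in _views(pdf):
        names = _NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), view)
        found["annot_3d"] |= bool(_ANNOT_3D.search(names))
        found["u3d_stream"] |= bool(_STREAM_U3D.search(names))
        found["u3d_magic"] |= U3D_MAGIC in view
    found["has_3d"] = any(found.values())
    return found


def constructed_sample() -> bytes:
    """Constructed bytes (not a complete PDF): a compressed object stream hiding
    an escaped 3D annotation, plus a FlateDecode 3D stream with a U3D header."""
    annot = zlib.compress(b"<< /Type /Annot /Subtype /#33D /3DD 5 0 R >>")
    u3d = zlib.compress(U3D_MAGIC + b"\x00" * 28)
    return (b"%PDF-1.7\n4 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
            + annot + b"\nendstream\nendobj\n"
            b"5 0 obj\n<< /Type /3D /Subtype /U3D /Filter /FlateDecode >>\nstream\n"
            + u3d + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(scan_pdf_for_3d(constructed_sample()))
```

A hit means only that the file carries 3D content, not that it is malicious; encrypted documents and streams using filters other than Flate are outside what this scan sees.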

Timeline

  1. Apr 9, 2019

    Adobe releases APSB19-17 patch for CVE-2019-7119 and CVE-2019-7120

    Adobe patched the two Adobe Reader DC vulnerabilities through advisory APSB19-17. The fixes addressed memory corruption issues in the 2d.x3d/rt3d processing path related to external texture image parsing in embedded 3D PDF content.

  2. Feb 12, 2019

    Adobe patches CVE-2019-7035 in APSB19-07

    Adobe acknowledged and fixed CVE-2019-7035, an Adobe Reader DC 3D PDF parsing flaw involving external GIF texture handling in the 2d.x3d module. STAR Labs' advisory says the bug could cause an arbitrary one-byte XOR write in the sandboxed process when 3D content display was enabled.

  3. Jan 25, 2019

    STAR Labs reports Adobe Reader DC 3D parsing flaws to Adobe

    STAR Labs notified Adobe of two vulnerabilities in Adobe Reader DC's 3D content handling path, later assigned CVE-2019-7119 and CVE-2019-7120. Both issues involved crafted U3D/external texture image processing and could lead to memory corruption when 3D PDF content was enabled.


Related Stories

Adobe Reader DC 3D PDF Parsing Flaws Trigger Out-of-Bounds Reads


Adobe patched two out-of-bounds read vulnerabilities in **Adobe Reader DC** affecting version `2019.010.20099`, both tied to the `2d.x3d!_LoadTIFF()` processing path used to render embedded **U3D** 3D content inside PDF files. Tracked as `CVE-2019-8010` and `CVE-2019-8011`, the flaws can be triggered by a crafted PDF containing malformed external texture references in embedded 3D objects, causing the sandboxed Reader process to crash under the logged-on user context. The bugs affect Acrobat’s handling of ECMA-363 Universal 3D File Format resources, including external image and texture parsing such as PNG- and TIFF-related paths. The issue is not reachable in a default installation unless 3D content display is enabled, but it poses greater risk in environments that routinely exchange 3D PDFs, including CAD-heavy workflows where 3D viewing may be enabled by default. Adobe addressed both issues in advisory **`APSB19-41`** after coordinated disclosure by STAR Labs.

Foxit Reader U3D Parsing Flaws Allowed Code Execution via Malicious PDFs


Foxit Reader contained two memory-corruption vulnerabilities in the `U3DBrowser` plug-in used to render embedded 3D annotations in PDF files, allowing attackers to trigger heap corruption with specially crafted PDF content. **CVE-2019-6983** stemmed from a malformed U3D File Header Block that caused an allocation-size miscalculation through a casting error, followed by an oversized `fread()` into a much smaller heap buffer. **CVE-2019-6982** involved a malformed U3D CLOD Mesh Declaration Block with invalid Inverse Quantization values, producing an 8-byte out-of-bounds heap write beyond a `malloc`-allocated buffer. The flaws affected Foxit Reader 9.x builds, including version `9.1.0.5096` with `U3DBrowser.fpi 9.1.0.425` and version `9.0.1.1049` with `U3DBrowser.fpi 9.0.1.994`. In both cases, successful exploitation could lead to arbitrary code execution in the context of the logged-on user when a victim opened a malicious PDF containing crafted 3D content. Foxit was notified of the issues and released fixes on January 3, 2019, later acknowledging the vulnerabilities in its security bulletins.

Adobe Acrobat and Reader JavaScript Use-After-Free Flaws Patched


Adobe patched two use-after-free vulnerabilities in **Acrobat** and **Reader** that were triggered through JavaScript embedded in malicious PDF files. One flaw, tracked as `CVE-2020-3800`, affected the shared `AcroForm.api` plugin and the `xfa.loadXML` method, where malformed XML supplied through JavaScript caused a crash in Acrobat DC on Windows 10. STAR Labs said the bug was reproduced in Acrobat DC `2019.008.20064`, with the vulnerable component identified as `AcroForm.api` version `19.012.20040.17853`, and Adobe addressed it in security advisory `APSB20-13`. A separate flaw, `CVE-2019-16452`, affected Acrobat and Reader DC `2019.012.20035` and earlier through the `getSound()` JavaScript method. Researchers found inconsistent handling of sound-name string objects between a cache dictionary and a JavaScript object's private data, leaving a stale pointer after `toString()` changed the object's representation. STAR Labs reported that a crafted PDF could potentially turn the bug into code execution inside Adobe's sandbox with careful memory manipulation, and Adobe fixed the issue in bulletin `APSB19-55`.
