Full title: Adobe Reader 10.1.4 JP2KLib&CoolType WriteAV Vulnerability 
Category: dos / poc
Platform: windows
The parsing routine is really complicated :D
Write AV by some kind of not properly initialized array
But the parameters of memmove, the counter
And destiny pointer seems controllable with data from flatedecoded data.
The wierd thing is the stream encoded with flatedecode can't decode properly
via zlib.decompress, but Adobe seems decode it correctly,
The esi points to a 0x10 length buffer, which contains word or dword calculated
from decoded data, after some integrity checks, it'll reach the memove.

# 0day.today @ http://0day.today/