Submit #839637: Investintech SlimPDFReader 2.0.14 Out-of-bounds read

Title: Investintech SlimPDFReader 2.0.14 Out-of-bounds read
Description:

# Vulnerability 2: Out-of-bounds read in SlimPDFReader 2.0.14

CVE: TBA
Date: 2026-04-09

## Product Information

- Product: `SlimPDFReader.exe`
- Version: `2.0.14`

Timeline

- 2026-04-10: Sent the report to `https://apryse.com/form/report-vulnerability`
- 2026-04-21: Vendor responded with a note that the product is discontinued

## Summary

SlimPDFReader contains an out-of-bounds read in a string-handling routine. The crash occurs when the code calls `strlen` on a caller-supplied pointer and continues scanning past the accessible buffer while searching for a NUL terminator, eventually raising an access violation on an unmapped page. Attackers could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

## Vulnerability Analysis

The WinDbg stack shows the caller passing `a2=622bd000` into `sub_A3CA60`, and the faulting read happens at the next page boundary `622bd000`. This shows that the code reads past the accessible region while searching for the terminator.

WinDbg stopped on a first-chance access violation:

- Exception code: `0xc0000005`
- Faulting instruction: `mov al, byte ptr [edx]`
- Bad address: `622bd000`
- Access type: read

The decompiled crash function in IDA Pro is:

```c
void *__thiscall sub_A3CA60(unsigned int *this, const char *a2)
{
  v2 = a2;
  v4 = strlen(a2);
  ...
  do
  {
    v9 = *v2++;
    v2[v8 - 1] = v9;
  }
  while ( v9 );
}
```

This shows that the crash happens at the initial `strlen(a2)` call before the copy loop starts.

The caller chain visible in the stack and IDA is:

- `sub_A4F5A0` calls `sub_A3CAF0` at `0x00a4f6e1`
- `sub_A3CAF0` calls `sub_A3CA60` at `0x00a3cbdc`

`sub_A3CAF0` at `00A3CBDC` forwards the string pointer directly to `sub_A3CA60`:

```c
sub_A3CA60(*(unsigned int **)(*(_DWORD *)this + 4 * *(_DWORD *)(this + 8)), a2);
```

At the crash, the value of `a2` passed to the `sub_A3CA60` function was `622bd000`. `strlen` read from outside the boundary and then crashed at the next page boundary.

The root cause is that the input is treated as a trusted C string without validating that it is properly terminated within readable bounds.

## POC

Open the attached PDF file with `SlimPDFReader.exe`.

- POC download link: https://sharing.sit.fraunhofer.de/s/Z3XricFqBK32M5T (please do not add this in the public CVE report)
- Link Password: Slimpdf12345$@

## Stack Trace

```
0:018> kv 10
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 7232e930 00a3cbe1 622bce10 7c72fa10 72e24de0 SlimPDFReader!Investintech::PCV::TeighaDo+0x25cde0
01 7232e948 00a4f6e6 622bce10 00000001 7dbd709a SlimPDFReader!Investintech::PCV::TeighaDo+0x25cf51
02 7232e97c 00a57fba 012124f0 67636fd8 757eb608 SlimPDFReader!Investintech::PCV::TeighaDo+0x26fa56
03 7232ebdc 00a407f5 7232ef74 6493ae90 012124f0 SlimPDFReader!Investintech::PCV::TeighaDo+0x27832a
04 7232eddc 00910250 6493ae90 18276ff0 00000000 SlimPDFReader!Investintech::PCV::TeighaDo+0x260b65
05 7232ee50 00d4846c 7f55d028 00000190 0000010b SlimPDFReader!Investintech::PCV::TeighaDo+0x1305c0
06 7232efa4 00d47a84 757b9388 7582a480 757b9648 SlimPDFReader!FT_Library_SetLcdFilterWeights+0x12ab1c
07 7232f158 00cbd227 757b9388 7582a480 757b9648 SlimPDFReader!FT_Library_SetLcdFilterWeights+0x12a134
08 7232f340 77def27e 77d573c0 77d5711c 77d560be SlimPDFReader!FT_Library_SetLcdFilterWeights+0x9f8d7
```

## WinDbg Analysis

```
0:018> r
eax=000000c0 ebx=72e24948 ecx=622bce11 edx=622bd000 esi=622bce10 edi=05c6ab90
eip=00a3ca70 esp=7232e928 ebp=7232e930 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
SlimPDFReader!Investintech::PCV::TeighaDo+0x25cde0:
00a3ca70 8a02 mov al,byte ptr [edx] ds:002b:622bd000=??

0:018> !analyze -v
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00a3ca70 (SlimPDFReader!Investintech::PCV::TeighaDo+0x0025cde0)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 622bd000
Attempt to read from address 622bd000
FAULTING_THREAD: 2d50
PROCESS_NAME: SlimPDFReader.exe
READ_ADDRESS: 622bd000
ERROR_CODE: (NTSTATUS) 0xc0000005
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 622bd000
```

## Impact

Attackers could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
User: jonzab (UID 97521)
Submission: 27/05/2026 06:06 PM (1 month ago)
Moderation: 28/06/2026 09:44 AM (1 month later)
Status: Accepted
VulDB entry: 374530 [Investintech SlimPDFReader up to 2.0.14 PDF File SlimPDFReader.exe TeighaDo+0x25cde0 information disclosure]
Points: 17
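The root cause named in the report (a string trusted to be NUL-terminated within readable bounds) has a standard defensive counterpart, shown here as an added example that is not code from the report or from SlimPDFReader. The helper names `checked_len` and `dup_checked` are hypothetical, and the sketch assumes the caller knows the size of the region that holds the string.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from SlimPDFReader): length of the string in
 * buf, looking at no more than cap bytes. Returns 0 and sets *len when a
 * NUL terminator lies inside the buffer, -1 when it does not. */
static int checked_len(const char *buf, size_t cap, size_t *len)
{
    const char *nul;
    if (buf == NULL || cap == 0)
        return -1;
    nul = memchr(buf, '\0', cap);   /* never reads past buf + cap */
    if (nul == NULL)
        return -1;                  /* unterminated: reject, do not scan on */
    *len = (size_t)(nul - buf);
    return 0;
}

/* Bounded replacement for the strlen-then-copy pattern in the decompile:
 * the caller must pass the size of the region that holds the string. */
char *dup_checked(const char *buf, size_t cap)
{
    size_t len;
    char *copy;
    if (checked_len(buf, cap, &len) != 0)
        return NULL;
    copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, buf, len + 1);     /* len + 1 <= cap, includes the NUL */
    return copy;
}

/* Constructed inputs: one terminated field, one that fills its buffer
 * with no terminator (the condition the report describes). */
int demo(void)
{
    const char ok[8] = { 'F', 'o', 'n', 't', '\0', 'x', 'x', 'x' };
    const char bad[4] = { 'A', 'A', 'A', 'A' };
    char *a = dup_checked(ok, sizeof ok);
    char *b = dup_checked(bad, sizeof bad);
    int result = (a != NULL && strcmp(a, "Font") == 0 && b == NULL);
    free(a);
    free(b);
    return result;
}

int main(void) { return demo() ? 0 : 1; }
```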
