Submission #809300: Investintech SlimPDFReader 2.0.14 Stack overflow (Infinite Recursion) Info

Title: Investintech SlimPDFReader 2.0.14 Stack overflow (Infinite Recursion)
Description

# Vulnerability 1: Stack overflow (Infinite Recursion) in SlimPDFReader 2.0.14

Date: 2026-04-08

Time tracking

- 2026-04-10: Sent the report to `https://apryse.com/form/report-vulnerability`
- 2026-04-21: Vendor responded with a note that the product is discontinued

## Product Information

- Product: `SlimPDFReader.exe`
- Version: `2.0.14`

## Summary

SlimPDFReader contains a stack overflow vulnerability caused by recursive re-entry in `sub_3B4610`. The function is invoked repeatedly until the stack is exhausted, and the process crashes with exception 0xc00000fd when `sub_3BFD80` attempts to reserve additional stack space during function entry. This vulnerability can be used to cause a denial of service.

## Vulnerability Analysis

SlimPDFReader contains a stack exhaustion vulnerability caused by uncontrolled recursive re-entry inside the `sub_3B4610` function. The stack trace showed repeated returns to `add esp, 8` (SlimPDFReader!Investintech::PCV::TeighaDo+0x1f4afa) in function `sub_3B4610`, which is consistent with recursive re-entry leading to stack exhaustion.

Disassembly:

```
mov     byte ptr [ebp-4], 0
call    003B4610
add     esp, 8
```

The immediate crash occurs during function entry for a helper at `sub_3BFD80` (`SlimPDFReader!Investintech::PCV::TeighaDo+0x200111`), whose prologue reserves additional stack space with `sub esp,104h`. That additional stack usage is enough to overflow the nearly exhausted thread stack and raise `0xc00000fd`.

Disassembly:

```
.text:003BFD9E    mov     [ebp+var_10], eax
.text:003BFDA1    push    ebx    # < crash happens here
.text:003BFDA2    push    esi
.text:003BFDA3    push    edi
.text:003BFDA4    push    eax
```

## POC

Open the attached PDF PoC with SlimPDFReader.exe

- POC download link: https://sharing.sit.fraunhofer.de/s/RYcqZbGqgZXxab2
- Link Password: Slimpdf12345$@

## Stack trace

```
0:012> kv
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0b973078 003b4668 5d14f223 00000000 101a1e20 SlimPDFReader!Investintech::PCV::TeighaDo+0x200111
01 0b9731dc 003b478a 00bf24e8 10061838 5d14f0b7 SlimPDFReader!Investintech::PCV::TeighaDo+0x1f49d8
02 0b973348 003b478a 00bf24e8 10061838 5d14f74b SlimPDFReader!Investintech::PCV::TeighaDo+0x1f4afa
03 0b9734b4 003b478a 00bf24e8 10061838 5d14f5df SlimPDFReader!Investintech::PCV::TeighaDo+0x1f4afa
04 0b973620 003b478a 00bf24e8 10061838 5d14f473 SlimPDFReader!Investintech::PCV::TeighaDo+0x1f4afa
05 0b97378c 003b478a 00bf24e8 10061838 5d14fb07 SlimPDFReader!Investintech::PCV::TeighaDo+0x1f4afa
06 0b9738f8 003b478a 00bf24e8 10061838 5d14f99b SlimPDFReader!Investintech::PCV::TeighaDo+0x1f4afa
```

## Windbg Analysis

```
> !analyze -v
*******************************************************************************
EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 003bfda1 (SlimPDFReader!Investintech::PCV::TeighaDo+0x00200111)
   ExceptionCode: c00000fd (Stack overflow)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 0b8c2fbc

FAULTING_THREAD:  1fe8
PROCESS_NAME:  SlimPDFReader.exe
RECURRING_STACK: From frames 0x1 to 0x1
ERROR_CODE: (NTSTATUS) 0xc00000fd
EXCEPTION_CODE_STR:  c00000fd
EXCEPTION_PARAMETER1:  00000001
EXCEPTION_PARAMETER2:  0b8c2fbc
```

## Security Impact

This vulnerability allows attackers to cause a denial of service.
User
 jonzab (UID 97521)
Submission: 2026-04-21 22:17 (1 month ago)
Moderation: 2026-05-16 12:24 (25 days later)
Status: Accepted
VulDB Entry: 364321 [Investintech SlimPDFReader up to 2.0.13 SlimPDFReader.exe sub_3B4610 memory corruption]
Points: 17
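
A triage helper for the stack trace in the report above, added here as an example and not part of the original submission: it parses the quoted `kv` frames, finds the repeating call site, and derives the per-call stack cost from the ChildEBP deltas. The function names and the 1 MiB thread stack size are assumptions of this example.

```python
import re
from itertools import groupby

# Frames copied from the `kv` output quoted in the report.
KV_OUTPUT = """\
00 0b973078 003b4668 5d14f223 00000000 101a1e20 SlimPDFReader!Investintech::PCV::TeighaDo+0x200111
01 0b9731dc 003b478a 00bf24e8 10061838 5d14f0b7 SlimPDFReader!Investintech::PCV::TeighaDo+0x1f49d8
02 0b973348 003b478a 00bf24e8 10061838 5d14f74b SlimPDFReader!Investintech::PCV::TeighaDo+0x1f4afa
03 0b9734b4 003b478a 00bf24e8 10061838 5d14f5df SlimPDFReader!Investintech::PCV::TeighaDo+0x1f4afa
04 0b973620 003b478a 00bf24e8 10061838 5d14f473 SlimPDFReader!Investintech::PCV::TeighaDo+0x1f4afa
05 0b97378c 003b478a 00bf24e8 10061838 5d14fb07 SlimPDFReader!Investintech::PCV::TeighaDo+0x1f4afa
06 0b9738f8 003b478a 00bf24e8 10061838 5d14f99b SlimPDFReader!Investintech::PCV::TeighaDo+0x1f4afa
"""

# 32-bit kv line: frame#, ChildEBP, RetAddr, three args, symbol+offset.
FRAME_RE = re.compile(
    r"^[0-9a-f]+\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+(?:[0-9a-f]{8}\s+){3}(\S+)$",
    re.IGNORECASE | re.MULTILINE)

def parse_frames(text):
    """Return (child_ebp, ret_addr, symbol) for every frame line found."""
    return [(int(ebp, 16), int(ret, 16), sym) for ebp, ret, sym in FRAME_RE.findall(text)]

def find_recursion(frames, min_run=3):
    """Longest run of consecutive frames at one call site, or None below min_run."""
    best, idx = None, 0
    for sym, group in groupby(frames, key=lambda f: f[2]):
        run = list(group)
        if len(run) >= min_run and (best is None or len(run) > best["depth_seen"]):
            # A constant EBP delta between neighbours is the stack cost of one call.
            sizes = {b[0] - a[0] for a, b in zip(run, run[1:])}
            best = {"site": sym, "first_frame": idx, "depth_seen": len(run),
                    "frame_size": sizes.pop() if len(sizes) == 1 else None}
        idx += len(run)
    return best

def frames_until_exhaustion(frame_size, stack_bytes=1 << 20):
    """Calls that fit in stack_bytes (assumed 1 MiB; the real reserve may differ)."""
    return stack_bytes // frame_size

if __name__ == "__main__":
    hit = find_recursion(parse_frames(KV_OUTPUT))
    print(hit, frames_until_exhaustion(hit["frame_size"]))
```
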
