SSD Advisory – Iceni Infix Multiple Crashes

Crashes Summary
An independent security researcher has reported 36 different crashes in Iceni Infix. We have decided to publish one sample of the 36 crashes; to obtain the remaining 35, please contact us by email at ssd [at] beyondsecurity (dot) com.
“Infix PDF Editor and Infix PDF Editor Pro is popular PDF editing software that can be used to edit PDF text. The program is very simple to use when you want to edit the text size, font, font color and more. You can also use Infix PDF Editor to edit whole paragraphs of the PDF document or even completely reformat the text.
Infix works like a normal word processor, so it’s really easy to use. It’s easy and quick – change text, fonts, images and more. No interface gimmicks, no ribbons!”
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Iceni has released patches to address these crashes: “We have resolved these issues in Infix version 7.1.4 which is the current release.”

Crash example – infix.exe+0x29C59F: access violation while writing to reserved but unallocated memory
Binary information

    Loaded symbol image file: d:\Iceni\Infix7\Infix.exe
    Image path: Infix.exe
    Image name: Infix.exe
    Timestamp:        Fri Aug 05 12:52:59 2016 (57A4700B)
    CheckSum:         00D1F697
    ImageSize:        00D33000
    File version:     7.0.3.0
    Product version:  7.0.3.0
    File flags:       20 (Mask 3F) Special
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Iceni Technology Limited
    ProductName:      Infix
    ProductVersion:   7.0.3.0
    FileVersion:      7.0.3.0
    FileDescription:  Infix
    LegalCopyright:   Copyright  2016 Iceni Technology Ltd.

Stack

Infix.exe + 0x29C59F (id: 271)
Infix.exe + 0x29C3E1 (id: 2e7)
Infix.exe + 0x29AEB8
Infix.exe + 0x29B158
Infix.exe + 0x29A7D8
Infix.exe + 0x240F85
Infix.exe + 0x2408F5
Infix.exe + 0x2350FA
Infix.exe + 0x235175
Infix.exe + 0x236029
Infix.exe + 0x1A3272
Infix.exe + 0x1A6EB8
Infix.exe + 0x15D3BE
Infix.exe + 0x15D332
Infix.exe + 0x1B4F1F
Infix.exe + 0x16EF52
Infix.exe + 0x15D003
Infix.exe + 0x15D2BB
Infix.exe + 0x7441D
Infix.exe + 0x7411A

Registers

eax=003ad870 ebx=06ea0df8 ecx=e6777a7f edx=00000000 esi=fffdfeff edi=00000050
eip=0066c59f esp=003ad860 ebp=003ad8b0 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
fpcw=027F: rn 53 puozdi  fpsw=0120: top=0 cc=0001 --p-----  fptw=FFFF
fopcode=0000  fpip=0000:007e92b2  fpdp=0000:003ad550
st0=-1.#SNAN0000000000000000e+0000  st1= 1.572516000000000024880e+0000
st2= 1.030792152334980468750e+0011  st3= 6.553500000000000000000e+0004
st4= 1.030792151040000000000e+0011  st5= 5.400000000000000000000e+0001
st6= 3.100000000000000000000e+0002  st7= 1.230800000000000000000e+0004
mm0=000000ff00ff00ff  mm1=c948344c37e6f800
mm2=c00000040bfc0000  mm3=ffff000000000000
mm4=c000000000000000  mm5=d800000000000000
mm6=9b00000000000000  mm7=c050000000000000
xmm0=0 0 0 0
xmm1=-4.693e+034 -1.15741e+033 1.17955e-021 -5.29663e-029
xmm2=6.47301e-032 1.1341e-026 -1.48241e-015 -8.51349e-039
xmm3=4.49737e+012 8.63753e-021 2.71777e-018 4.53886e-029
xmm4=-5.05954e-033 -5.83838e-030 -5.33211e+011 1.87831e+018
xmm5=-6.38821e-023 -1.2114e-026 -2.21391e+034 -2.6204e+022
xmm6=-1.52191e-027 -1.45382e-020 -2.05735e-029 -7.57234e+037
xmm7=-8.75221e-020 -2.46577e+011 3.37054e-018 4.36897e+015
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
Infix+0x29c59f:
0066c59f c64435c000      mov     byte ptr [ebp+esi-40h],0   ss:002b:0038d76f=??

Disassembly of stack frame 1 at Infix.exe + 0x29C59F

// Frame 1 (Infix.exe+0x29C59F). The function entry is outside this listing; the excerpt
// starts mid-body, so the setup of ebx/edi/esi before 0066c546 is not visible.
// Register roles as visible here (Registers block at the fault: ebp=003ad8b0, esp=003ad860,
// esi=fffdfeff, edx=00000000):
//   ebx, edi  - [ebx+edi*4] is a dword adjusted by -187h here and by +187h at 0066c5c1
//   esi       - a pointer at 0066c54d, then a signed byte count = table[i+1] - table[i]
//   [ebp-40h] - local byte buffer written by the copy loop and by the terminator store
//   [ebp-44h] - copy counter (bytes copied so far); [ebp-48h] - source pointer
//   [ebp-4]   - looks like an MSVC /GS stack cookie, checked at 0066c5be..0066c5d1 - verify
0066c546 8104bb79feffff  add     dword ptr [ebx+edi*4],0FFFFFE79h   // [ebx+edi*4] -= 187h (0FFFFFE79h == -187h); undone at 0066c5c1
0066c54d 8b0e            mov     ecx,dword ptr [esi]                // ecx = *esi: table base (esi is still a pointer here)
0066c54f 8b04bb          mov     eax,dword ptr [ebx+edi*4]          // eax = i, the index into the table
0066c552 8b748104        mov     esi,dword ptr [ecx+eax*4+4]        // esi = table[i+1]
0066c556 8d0481          lea     eax,[ecx+eax*4]                    // eax = &table[i]
0066c559 8b08            mov     ecx,dword ptr [eax]                // ecx = table[i]
0066c55b 2bf1            sub     esi,ecx                            // esi = table[i+1] - table[i]: byte count, treated as signed below
0066c55d 8955bc          mov     dword ptr [ebp-44h],edx            // counter = edx (edx == 0 at the fault, and is unchanged on the taken path)
0066c560 3bf2            cmp     esi,edx                            // signed compare: count vs counter start
0066c562 7e38            jle     Infix+0x29c59c (0066c59c)          // count <= 0: skip the copy loop, but esi keeps its (possibly negative) value
0066c564 8b55b4          mov     edx,dword ptr [ebp-4Ch]            // edx = [ebp-4Ch]
0066c567 8b4204          mov     eax,dword ptr [edx+4]              // eax = [edx+4]: source base
0066c56a 8d4c08ff        lea     ecx,[eax+ecx-1]                    // ecx = base + table[i] - 1: source pointer
0066c56e 894db8          mov     dword ptr [ebp-48h],ecx            // src = ecx
0066c571 8b55b8          mov     edx,dword ptr [ebp-48h]            // loop: edx = src
0066c574 8a02            mov     al,byte ptr [edx]                  // al = *src
0066c576 e805a0f7ff      call    Infix+0x216580 (005e6580)          // eax = Infix+0x216580(al); presumably a per-byte predicate, body not visible here
0066c57b 85c0            test    eax,eax
0066c57d 741a            je      Infix+0x29c599 (0066c599)          // zero result ends the copy early
0066c57f 8b4db8          mov     ecx,dword ptr [ebp-48h]            // ecx = src
0066c582 8b45bc          mov     eax,dword ptr [ebp-44h]            // eax = counter
0066c585 8a11            mov     dl,byte ptr [ecx]                  // dl = *src
0066c587 885405c0        mov     byte ptr [ebp+eax-40h],dl          // buf[counter] = dl; the only bound is esi, no compare against the size of buf is visible in this frame
0066c58b 40              inc     eax                                // counter++
0066c58c 41              inc     ecx                                // src++
0066c58d 8945bc          mov     dword ptr [ebp-44h],eax
0066c590 894db8          mov     dword ptr [ebp-48h],ecx
0066c593 3bc6            cmp     eax,esi
0066c595 7cda            jl      Infix+0x29c571 (0066c571)          // while (counter < count), signed
0066c597 eb03            jmp     Infix+0x29c59c (0066c59c)          // full copy done: esi == count
0066c599 8b75bc          mov     esi,dword ptr [ebp-44h]            // early exit: esi = bytes copied so far
0066c59c 8d45c0          lea     eax,[ebp-40h]                      // eax = &buf
Infix+0x29c59f:
0066c59f c64435c000      mov     byte ptr [ebp+esi-40h],0 // current instruction: buf[esi] = 0 (terminator). With esi = fffdfeff (Registers) the target is ebp+esi-40h = 0038d76f, about 20000h bytes below esp (003ad860); the debugger shows it as unreadable (??), matching the advisory's "reserved but unallocated" description. The jle at 0066c562 only skips the loop; a negative count still reaches this store.
0066c5a4 e8f7c1f1ff      call    Infix+0x1b87a0 (005887a0)          // eax = Infix+0x1b87a0(); arguments not visible here
0066c5a9 8945bc          mov     dword ptr [ebp-44h],eax            // keep the return value across the next call
0066c5ac 8b45b4          mov     eax,dword ptr [ebp-4Ch]
0066c5af 8b4810          mov     ecx,dword ptr [eax+10h]
0066c5b2 8b14b9          mov     edx,dword ptr [ecx+edi*4]          // edx = [ebp-4Ch]->[10h][edi]
0066c5b5 52              push    edx
0066c5b6 8d75c0          lea     esi,[ebp-40h]                      // esi = &buf, set right before the call; frame 2 sets esi before the same callee at 0066c3a7 - presumably an implicit register argument
0066c5b9 e8b2d1eaff      call    Infix+0x149770 (00519770)
0066c5be 8b4dfc          mov     ecx,dword ptr [ebp-4]              // ecx = [ebp-4]
0066c5c1 8104bb87010000  add     dword ptr [ebx+edi*4],187h         // restore the -187h adjustment made at 0066c546
0066c5c8 8b45bc          mov     eax,dword ptr [ebp-44h]            // eax = saved return value of Infix+0x1b87a0
0066c5cb 83c404          add     esp,4                              // discard the pushed argument
0066c5ce 33cd            xor     ecx,ebp                            // ecx ^= ebp
0066c5d0 5e              pop     esi                                // restore caller's esi
0066c5d1 e8f84c1700      call    Infix+0x4112ce (007e12ce)          // mov [ebp-4] / xor ebp / call matches the MSVC /GS __security_check_cookie epilogue - verify. The cookie sits 3Ch bytes above buf; the copy loop above is bounded by esi, not by that distance, so this check only runs if control reaches the epilogue.

Disassembly of stack frame 2 at Infix.exe + 0x29C3E1

// Frame 2 (Infix.exe+0x29C3E1): the caller of frame 1. The enclosing function begins before
// 0066c37d and continues past 0066c40a, so this is a mid-body excerpt; [ebp-24h], [ebp-28h],
// [ebp-34h], [ebp-3Ch] and [ebp-40h] are locals initialised outside what is shown.
0066c37d 7e36            jle     Infix+0x29c3b5 (0066c3b5)          // exit of the first loop (its compare is before this excerpt)
0066c37f 90              nop
0066c380 680842ca00      push    offset Infix+0x8d4208 (00ca4208)   // loop body: one pushed argument
0066c385 b83c000000      mov     eax,3Ch                            // eax = 3Ch, set right before the call
0066c38a e8115bebff      call    Infix+0x151ea0 (00521ea0)          // eax = Infix+0x151ea0(...)
0066c38f 8b4dcc          mov     ecx,dword ptr [ebp-34h]
0066c392 8b5110          mov     edx,dword ptr [ecx+10h]
0066c395 8904ba          mov     dword ptr [edx+edi*4],eax          // [ebp-34h]->[10h][edi] = eax
0066c398 8b4110          mov     eax,dword ptr [ecx+10h]
0066c39b 8b0cb8          mov     ecx,dword ptr [eax+edi*4]          // ecx = the value just stored
0066c39e 83c404          add     esp,4                              // discard the pushed argument
0066c3a1 51              push    ecx
0066c3a2 bed8fac700      mov     esi,offset Infix+0x8afad8 (00c7fad8)   // esi = address of a global, set right before the call (frame 1 calls the same routine with esi = &local buffer at 0066c5b9)
0066c3a7 e8c4d3eaff      call    Infix+0x149770 (00519770)
0066c3ac 47              inc     edi                                // edi++
0066c3ad 83c404          add     esp,4
0066c3b0 3b7ddc          cmp     edi,dword ptr [ebp-24h]
0066c3b3 7ccb            jl      Infix+0x29c380 (0066c380)          // while (edi < [ebp-24h]), signed
0066c3b5 8b45c8          mov     eax,dword ptr [ebp-38h]
0066c3b8 8b4dc0          mov     ecx,dword ptr [ebp-40h]
0066c3bb 8d55d0          lea     edx,[ebp-30h]                      // edx = &local object at [ebp-30h]
0066c3be 52              push    edx
0066c3bf 50              push    eax
0066c3c0 51              push    ecx
0066c3c1 e8aa88f1ff      call    Infix+0x1b4c70 (00584c70)          // Infix+0x1b4c70([ebp-40h], [ebp-38h], &[ebp-30h])
0066c3c6 be01000000      mov     esi,1                              // esi = 1: second loop index
0066c3cb 83c40c          add     esp,0Ch                            // discard the three arguments
0066c3ce 3975d8          cmp     dword ptr [ebp-28h],esi
0066c3d1 0f8ee3000000    jle     Infix+0x29c4ba (0066c4ba)          // if ([ebp-28h] <= 1) skip the loop, signed
0066c3d7 8b4dcc          mov     ecx,dword ptr [ebp-34h]            // loop: ecx = [ebp-34h], live into the callee
0066c3da 8bfe            mov     edi,esi                            // edi = esi, live into the callee (frame 1 indexes [ebx+edi*4] with it)
0066c3dc e8ff000000      call    Infix+0x29c4e0 (0066c4e0) // call   - presumably the function whose body frame 1 shows (its crash site 0x29c59f lies after 0x29c4e0)
Infix+0x29c3e1:
0066c3e1 8b55c4          mov     edx,dword ptr [ebp-3Ch] // return address
0066c3e4 8b0cb2          mov     ecx,dword ptr [edx+esi*4]          // ecx = [ebp-3Ch][esi]
0066c3e7 8d55d0          lea     edx,[ebp-30h]
0066c3ea 52              push    edx                                // &[ebp-30h]
0066c3eb 50              push    eax                                // return value of Infix+0x29c4e0
0066c3ec 8b45c0          mov     eax,dword ptr [ebp-40h]
0066c3ef 50              push    eax                                // [ebp-40h]
0066c3f0 894dd4          mov     dword ptr [ebp-2Ch],ecx            // [ebp-2Ch] = ecx
0066c3f3 c645d003        mov     byte ptr [ebp-30h],3               // first byte of the [ebp-30h] object = 3 (meaning not visible here)
0066c3f7 e87488f1ff      call    Infix+0x1b4c70 (00584c70)          // same callee as at 0066c3c1
0066c3fc 46              inc     esi                                // esi++
0066c3fd 83c40c          add     esp,0Ch
0066c400 3b75d8          cmp     esi,dword ptr [ebp-28h]
0066c403 7cd2            jl      Infix+0x29c3d7 (0066c3d7)          // while (esi < [ebp-28h]), signed
0066c405 e9b0000000      jmp     Infix+0x29c4ba (0066c4ba)          // join the skip path
0066c40a b8802fbf00      mov     eax,offset Infix+0x822f80 (00bf2f80)   // start of a different path reached only by a jump; not part of the flow above