We can easily reproduce this bug on versions 5.0.7 and 5.0.5 on Slackware Linux and the Phoenix and Mozilla browsers. You can choose a Netscape or NCSA compatible browser in the Adobe preferences, and the WWWLaunchNetscape and WWWLaunchNCSA functions. You should not have a problem with this bug. It is quite simple to reproduce.

Just create a .pdf file with a long link, execute Adobe, open this file, then attach to it using gdb, put a breakpoint on WWWLaunchNetscape and click on the link. There is a loop in this function that does something like this:

    while(*src != '\0') *dst++ = *src++;

As you can see, there is no bounds checking.

Best regards,
--
sec-labs team [http://sec-labs.hack.pl]
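The loop quoted in the post, rewritten with a bounds check and exercised against a buffer followed by guard bytes. This is an added example, not part of the original post and not Adobe's code; URL_BUF_SIZE (the post does not give the real buffer size), struct launch_buf, copy_link and try_link are hypothetical names, and the over-long link is constructed.

```c
#include <stddef.h>
#include <string.h>

#define URL_BUF_SIZE 64  /* assumed size; the post does not state the real one */

struct launch_buf {
    char url[URL_BUF_SIZE];
    unsigned char guard[8];  /* stands in for whatever follows the buffer */
};

/* Bounded form of: while (*src != '\0') *dst++ = *src++;
 * Returns bytes copied, or -1 (oversized link rejected, never truncated). */
int copy_link(char *dst, size_t dst_size, const char *src)
{
    size_t i;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    for (i = 0; src[i] != '\0'; i++) {
        if (i + 1 >= dst_size) {  /* keep one byte for the terminator */
            dst[0] = '\0';
            return -1;
        }
        dst[i] = src[i];
    }
    dst[i] = '\0';
    return (int)i;
}

/* Copies link into a guarded buffer; *guard_ok is 1 if the guard survived. */
int try_link(const char *link, int *guard_ok)
{
    struct launch_buf b;
    unsigned char want[sizeof b.guard];
    int rc;
    memset(want, 0xA5, sizeof want);
    memcpy(b.guard, want, sizeof want);
    rc = copy_link(b.url, sizeof b.url, link);
    *guard_ok = memcmp(b.guard, want, sizeof want) == 0;
    return rc;
}

int main(void)
{
    char link[2000];  /* constructed over-long link */
    int ok;
    memset(link, 'A', sizeof link - 1);
    link[sizeof link - 1] = '\0';
    return (try_link(link, &ok) == -1 && ok) ? 0 : 1;  /* 0 = rejected cleanly */
}
```

Rejecting the link instead of truncating it avoids handing the browser a URL that differs from the one in the document.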