When the x.pdf file (attached at the end of this post) is opened in Foxit Reader, a popup appears indicating that the PDF file is corrupted.


Clicking the OK button leads to the following crash, shown in IDA:

The root cause is that, after the button is clicked, a structure allocated on the heap is freed, but the pointer to it is not cleared and is reused later, which leads to the crash (a use-after-free).

If an attacker can reallocate the freed heap memory before it is reused, they can execute arbitrary code in the context of Foxit Reader. (Currently, I have managed to double-free the heap address, so you can try :) This is just a 1-day bug, so I'm not digging further.)
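The defect pattern above, a dialog callback freeing a structure that the caller still holds a raw pointer to, and the ownership discipline that prevents it, as an added example that is not part of the original post and does not model Foxit's real data structures: the `pdf_doc` type, the `live_docs` counter and the callback names are all constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a viewer document object (constructed for this
 * example, not Foxit's real structure). It is reference-counted so that
 * the "file is corrupted" dialog and the loader can each hold it without
 * one freeing it underneath the other. */
struct pdf_doc {
    int  refcount;
    int  page_count;
    char title[32];
};

static int live_docs = 0;   /* observable stand-in for heap state */

static struct pdf_doc *doc_new(const char *title, int pages) {
    struct pdf_doc *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->refcount = 1;
    d->page_count = pages;
    strncpy(d->title, title, sizeof d->title - 1);
    live_docs++;
    return d;
}

static struct pdf_doc *doc_retain(struct pdf_doc *d) { d->refcount++; return d; }

/* Drops one reference; frees on zero and nulls the owner's slot so a stale
 * pointer cannot be reused later (the bug in the post is a freed pointer
 * that is neither nulled nor reference-checked). */
static void doc_release(struct pdf_doc **slot) {
    struct pdf_doc *d = *slot;
    if (!d) return;
    if (--d->refcount == 0) { free(d); live_docs--; }
    *slot = NULL;
}

/* Dialog's OK handler: releases only the reference the dialog itself held. */
static void on_corrupt_ok(struct pdf_doc **dialog_ref) { doc_release(dialog_ref); }

/* Loader's post-dialog path: uses its own reference, then releases it. */
static int loader_after_dialog(struct pdf_doc **loader_ref) {
    int pages = *loader_ref ? (*loader_ref)->page_count : -1;
    doc_release(loader_ref);
    return pages;
}

/* Simulates: open a corrupted file, show the dialog, click OK, continue. */
static int open_corrupted(void) {
    struct pdf_doc *loader_ref = doc_new("x.pdf", 3);   /* constructed input */
    struct pdf_doc *dialog_ref = doc_retain(loader_ref);
    on_corrupt_ok(&dialog_ref);              /* dialog done; document still alive */
    return loader_after_dialog(&loader_ref); /* safe use, then the final free */
}
```

Under AddressSanitizer the vulnerable shape (a single owner whose pointer is freed inside the callback and dereferenced afterwards) reports a heap-use-after-free at the post-dialog read, which is the same class of finding the IDA crash above reflects.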