### Vulnerability Overview

**Vulnerability ID**: #802590

**Vulnerability Name**: Artifex MuPDF 1.28 Out-of-Bounds Read

**Vulnerability Type**: Heap-buffer-overflow (out-of-bounds read)

**Description**: In the `CFF` font subsetting code of `MuPDF` (`subset-cff.c`), `index_load()` checks that the last offset of a CFF INDEX, `v_last`, does not exceed `len`, the total size of the CFF buffer. That offset is relative to the INDEX's `data_offset`, whereas `index_get()` returns the absolute position `data_offset + v`. A crafted INDEX with `v_last == len` therefore passes the check, `index_get(count)` evaluates to `data_offset + len`, and `do_subset()` copies element data up to that position, reading `data_offset` bytes past the end of the heap buffer that holds the CFF data.

### Affected Scope

- **Affected Versions**: Artifex MuPDF 1.28 and earlier versions
- **Affected Component**: `CFF` font processing module (`subset-cff.c`, reached via `fz_subset_cff_for_gids()`)

### Remediation

- **Remediation Status**: Accepted
- **Fixed Version**: Specific fixed version not yet provided
- **Remediation Recommendation**: Validate the absolute end of the INDEX in `index_load()`: reject the font when `data_offset + v_last` exceeds `len` (equivalently, when `v_last` exceeds `len - data_offset`). Comparing the relative offset `v_last` against `len` alone is not sufficient, since it accepts `v_last == len` while the data actually extends `data_offset` bytes further.

### POC Code

```plaintext
Heap out-of-bounds read in fz_subset_cff_for_gids via off-by-one in index_load validation

index_load() in subset-cff.c validates that the last CFF INDEX offset does not exceed the total CFF buffer length, but do_subset() reads memory using absolute positions computed by index_get(), which adds the INDEX's data_offset. Since data_offset > 0 for any INDEX that does not begin at byte 0 of the CFF, a crafted CFF with v_last = len passes the validation check while index_get(count) = data_offset + len > len, causing do_subset() to read memory past the end of the allocated CFF buffer.

Version: 1.28.0
Commit: 8dd9cc0108c38c409f301361f83f11539c68ef

Root cause (subset-cff.c):

  // index_load(), line 315 -- the check uses the last relative offset, v_last = v
  if (v > len)
      fz_throw(ctx, FZ_ERROR_FORMAT, "Truncated index");

  // index_load(), line 297 -- data_offset absorbs the INDEX base position
  index_offset = data_offset + offset;  // offset > 0 always

  // index_get(), line 337 -- absolute position adds data_offset back
  return index->data_offset + v;        // data_offset + len > len

  // do_subset(), line 800 -- reads using the OOB absolute position
  memcpy(strings + fill, &cfs->base[offset], end - offset);

The check at line 315 compares the raw relative offset v against len (the total CFF size), but index_get() returns data_offset + v (an absolute file position). With data_offset = 38 and v_last = len = 1040, index_get(count) = 1078, so do_subset() reads 1039 bytes starting at position 39 of a 1041-byte allocation, reading 37 bytes past the end of the heap buffer.

Run:

  ASAN_OPTIONS=abort_on_error=0 .../mutool clean -S poc_subset-cff_indexload_oob_read.pdf /tmp/poc_out.pdf

Sanitizer output (same command with stderr merged via 2>&1):

  library error: FT_New_Memory_Face[TestCID]: unknown file format
  warning: ignored error when loading embedded font; attempting to load system font
  warning: non-embedded font using identity encoding: TestCID (mapping via TrueType-UCS2)
      #2 0xcbcb71154820 (/home/user/Desktop/mupdf/mupdf/build/release/mutool+0x1694820) (BuildID: 530630f07b7959d003384841eb6ab346678434c6)
```
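As an added illustration of the check discussed in the report above, the following C program is example code written for this page, not MuPDF's `subset-cff.c`. It loads a CFF INDEX from a constructed 64-byte blob with both forms of the end-of-INDEX check side by side: the weak form that compares the last relative offset against `len`, and the corrected form that compares the absolute end `data_offset + v_last` against `len`. The structure, the function names (`index_load`, `index_get`), the `absolute_check` switch and the blob layout are this example's own assumptions, modelled on the report's description rather than taken from MuPDF's source; the example also generalizes beyond the report's single case by covering an in-bounds, an exactly-`len`, and an over-`len` last offset.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example code for this page, not MuPDF's subset-cff.c: a minimal CFF INDEX
 * loader carrying the weak and the corrected end-of-INDEX check side by side. */
typedef struct {
    uint32_t count;        /* number of elements in the INDEX */
    uint8_t  offsize;      /* bytes per offset entry, 1..4 */
    uint32_t offset_array; /* absolute position of offset[0] */
    uint32_t data_offset;  /* absolute position of the byte preceding the element data;
                              offsets are 1-based, so element i spans
                              [data_offset + off[i], data_offset + off[i+1]) */
} cff_index;

/* Big-endian unsigned read of n (1..4) bytes. */
static uint32_t read_be(const uint8_t *p, unsigned n)
{
    uint32_t v = 0;
    while (n--)
        v = (v << 8) | *p++;
    return v;
}

/* Raw offset entry i (relative to data_offset) of a loaded INDEX. */
static uint32_t index_offset(const cff_index *idx, const uint8_t *base, uint32_t i)
{
    return read_be(base + idx->offset_array + i * idx->offsize, idx->offsize);
}

/* Absolute position where element i starts; index_get(count) is the INDEX end. */
static uint32_t index_get(const cff_index *idx, const uint8_t *base, uint32_t i)
{
    return idx->data_offset + index_offset(idx, base, i);
}

/* Parse the INDEX at `offset` inside a `len`-byte CFF blob.
 *   absolute_check == 0: weak check, last relative offset vs len (the bug pattern)
 *   absolute_check == 1: corrected check, data_offset + last offset vs len
 * Returns 0 on success, -1 on malformed input. All reads stay inside base[0..len). */
static int index_load(const uint8_t *base, uint32_t len, uint32_t offset,
                      int absolute_check, cff_index *idx)
{
    uint32_t i, last = 0;
    uint64_t array_bytes;

    memset(idx, 0, sizeof *idx);
    if (offset > len || len - offset < 2)
        return -1;
    idx->count = read_be(base + offset, 2);
    if (idx->count == 0) {                 /* an empty INDEX is just the count field */
        idx->data_offset = offset + 2;
        return 0;
    }
    if (len - offset < 3)
        return -1;
    idx->offsize = base[offset + 2];
    if (idx->offsize < 1 || idx->offsize > 4)
        return -1;
    idx->offset_array = offset + 3;
    array_bytes = (uint64_t)(idx->count + 1) * idx->offsize;
    if (array_bytes > len - idx->offset_array)   /* offset array itself truncated */
        return -1;
    idx->data_offset = idx->offset_array + (uint32_t)array_bytes - 1;

    for (i = 0; i <= idx->count; i++) {
        uint32_t v = index_offset(idx, base, i);
        if ((i == 0 && v != 1) || v < last)     /* 1-based and non-decreasing */
            return -1;
        last = v;
    }
    if (absolute_check)
        return ((uint64_t)idx->data_offset + last > len) ? -1 : 0; /* absolute end vs buffer */
    return (last > len) ? -1 : 0;  /* relative end vs buffer: still accepts last == len */
}

/* Constructed test blob (assumption for this example): 4-byte CFF header, then a
 * one-element INDEX at offset 4 (count 1, offsize 1, offset[0] = 1,
 * offset[1] = last), rest zero. Its data_offset is 8, so the element ends at 8 + last. */
#define BLOB_LEN 64u
static void build_blob(uint8_t *buf, uint8_t last)
{
    memset(buf, 0, BLOB_LEN);
    buf[0] = 1; buf[1] = 0; buf[2] = 4; buf[3] = 1;   /* major, minor, hdrSize, offSize */
    buf[4] = 0; buf[5] = 1;                           /* count = 1 */
    buf[6] = 1;                                       /* offsize = 1 */
    buf[7] = 1;                                       /* offset[0] = 1 */
    buf[8] = last;                                    /* offset[1] = last */
}

/* Weak check: -1 if rejected, else how many bytes past the blob index_get(count)
 * points (0 when the element fits). */
static int weak_overrun(uint8_t last)
{
    uint8_t buf[BLOB_LEN];
    cff_index idx;
    uint32_t end;

    build_blob(buf, last);
    if (index_load(buf, BLOB_LEN, 4, 0, &idx) != 0)
        return -1;
    end = index_get(&idx, buf, idx.count);
    return end > BLOB_LEN ? (int)(end - BLOB_LEN) : 0;
}

/* Corrected check: 1 if the blob is accepted, 0 if rejected. */
static int strict_accepts(uint8_t last)
{
    uint8_t buf[BLOB_LEN];
    cff_index idx;

    build_blob(buf, last);
    return index_load(buf, BLOB_LEN, 4, 1, &idx) == 0;
}

int main(void)
{
    static const uint8_t cases[] = { 56, 64, 65 };
    unsigned i;
    for (i = 0; i < sizeof cases; i++)
        printf("last offset %3u: weak check overrun = %2d bytes, strict check accepts = %d\n",
               (unsigned)cases[i], weak_overrun(cases[i]), strict_accepts(cases[i]));
    return 0;
}
```

Build with `cc -Wall -o cff_index cff_index.c && ./cff_index`. A last offset of 56 fits the 64-byte blob and passes both checks; a last offset equal to `len` (64) passes the weak check yet leaves `index_get(count)` eight bytes past the buffer, which is exactly the `data_offset` of this INDEX, while the corrected check rejects it; 65 is rejected by both. In the report's numbers the same gap is `data_offset = 38`, minus the byte the allocation is longer than `len`, giving the 37-byte overread.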