Related vulnerability
Title:
MuPDF security vulnerability
(CVE-2025-55780)
Description: MuPDF is a free and open-source software library, written in C, from the MuPDF project. It is primarily used to render pages to bitmaps, but it also supports other operations such as searching and enumerating the table of contents and links. MuPDF 1.26.4 contains a security vulnerability caused by the break_word_for_overflow_wrap function not checking that node->next is valid, which can lead to a NULL pointer dereference.
Description
Null pointer dereference in MuPDF 1.26.4
Introduction
# CVE-2025-55780
Null pointer dereference in the MuPDF 1.26.4 EPUB rendering function
Affected versions: 1.26.7 and earlier
Found and tested on: 1.26.4
Fixed in commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=bdd5d241748807378a78a622388e0312332513c5
Bugzilla: https://bugs.ghostscript.com/show_bug.cgi?id=708720
Crash location:
```
(1a44.55c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
mupdf!break_word_for_overflow_wrap+0x243:
00007ff7`6dbf2a23 8b00 mov eax,dword ptr [rax] ds:00000000`00000000=????????
```
Fix (commit message):
Fix NULL dereference in HTML layout.

If we have a single flow node that is too large to fit in the available width, and we are using the "overflow-wrap:break-word" CSS style, then we attempt to break the flow node into smaller pieces so that it can wrap nicely.

We do this by walking the flow node text to break it into clusters; we want to break at cluster level rather than character level to avoid problems with shaping.

For right to left text, the clusters come in the opposite order to expected and the existing logic goes wrong. This can lead to the splitting code not actually splitting anything, which in turn can lead to node->next being NULL, and us attempting to dereference NULL.

The fix is to split differently for right 2 left text.

While investigating this, an additional problem was spotted, namely that the way we were calling harfbuzz meant that it didn't group clusters together as we expected. Accordingly, we extend the code here so that our 'string_walker' can call harfbuzz in 'grapheme' cluster mode rather than 'character' cluster mode.

Using that, we then update the code to walk the returned fragments of the string, breaking the code at the correct position for the required space, with care taken to cope correctly with both l2r and r2l text.
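The following is an added C illustration of the failure mode the commit message describes; it is not MuPDF's code and not part of the original page. It models a layout "flow node" chain and shaped glyphs in visual order (the `flow_node` and `glyph` types, the sample widths, and the function names are all constructed assumptions). The naive split-offset search assumes visual order equals logical order, so for RTL text it returns offset 0, nothing is split, and a caller that assumes a split happened dereferences a NULL `node->next`. The direction-aware search plus an explicit guard on `node->next` is the defensive shape; the guard matters on its own because a single cluster wider than the available width legitimately cannot be split either.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not MuPDF's code: a flow node is a run of `len`
 * characters in a singly linked layout chain; `next` is NULL at the end. */
typedef struct flow_node {
    int len;
    struct flow_node *next;
} flow_node;

/* A shaped glyph in visual order, tagged with the logical character offset
 * (cluster) it came from. For RTL text clusters decrease along the array. */
typedef struct {
    int cluster;
    int width;
} glyph;

/* Constructed samples: three clusters of width 5 each, LTR and RTL. */
static const glyph SAMPLE_LTR[3] = { {0, 5}, {1, 5}, {2, 5} };
static const glyph SAMPLE_RTL[3] = { {2, 5}, {1, 5}, {0, 5} };

/* Naive split-offset search: walks glyphs in visual order and reports the
 * cluster of the first glyph that overflows `avail`. For RTL text that glyph
 * is the logically first cluster, so the result is 0: "split nothing". */
int split_offset_naive(const glyph *g, int n, int avail)
{
    int used = 0;
    for (int i = 0; i < n; i++) {
        used += g[i].width;
        if (used > avail)
            return g[i].cluster;
    }
    return -1; /* everything fits, no split needed */
}

/* Direction-aware search: walk in logical order (backwards through the array
 * for RTL) so the result is the logical boundary after the last cluster that
 * fits, whichever way the text runs. */
int split_offset_fixed(const glyph *g, int n, int avail, int rtl)
{
    int used = 0;
    for (int k = 0; k < n; k++) {
        int i = rtl ? n - 1 - k : k;
        used += g[i].width;
        if (used > avail)
            return g[i].cluster;
    }
    return -1;
}

/* Split `node` so it keeps [0, at) and a new node holding [at, len) follows
 * it. Returns the new node, or NULL when there is nothing to split off. */
flow_node *split_node(flow_node *node, int at)
{
    if (at <= 0 || at >= node->len)
        return NULL;
    flow_node *rest = calloc(1, sizeof *rest);
    if (!rest)
        return NULL;
    rest->len = node->len - at;
    rest->next = node->next;
    node->len = at;
    node->next = rest;
    return rest;
}

/* Caller in the shape the commit message describes: split, then move on to
 * node->next assuming a split happened. On RTL input the naive offset is 0,
 * nothing is split, and node->next is NULL when it is dereferenced. */
int wrap_buggy(flow_node *node, const glyph *g, int n, int avail)
{
    split_node(node, split_offset_naive(g, n, avail));
    return node->next->len;
}

/* Hardened caller: direction-aware split plus an explicit NULL guard. */
int wrap_fixed(flow_node *node, const glyph *g, int n, int avail, int rtl)
{
    split_node(node, split_offset_fixed(g, n, avail, rtl));
    if (node->next == NULL)
        return -1; /* no split possible: report it instead of dereferencing */
    return node->next->len;
}

/* Run each caller on a fresh 3-character node; returns the continuation
 * length (or -1 from the hardened caller when nothing could be split). */
static int run_fixed(const glyph *g, int avail, int rtl)
{
    flow_node node = { 3, NULL };
    int r = wrap_fixed(&node, g, 3, avail, rtl);
    free(node.next);
    return r;
}

static int run_buggy(const glyph *g, int avail)
{
    flow_node node = { 3, NULL };
    int r = wrap_buggy(&node, g, 3, avail);
    free(node.next);
    return r;
}

int main(void)
{
    /* The buggy caller is only run on LTR input here; on SAMPLE_RTL it
     * would dereference NULL, which is exactly the crash in the report. */
    printf("naive offset, LTR: %d\n", split_offset_naive(SAMPLE_LTR, 3, 12));
    printf("naive offset, RTL: %d (0 = nothing split)\n", split_offset_naive(SAMPLE_RTL, 3, 12));
    printf("fixed offset, RTL: %d\n", split_offset_fixed(SAMPLE_RTL, 3, 12, 1));
    printf("buggy wrap, LTR continuation: %d\n", run_buggy(SAMPLE_LTR, 12));
    printf("fixed wrap, RTL continuation: %d\n", run_fixed(SAMPLE_RTL, 12, 1));
    printf("fixed wrap, oversized single cluster: %d\n", run_fixed(SAMPLE_LTR, 3, 0));
    return 0;
}
```

The two checks shown are independent: walking in logical order makes the split land at the right boundary for RTL text, and the `node->next == NULL` guard keeps the layout code from crashing when a split is impossible for any reason, which is the class of defect a fuzzer-found EPUB like the one in this report triggers.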
File snapshot
```
[4.0K] /data/pocs/27667b34263c20fb479328accbc22a5dddb383a1
├── [1.0K] LICENSE
└── [2.0K] README.md
0 directories, 2 files
```
Notes
1. It is recommended to access the material through the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.