CVE-2025-55780 PoC: MuPDF security vulnerability

Associated Vulnerability
Title: MuPDF security vulnerability (CVE-2025-55780)
Description: MuPDF is a free and open-source software library written in C by the MuPDF project. It is used to render pages to bitmaps, but also supports other operations such as searching and listing the table of contents and links. MuPDF version 1.26.4 has a security vulnerability caused by the break_word_for_overflow_wrap function not checking the validity of node->next, which may lead to a NULL pointer dereference.
Description
Null Pointer De-reference in MuPDF 1.26.4
Readme
# CVE-2025-55780
Null Pointer De-reference in MuPDF 1.26.4 EPUB Rendering Function

CVE Reference - [CVE-2025-55780](https://www.cve.org/CVERecord?id=CVE-2025-55780)

Affected versions : 1.26.7 and earlier

Found and tested on : 1.26.4

Severity (CVSSv3 score) : 7.5 (High)

Fixed in commit :
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=bdd5d241748807378a78a622388e0312332513c5

Bugzilla : https://bugs.ghostscript.com/show_bug.cgi?id=708720

Crash Location :-
```
(1a44.55c0): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

mupdf!break_word_for_overflow_wrap+0x243:

00007ff7`6dbf2a23 8b00            mov     eax,dword ptr [rax] ds:00000000`00000000=????????
```

Fix :-

    Fix NULL dereference in HTML layout.

    If we have a single flow node that is too large to fit in the
    available width, and we are using the "overflow-wrap:break-word"
    CSS style, then we attempt to break the flow node into smaller
    pieces so that it can wrap nicely.

    We do this by walking the flow node text to break it into clusters;
    we want to break at cluster level rather than character level to
    avoid problems with shaping.

    For right to left text, the clusters come in the opposite order to
    expected and the existing logic goes wrong.

    This can lead to the splitting code not actually splitting anything
    which in turn can lead to node->next being NULL, and us attempting
    to dereference NULL.

    The fix is to split differently for right 2 left text.

    While investigating this, an additional problem was spotted, namely
    that the way we were calling harfbuzz meant that it didn't group
    clusters together as we expected. Accordingly, we extend the code
    here so that our 'string_walker' can call harfbuzz in 'grapheme'
    cluster mode rather than 'character' cluster mode.

    Using that, we then update the code to walk the returned fragments
    of the string, breaking the code at the correct position for the
    required space, with care taken to cope correctly with both l2r and
    r2l text.
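The failure mode the commit message describes, as an added illustration that is not MuPDF's code: a constructed toy model of a flow-node list in which a cluster-boundary picker that assumes left-to-right (ascending) order finds no break when the shaper hands back right-to-left (descending) boundaries, so the split is a no-op and an unguarded `node->next` is still NULL. Every name here (`flow_node`, `split_node`, `pick_break_naive`, `pick_break_order_independent`, `wrap_node`) and the sample boundaries are assumptions made for this example; the real layout code in `break_word_for_overflow_wrap` is more involved.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of a layout flow node list. It is not MuPDF's
 * fz_html_flow; the names and behaviour are assumptions for this example. */
typedef struct flow_node {
    char *text;              /* owned, NUL-terminated piece of the word */
    struct flow_node *next;  /* next piece on the line, NULL at the end */
} flow_node;

static flow_node *flow_node_new(const char *text)
{
    size_t len = strlen(text);
    flow_node *n = malloc(sizeof *n);
    if (!n) abort();
    n->text = malloc(len + 1);
    if (!n->text) abort();
    memcpy(n->text, text, len + 1);
    n->next = NULL;
    return n;
}

static void flow_list_free(flow_node *n)
{
    while (n) {
        flow_node *next = n->next;
        free(n->text);
        free(n);
        n = next;
    }
}

/* bounds[] holds cluster boundaries (byte offsets) in the order the shaper
 * returned them: ascending for left-to-right text, descending for
 * right-to-left. Both pickers return the offset to split at, or 0 meaning
 * "no split found". */

/* Pre-fix style: walk boundaries in shaper order and stop at the first one
 * that does not fit. Only correct when the order is ascending. */
size_t pick_break_naive(const size_t *bounds, size_t n, size_t max_chars)
{
    size_t best = 0;
    for (size_t i = 0; i < n; i++) {
        if (bounds[i] > max_chars)
            break;              /* for descending input this fires at i == 0 */
        best = bounds[i];
    }
    return best;
}

/* Order-independent: take the largest boundary that fits, wherever it sits. */
size_t pick_break_order_independent(const size_t *bounds, size_t n, size_t max_chars)
{
    size_t best = 0;
    for (size_t i = 0; i < n; i++)
        if (bounds[i] <= max_chars && bounds[i] > best)
            best = bounds[i];
    return best;
}

/* Split node so its first piece keeps the first `at` bytes and a new node
 * holds the rest. Returns 1 on split, 0 when `at` is 0 or not inside the
 * text; in that case the list is unchanged and node->next may still be NULL. */
int split_node(flow_node *node, size_t at)
{
    size_t len = strlen(node->text);
    if (at == 0 || at >= len)
        return 0;
    flow_node *tail = flow_node_new(node->text + at);
    node->text[at] = '\0';
    tail->next = node->next;
    node->next = tail;
    return 1;
}

/* Break an oversized node for overflow-wrap:break-word and return the piece
 * that wraps to the next line. The NULL return is the guard: code that
 * dereferences node->next without checking crashes exactly when the picker
 * returned 0 and nothing was split. */
flow_node *wrap_node(flow_node *node, const size_t *bounds, size_t n,
                     size_t max_chars, int order_independent)
{
    size_t at = order_independent
              ? pick_break_order_independent(bounds, n, max_chars)
              : pick_break_naive(bounds, n, max_chars);
    if (!split_node(node, at))
        return NULL;
    return node->next;
}

int main(void)
{
    const size_t rtl[] = {9, 6, 3};   /* constructed: boundaries in r2l order */
    flow_node *node = flow_node_new("abcdefghijkl");  /* 12 bytes, limit 7 */

    flow_node *tail = wrap_node(node, rtl, 3, 7, 0);
    printf("naive picker on r2l order: %s\n",
           tail ? tail->text : "(no split, next is NULL)");

    tail = wrap_node(node, rtl, 3, 7, 1);
    printf("order-independent picker: %s | %s\n", node->text, tail ? tail->text : "(none)");

    flow_list_free(node);
    return 0;
}
```

The point for a reviewer of similar layout code is the shape of `wrap_node`: whatever picker is used, the split is allowed to fail, so the result of the split, not the mere fact that it was attempted, decides whether the next piece exists.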

#### References

https://nvd.nist.gov/vuln/detail/CVE-2025-55780

https://www.tenable.com/cve/CVE-2025-55780

https://ubuntu.com/security/CVE-2025-55780

https://cvefeed.io/vuln/detail/CVE-2025-55780

https://osv.dev/vulnerability/UBUNTU-CVE-2025-55780

https://cve.akaoma.com/cve-2025-55780

https://vulners.com/cve/CVE-2025-55780

https://bugzilla.redhat.com/show_bug.cgi?id=2397702

https://github.com/advisories/GHSA-756h-grq9-2jvh

https://www.tenable.com/plugins/nessus/266050

https://security-tracker.debian.org/tracker/CVE-2025-55780

https://access.redhat.com/security/cve/cve-2025-55780

https://www.wiz.io/vulnerability-database/cve/cve-2025-55780

https://security.snyk.io/vuln/SNYK-UNMANAGED-MUPDF-13058631

https://feedly.com/cve/CVE-2025-55780

https://vulmon.com/vulnerabilitydetails?qid=CVE-2025-55780&sortby=bydate

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116254

File Snapshot

```
[4.0K] /data/pocs/27667b34263c20fb479328accbc22a5dddb383a1
├── [1.0K] LICENSE
└── [3.1K] README.md

1 directory, 2 files
```