Описание
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
A flaw was found in MuPDF. An attacker can exploit a double-free vulnerability in the fz_fill_pixmap_from_display_list() function by processing crafted input that causes a rendering-time error during barcode decoding. This can lead to heap corruption and a process crash, resulting in a Denial of Service (DoS).
Отчет
This MODERATE impact vulnerability in MuPDF affects applications that utilize its barcode decoding functionality. The flaw can be triggered when processing specially crafted input that causes a rendering error during barcode decoding, leading to a double-free and potential application crash. Red Hat products are affected if they enable and use MuPDF for barcode decoding.
Меры по смягчению последствий
To mitigate this issue, avoid processing untrusted or unverified input with applications that use MuPDF for barcode decoding. Restricting the sources of documents processed by MuPDF can reduce the risk of exploitation.
Ссылки на источники
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerabili ...
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
5.3 Medium
CVSS3