cpe:2.3:a:artifex:mupdf:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Artifex (0075fabc-cec9-5063-a004-04a5c9db1a9b)
Product: Mupdf (6f02f53c-b512-52b9-a348-7b443959b13c)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:deb/debian/mupdf | purl2cpe | 2026-06-01 10:14:59.668044
pkg:deb/ubuntu/mupdf | purl2cpe | 2026-06-01 10:14:59.668046
pkg:github/artifexsoftware/mupdf | purl2cpe | 2026-06-01 10:14:59.668047
pkg:rpm/fedora/mupdf | purl2cpe | 2026-06-01 10:14:59.668049
pkg:rpm/opensuse/mupdf | purl2cpe | 2026-06-01 10:14:59.668050

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2025-55780 vulnerable 2026-06-08 07:33:15.353431 Details available
A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain.
Published: 2025-09-23T00:00:00.000Z
Updated: 2025-09-25T14:47:03.426Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-46206 vulnerable 2026-06-08 07:25:11.313199 Details available
An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion
Published: 2025-08-04T00:00:00.000Z
Updated: 2025-08-05T16:46:11.289Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-15569 vulnerable 2026-06-08 07:06:36.478532 Artifex MuPDF win_main.c get_system_dpi uncontrolled search path
HIGH (7)
A flaw has been found in Artifex MuPDF up to 1.26.1 on Windows. The impacted element is the function get_system_dpi of the file platform/x11/win_main.c. This manipulation causes uncontrolled search path. The attack requires local access. The attack is considered to have high complexity. The exploitability is regarded as difficult. Upgrading to version 1.26.2 is sufficient to resolve this issue. Patch name: ebb125334eb007d64e579204af3c264aadf2e244. Upgrading the affected component is recommended.
Published: 2026-02-10T10:02:09.074Z
Updated: 2026-02-23T09:54:58.415Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-4216 vulnerable 2026-06-08 05:38:08.949646 Details available
A Floating point exception (division-by-zero) flaw was found in Mupdf for zero width pages in muraster.c. It is fixed in Mupdf-1.20.0-rc1 upstream.
Published: 2022-08-26T15:25:43.000Z
Updated: 2024-08-03T17:16:04.307Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-3407 vulnerable 2026-06-08 05:33:51.273013 Details available
A flaw was found in mupdf 1.18.0. Double free of object during linearization may lead to memory corruption and other potential consequences.
Published: 2021-02-23T22:04:15.000Z
Updated: 2025-02-13T16:28:22.945Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-37220 vulnerable 2026-06-08 05:32:53.962733 Details available
MuPDF through 1.18.1 has an out-of-bounds write because the cached color converter does not properly consider the maximum key size of a hash table. This can, for example, be seen with crafted "mutool draw" input.
Published: 2021-07-21T21:02:04.000Z
Updated: 2024-08-04T01:16:03.758Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-26519 vulnerable 2026-06-08 05:23:51.259917 Details available
Artifex MuPDF before 1.18.0 has a heap based buffer over-write when parsing JBIG2 files allowing attackers to cause a denial of service.
Published: 2020-10-02T05:34:12.000Z
Updated: 2024-08-04T15:56:04.698Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-19609 vulnerable 2026-06-08 05:20:57.351094 Details available
Artifex MuPDF before 1.18.0 has a heap based buffer over-write in tiff_expand_colormap() function when parsing TIFF files allowing attackers to cause a denial of service.
Published: 2021-07-21T14:10:23.000Z
Updated: 2024-08-04T14:15:27.470Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-16600 vulnerable 2026-06-08 05:19:27.927817 Details available
A Use After Free vulnerability exists in Artifex Software, Inc. MuPDF library 1.17.0-rc1 and earlier when a valid page was followed by a page with invalid pixmap dimensions, causing bander - a static - to point to previously freed memory instead of a newband_writer.
Published: 2020-12-09T21:06:55.000Z
Updated: 2024-08-04T13:45:33.192Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-14975 vulnerable 2026-06-08 05:12:56.484637 Details available
Artifex MuPDF before 1.16.0 has a heap-based buffer over-read in fz_chartorune in fitz/string.c because pdf/pdf-op-filter.c does not check for a missing string.
Published: 2019-08-14T12:46:26.000Z
Updated: 2024-08-05T00:34:52.695Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-1000040 vulnerable 2026-06-08 05:10:25.343136 Details available
In Artifex MuPDF 1.12.0 and earlier, multiple use of uninitialized value bugs in the PDF parser could allow an attacker to cause a denial of service (crash) or influence program flow via a crafted file.
Published: 2018-05-24T13:00:00.000Z
Updated: 2024-08-05T12:33:48.855Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-1000039 vulnerable 2026-06-08 05:10:25.342642 Details available
In Artifex MuPDF 1.12.0 and earlier, multiple heap use after free bugs in the PDF parser could allow an attacker to execute arbitrary code, read memory, or cause a denial of service via a crafted file.
Published: 2018-05-24T13:00:00.000Z
Updated: 2024-08-05T12:33:48.769Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-1000038 vulnerable 2026-06-08 05:10:25.341908 Details available
In Artifex MuPDF 1.12.0 and earlier, a stack buffer overflow in function pdf_lookup_cmap_full in pdf/pdf-cmap.c could allow an attacker to execute arbitrary code via a crafted file.
Published: 2018-05-24T13:00:00.000Z
Updated: 2024-08-05T12:33:48.901Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-1000037 vulnerable 2026-06-08 05:10:25.341489 Details available
In Artifex MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF parser allow an attacker to cause a denial of service (assert crash) via a crafted file.
Published: 2018-05-24T13:00:00.000Z
Updated: 2024-08-05T12:33:48.754Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-1000036 vulnerable 2026-06-08 05:10:25.339755 Details available
In Artifex MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser allow an attacker to cause a denial of service (memory leak) via a crafted file.
Published: 2018-05-24T13:00:00.000Z
Updated: 2024-09-13T16:11:02.461Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-5991 vulnerable 2026-06-08 05:09:50.292848 Details available
An issue was discovered in Artifex MuPDF before 1912de5f08e90af1d9d0a9791f58ba3afdb9d465. The pdf_run_xobject function in pdf-op-run.c encounters a NULL pointer dereference during a Fitz fz_paint_pixmap_with_mask painting operation. Versions 1.11 and later are unaffected.
Published: 2017-02-15T06:11:00.000Z
Updated: 2024-08-05T15:18:48.984Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-5896 vulnerable 2026-06-08 05:09:50.064203 Details available
Heap-based buffer overflow in the fz_subsample_pixmap function in fitz/pixmap.c in MuPDF 1.10a allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted image.
Published: 2017-02-15T19:00:00.000Z
Updated: 2024-08-05T15:11:48.873Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-17866 vulnerable 2026-06-08 05:09:10.035225 Details available
pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles certain length changes when a repair operation occurs during a clean operation, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted PDF document.
Published: 2017-12-23T17:00:00.000Z
Updated: 2024-08-05T21:06:49.375Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-15369 vulnerable 2026-06-08 05:08:58.793517 Details available
The build_filter_chain function in pdf/pdf-stream.c in Artifex MuPDF before 2017-09-25 mishandles a certain case where a variable may reside in a register, which allows remote attackers to cause a denial of service (Fitz fz_drop_imp use-after-free and application crash) or possibly have unspecified other impact via a crafted PDF document.
Published: 2017-10-16T01:00:00.000Z
Updated: 2024-09-17T01:35:48.232Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-8674 vulnerable 2026-06-08 05:08:14.608717 Details available
The pdf_to_num function in pdf-object.c in MuPDF before 1.10 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted file.
Published: 2017-02-15T21:00:00.000Z
Updated: 2024-08-06T02:27:41.259Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-6525 vulnerable 2026-06-08 05:08:02.687889 Details available
Heap-based buffer overflow in the pdf_load_mesh_params function in pdf/pdf-shade.c in MuPDF allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a large decode array.
Published: 2016-09-22T15:00:00.000Z
Updated: 2024-08-06T01:29:20.214Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2016-6265 vulnerable 2026-06-08 05:07:59.313541 Details available
Use-after-free vulnerability in the pdf_load_xref function in pdf/pdf-xref.c in MuPDF allows remote attackers to cause a denial of service (crash) via a crafted PDF file.
Published: 2016-09-22T15:00:00.000Z
Updated: 2024-08-06T01:22:20.646Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-2013 vulnerable 2026-06-08 05:05:27.158379 Details available
Stack-based buffer overflow in the xps_parse_color function in xps/xps-common.c in MuPDF 1.3 and earlier allows remote attackers to execute arbitrary code via a large number of entries in the ContextColor value of the Fill attribute in a Path element.
Published: 2014-03-03T16:00:00.000Z
Updated: 2024-08-06T09:58:16.235Z
Imported from gcve-enriched-dumps CVE data
