DjVuLibre Out-of-Bounds Write Vulnerability in MMRDecoder Allowing Code Execution

Vulnerability

A vulnerability has been identified in DjVuLibre versions prior to 3.5.29, specifically within the MMRDecoder::scanruns method. This out-of-bounds write vulnerability arises because the method fails to ensure that the 'xr' pointer remains within the limits of the allocated buffer. Consequently, this oversight can lead to memory corruption, creating a condition that could be exploited for arbitrary code execution. The issue was discovered through fuzzing and is particularly concerning because DjVuLibre is used by default document viewers on many Linux distributions, such as Evince and Papers. Exploitation of this vulnerability can bypass standard security protections and is demonstrated in a proof-of-concept video.
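To make the class of defect concrete, the following is an added illustration of the bounds-check pattern the advisory says is missing: a run-length row scanner that advances a write cursor `xr` through a caller-owned table. This is constructed example code, not DjVuLibre's `MMRDecoder::scanruns` and not its interface; the pixel format (one byte per pixel), the function names and the capacity parameter are all assumptions made for the example. The worst-case input for such a scanner is a row of alternating pixels, which produces one run per pixel, so a table smaller than the row width must be guarded by a check on `xr` or the write runs past the allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hardened run-length scanner (constructed illustration, NOT DjVuLibre code).
 *
 * row:   width bytes, each 0 or 1 (one pixel per byte; constructed format)
 * out:   run-length table owned by the caller; cap is its entry count
 * Returns the number of runs written, or -1 if the table would overflow.
 */
int scanruns_checked(const uint8_t *row, size_t width,
                     uint16_t *out, size_t cap)
{
    uint16_t *xr = out;                 /* write cursor into the run table */
    const uint16_t *xr_end = out + cap; /* one past the last valid entry */
    size_t start = 0;

    if (width == 0)
        return 0;

    for (size_t i = 1; i <= width; i++) {
        /* A run ends at a colour change or at the end of the row. */
        if (i == width || row[i] != row[start]) {
            /* The check the advisory describes as absent: never advance
             * xr past the end of the allocated table. */
            if (xr >= xr_end)
                return -1;
            *xr++ = (uint16_t)(i - start);
            start = i;
        }
    }
    return (int)(xr - out);
}

/* Worst case for any run scanner: alternating pixels give one run per
 * pixel, so a table needs at least 'width' entries to be safe unchecked. */
size_t scanruns_worst_case(size_t width) { return width; }

/* Helper: builds an alternating row of 'width' pixels (constructed input)
 * and scans it into a table of 'cap' entries. Both limited to 64 here. */
int demo_alternating(size_t width, size_t cap)
{
    uint8_t row[64];
    uint16_t table[64];
    if (width > 64 || cap > 64)
        return -2;
    for (size_t i = 0; i < width; i++)
        row[i] = (uint8_t)(i & 1);
    return scanruns_checked(row, width, table, cap);
}

/* Helper: scans the constructed row 0001111000 into an 8-entry table and
 * returns the run length at index idx, or -1 if idx is out of range. */
int demo_pattern_run(size_t idx)
{
    static const uint8_t row[10] = {0, 0, 0, 1, 1, 1, 1, 0, 0, 0};
    uint16_t table[8];
    int n = scanruns_checked(row, 10, table, 8);
    if (n < 0 || idx >= (size_t)n)
        return -1;
    return table[idx];
}

int main(void)
{
    /* An alternating 10-pixel row needs 10 entries; an 8-entry table is
     * rejected instead of being overrun. */
    printf("alternating row, 8-entry table:  %d\n", demo_alternating(10, 8));
    printf("alternating row, 10-entry table: %d runs\n", demo_alternating(10, 10));
    printf("row 0001111000 -> runs %d, %d, %d\n",
           demo_pattern_run(0), demo_pattern_run(1), demo_pattern_run(2));
    return 0;
}
```

The design point is that the capacity travels with the table (`out` and `cap` together) and the cursor is compared against `xr_end` before every write, so a crafted row cannot push the cursor past the allocation regardless of how many transitions it contains; a fuzzer that feeds alternating or pathological rows is the natural regression test for such a check.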

Impact

Exploitation of this vulnerability can lead to arbitrary code execution on the affected system.

Reproduction

The vulnerability can be reproduced by opening a crafted DjVu file carrying a .pdf extension in the Evince or Papers document viewer on an Ubuntu 25.04 (x86_64) system. Despite the extension, the viewer hands the file to DjVuLibre, which decodes it and triggers the out-of-bounds write, resulting in code execution.

Remediation

Users can upgrade to DjVuLibre version 3.5.29 or later to address this vulnerability.

Added: Jul 3, 2025, 9:18 PM
Updated: Jul 3, 2025, 10:20 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          6.6
  impact          7.5
  exploitability  5.8
  remediation     7.7
  relevance       0.2
  threat          6.4
  urgency         2.9
  incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.