MuPDF Barcode Decoding Double-Free Vulnerability

A double-free vulnerability has been identified in MuPDF versions 1.23.0 through 1.27.0. The issue arises in the function 'fz_fill_pixmap_from_display_list()' when an exception occurs during the rendering of the display list. This function takes a caller-owned 'fz_pixmap' pointer but improperly frees the pixmap in its error handling process before rethrowing the exception. As a result, when callers, including 'fz_decode_barcode_from_display_list', attempt to clean up by dropping the same pixmap, it leads to a double-free situation. This vulnerability can corrupt the heap and cause the application to crash, particularly in scenarios where MuPDF's barcode decoding feature is used.

Impact

Exploitation of this vulnerability causes heap corruption and crashes the application, leading to a denial-of-service condition. However, such a double-free vulnerability could potentially be exploited to execute arbitrary code, depending on the memory allocator used by the application.

Reproduction

The vulnerability can be reproduced by using the 'mutool' command-line tool that comes with MuPDF, specifically through its JavaScript API. This involves creating a PDF file that triggers an out-of-memory error during the processing of a barcode, which then activates the vulnerable code path, leading to the double-free condition.

Remediation

The vulnerability has been fixed in MuPDF version 1.27.1. Users should upgrade to this version to address the issue.