SumatraPDF
cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*
- <= 3.5.2
A heap out-of-bounds read vulnerability has been identified in SumatraPDF versions through 3.5.2, specifically within the MOBI HuffDic decompressor. The issue arises because the bounds check in the 'AddCdicData()' function only verifies half the range that 'DecodeOne()' accesses. This flaw allows a crafted .mobi file to read nearly (1 << codeLength) bytes beyond the CDIC dictionary buffer, resulting in a crash.
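The mismatch described above, where the check in one function covers less than the decoder later reads, is avoided by validating the full byte range up front. The following is an added example, not SumatraPDF's code: the CDIC record layout is assumed from public MOBI format notes, and `cdic_validate`, `MAX_CODE_LEN` and the sample record are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed CDIC record layout (public MOBI format notes, not SumatraPDF code):
 * 0 "CDIC" | 4 header length | 8 total phrase count | 12 codeLength, then at
 * byte 16 a table of big-endian u16 offsets (relative to byte 16), each
 * pointing at a u16 length (low 15 bits) followed by that many phrase bytes. */
enum { CDIC_HDR = 16, MAX_CODE_LEN = 15 /* cap chosen for this example */ };

static uint32_t be16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }
static uint32_t be32(const uint8_t *p) { return (be16(p) << 16) | be16(p + 2); }

/* Hypothetical validator. Returns the number of table entries proven to lie,
 * with their phrases, inside rec[0..len), or -1. A decoder must index only
 * below that count. `seen` = phrases loaded from earlier CDIC records. */
int cdic_validate(const uint8_t *rec, size_t len, uint32_t seen) {
    if (len < CDIC_HDR || memcmp(rec, "CDIC", 4) != 0)
        return -1;
    uint32_t phrases = be32(rec + 8), code_len = be32(rec + 12);
    if (code_len == 0 || code_len > MAX_CODE_LEN || phrases < seen)
        return -1;
    size_t n = (size_t)1 << code_len;
    if (phrases - seen < n)
        n = phrases - seen;
    /* Each entry is 2 bytes, so the table spans n * 2 bytes; comparing only
     * n against the remaining length would cover half of what is read. */
    if (n * 2 > len - CDIC_HDR)
        return -1;
    for (size_t i = 0; i < n; i++) {
        size_t off = CDIC_HDR + be16(rec + CDIC_HDR + i * 2);
        if (off + 2 > len)
            return -1;                      /* length field out of range */
        if ((be16(rec + off) & 0x7fff) > len - off - 2)
            return -1;                      /* phrase bytes out of range */
    }
    return (int)n;
}

int main(void) {
    /* Constructed sample: 2 phrases, codeLength 1, phrases "ab" and "c". */
    static const uint8_t ok[] = { 'C','D','I','C', 0,0,0,16, 0,0,0,2, 0,0,0,1,
        0,4, 0,8,  0,2,'a','b',  0,1,'c' };
    printf("full record: %d\n", cdic_validate(ok, sizeof ok, 0));
    printf("cut to 18 bytes: %d\n", cdic_validate(ok, 18, 0));
    return 0;
}
```

With the record cut to 18 bytes, a check of `n` against the 2 remaining bytes would pass, while the `n * 2` check rejects it.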
Exploitation of this vulnerability leads to a heap out-of-bounds read, causing SumatraPDF to crash. This type of memory corruption can often be exploited to execute arbitrary code under certain conditions.
The vulnerability can be reproduced by opening a crafted .mobi file with SumatraPDF. The file should be prepared to exploit the bounds check flaw by using a 'codeLength' that allows 'DecodeOne()' to read beyond the dictionary buffer. After creating this file, it can be opened in SumatraPDF to trigger the crash.
Users can update to the latest version of SumatraPDF, where this vulnerability has been fixed.