Artifex MuPDF
cpe:2.3:a:artifex:mupdf:*:*:*:*:*:*:*
- <= 1.28.0
A heap out-of-bounds read vulnerability has been identified in Artifex MuPDF versions prior to 1.28.0. The issue arises in the CFF Index Handler, specifically within the function 'fz_subset_cff_for_gids' in the file 'subset-cff.c'. The vulnerability is caused by an off-by-one error in the validation of CFF INDEX offsets, allowing a crafted CFF to bypass checks and lead to out-of-bounds memory access. This vulnerability can be exploited locally and has been publicly disclosed, with an available proof-of-concept exploit.
Exploitation of this vulnerability causes a heap-buffer-overflow, leading to a crash of the 'mutool clean' command when processing a crafted PDF. Additionally, there is a potential information leak, as 37 or more bytes of heap memory adjacent to the CFF allocation are copied into the output PDF's subsetted font stream, which could be accessed by the PDF consumer.
The vulnerability can be reproduced using the 'mutool' command-line tool, which is part of the MuPDF suite. After crafting a PDF that exploits the flawed CFF INDEX validation, the 'mutool clean' command can be run with the crafted PDF as input. AddressSanitizer will report a heap-buffer-overflow error, indicating that the out-of-bounds read has occurred.
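The record above attributes the bug to an off-by-one in the validation of CFF INDEX offsets. The following is an added example, not code from MuPDF or from 'subset-cff.c': a self-contained strict parser for a CFF INDEX (count, offSize, count+1 one-based big-endian offsets, then object data) that shows where the boundary check has to sit. CFF offsets are 1-based and the last one is exclusive, so the largest legal final offset is data_len + 1; accepting data_len + 2 would let the last object run one byte past the allocation, which is the class of error the record describes. The sample INDEX bytes and the function names are constructed for this example.

```c
/* Added example: strict CFF INDEX parsing with an explicit end-of-data bound.
   Not MuPDF code; names, layout of the struct and the sample bytes are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t count;          /* number of objects in the INDEX */
    uint32_t off_size;       /* bytes per offset entry, 1..4 */
    const uint8_t *offsets;  /* count + 1 big-endian offsets, 1-based */
    const uint8_t *data;     /* object data; offset value 1 addresses data[0] */
    size_t data_len;         /* bytes of object data owned by this INDEX */
    size_t total_len;        /* bytes consumed by the whole INDEX structure */
} cff_index;

static uint32_t read_be(const uint8_t *p, uint32_t n)
{
    uint32_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

static uint32_t offset_at(const cff_index *idx, uint32_t i)
{
    return read_be(idx->offsets + (size_t)i * idx->off_size, idx->off_size);
}

/* Returns 0 on success, -1 if the INDEX is malformed or does not fit in buf[0..len). */
int cff_index_parse(const uint8_t *buf, size_t len, cff_index *idx)
{
    memset(idx, 0, sizeof *idx);
    if (len < 2) return -1;
    idx->count = read_be(buf, 2);
    if (idx->count == 0) { idx->total_len = 2; return 0; }   /* an empty INDEX is just the count */
    if (len < 3) return -1;
    idx->off_size = buf[2];
    if (idx->off_size < 1 || idx->off_size > 4) return -1;
    size_t header = 3 + ((size_t)idx->count + 1) * idx->off_size;
    if (header > len) return -1;                              /* offset array itself must fit */
    idx->offsets = buf + 3;
    idx->data = buf + header;
    idx->data_len = len - header;                             /* upper bound on data available */
    if (offset_at(idx, 0) != 1) return -1;                    /* first offset is always 1 */
    uint32_t prev = 1;
    for (uint32_t i = 1; i <= idx->count; i++) {
        uint32_t off = offset_at(idx, i);
        if (off < prev) return -1;                            /* offsets must be non-decreasing */
        prev = off;
    }
    /* Critical bound: the last offset is 1-based and exclusive, so the highest legal
       value is data_len + 1. Comparing against data_len + 2 instead (an off-by-one)
       would let the final object extend one byte beyond the buffer. */
    if ((size_t)prev - 1 > idx->data_len) return -1;
    idx->data_len = prev - 1;
    idx->total_len = header + idx->data_len;
    return 0;
}

/* Object i as a pointer/length pair. Returns -1 if i is out of range. */
int cff_index_get(const cff_index *idx, uint32_t i, const uint8_t **p, size_t *n)
{
    if (i >= idx->count) return -1;
    uint32_t a = offset_at(idx, i), b = offset_at(idx, i + 1);
    *p = idx->data + (a - 1);
    *n = b - a;
    return 0;
}

/* Constructed sample INDEX: count=2, offSize=1, offsets 1,3,6, objects "ab" and "cde". */
static const uint8_t sample_ok[]  = { 0x00, 0x02, 0x01, 0x01, 0x03, 0x06, 'a', 'b', 'c', 'd', 'e' };
/* Same bytes, but the last offset (7) points one byte past the data: must be rejected. */
static const uint8_t sample_bad[] = { 0x00, 0x02, 0x01, 0x01, 0x03, 0x07, 'a', 'b', 'c', 'd', 'e' };

/* Length of object i, or -1 if the INDEX is malformed or i is out of range. */
int cff_object_len(const uint8_t *buf, size_t len, uint32_t i)
{
    cff_index idx; const uint8_t *p; size_t n;
    if (cff_index_parse(buf, len, &idx) != 0) return -1;
    if (cff_index_get(&idx, i, &p, &n) != 0) return -1;
    return (int)n;
}

int main(void)
{
    printf("valid INDEX: object 0 length %d, object 1 length %d\n",
           cff_object_len(sample_ok, sizeof sample_ok, 0),
           cff_object_len(sample_ok, sizeof sample_ok, 1));
    printf("one-past-end INDEX rejected: %s\n",
           cff_object_len(sample_bad, sizeof sample_bad, 0) == -1 ? "yes" : "no");
    return 0;
}
```

The parser rejects a truncated offset array, a first offset other than 1, decreasing offsets, and a final offset past the available data, so every object returned by cff_index_get lies inside the buffer handed to cff_index_parse. A subsetting routine built on such an accessor cannot copy bytes adjacent to the allocation into its output.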