
CVE-2025-55780 PoC: MuPDF security vulnerability

Associated Vulnerability
Title: MuPDF security vulnerability (CVE-2025-55780)
Description: A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check that node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain.
Description
Null Pointer Dereference in MuPDF 1.26.4
Readme
# CVE-2025-55780
Null Pointer De-reference in MuPDF 1.26.4 EPUB Rendering Function

CVE Reference - [CVE-2025-55780](https://www.cve.org/CVERecord?id=CVE-2025-55780)

Affected Versions: 1.26.7 and earlier

Found and tested on: 1.26.4

Severity (CVSSv3 score): 7.5 (High)

Fixed in commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=bdd5d241748807378a78a622388e0312332513c5

Bugzilla: https://bugs.ghostscript.com/show_bug.cgi?id=708720

Crash Location:
```
(1a44.55c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
mupdf!break_word_for_overflow_wrap+0x243:
00007ff7`6dbf2a23 8b00            mov     eax,dword ptr [rax] ds:00000000`00000000=????????
```

Fix (commit message):
```
Fix NULL dereference in HTML layout.

If we have a single flow node that is too large to fit in the
available width, and we are using the "overflow-wrap:break-word"
CSS style, then we attempt to break the flow node into smaller
pieces so that it can wrap nicely.

We do this by walking the flow node text to break it into clusters;
we want to break at cluster level rather than character level to
avoid problems with shaping.

For right to left text, the clusters come in the opposite order to
expected and the existing logic goes wrong.

This can lead to the splitting code not actually splitting anything
which in turn can lead to node->next being NULL, and us attempting
to dereference NULL.

The fix is to split differently for right 2 left text.

While investigating this, an additional problem was spotted, namely
that the way we were calling harfbuzz meant that it didn't group
clusters together as we expected. Accordingly, we extend the code
here so that our 'string_walker' can call harfbuzz in 'grapheme'
cluster mode rather than 'character' cluster mode.

Using that, we then update the code to walk the returned fragments
of the string, breaking the code at the correct position for the
required space, with care taken to cope correctly with both l2r and
r2l text.
```
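The two accounts above (the description's missing `node->next` check and the commit message's "split did not actually split anything" path) reduce to one pattern: a caller that assumes a split always yields a successor node. The model below is an added illustration, not MuPDF's code; `flow_node`, `split_flow()` and both `break_word_*` functions are hypothetical stand-ins for `fz_html_flow`, `fz_html_split_flow()` and `break_word_for_overflow_wrap()`, showing the unchecked dereference next to the guarded form.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for a chain of HTML flow nodes; not MuPDF's fz_html_flow. */
typedef struct flow_node {
    struct flow_node *next;
    const char *text;  /* the word text carried by this FLOW_WORD node */
    size_t len;        /* byte length of text */
    int overflow_wrap; /* CSS overflow-wrap value, modelled as a plain int */
} flow_node;

/* Stand-in for fz_html_split_flow(): split the word after `offset` bytes.
 * Models the failure the commit message describes: if the chosen break
 * position is 0 or at the end of the word (as RTL cluster order could give),
 * nothing is split and node->next stays as it was, NULL for a last node. */
static void split_flow(flow_node *node, size_t offset)
{
    if (offset == 0 || offset >= node->len)
        return; /* nothing to split */
    flow_node *tail = calloc(1, sizeof *tail);
    if (tail == NULL) return; /* allocation failure also leaves the chain as it was */
    tail->text = node->text + offset;
    tail->len = node->len - offset;
    tail->overflow_wrap = node->overflow_wrap;
    tail->next = node->next;
    node->next = tail;
    node->len = offset;
}

/* Vulnerable pattern: assumes the split always produced a successor.
 * Dereferences NULL whenever split_flow() declined to split a last node. */
static int break_word_unchecked(flow_node *node, size_t offset)
{
    split_flow(node, offset);
    return node->next->overflow_wrap; /* crash site when node->next == NULL */
}

/* Hardened pattern: confirm the chain actually grew before touching node->next.
 * Returns false when no split happened so the caller can fall back to not breaking. */
static bool break_word_checked(flow_node *node, size_t offset, int *wrap_out)
{
    flow_node *before = node->next;
    split_flow(node, offset);
    if (node->next == NULL || node->next == before)
        return false;
    *wrap_out = node->next->overflow_wrap;
    return true;
}
```

The `node->next == before` comparison also covers a partially built chain where the node already had a successor, so a failed split cannot be mistaken for a successful one.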

