Coordinated Disclosure Timeline

Summary

MMRDecoder::scanruns() has an out-of-bounds write vulnerability which can cause memory corruption.

Project

DjVuLibre

Tested Version

3.5.28

Details

OOB-Write in MMRDecoder (GHSL-2025-055)

The MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it doesn’t check that the xr pointer stays within the bounds of the allocated buffer.

During the decoding process, run-length encoded data is written into two buffers: lineruns and prevruns:

//libdjvu/MMRDecoder.h
class DJVUAPI MMRDecoder : public GPEnabled
{
...
public:

  unsigned short *lineruns;
...
  unsigned short *prevruns;
...
};

The pointers pr and xr track the current write and read positions in those buffers. scanruns does not check that either pointer stays within the bounds of the allocated buffers (lineruns and prevruns).

//libdjvu/MMRDecoder.cpp
const unsigned short *
MMRDecoder::scanruns(const unsigned short **endptr)
{
...
  // Swap run buffers
  unsigned short *pr = lineruns;
  unsigned short *xr = prevruns;
  prevruns = pr;
  lineruns = xr;
...
  for(a0=0,rle=0,b1=*pr++;a0 < width;)
    {
     ...
            *xr = rle; xr++; rle = 0;
     ...
            *xr = rle; xr++; rle = 0;
 ...
          *xr = inc+rle-a0;
          xr++;
}

This can lead to writes beyond the allocated memory, resulting in a heap corruption condition. An out-of-bounds read with pr is also possible for the same reason.
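As an added illustration (not DjVuLibre's code and not its fix), the C sketch below models the run-buffer write from scanruns together with the bounds check it lacks. The run_writer type, the decode_row helper, the buffer capacity of width + 2 and the run-length inputs (standing in for decoded MMR codes) are all assumptions made for this demo.

```c
#include <stddef.h>

/* Bounded run-length writer (illustration, not DjVuLibre code). Runs are
 * stored as unsigned short like lineruns/prevruns; capacity is assumed. */
typedef struct {
    unsigned short *buf;
    unsigned short *xr;   /* next write slot, mirrors xr in scanruns */
    unsigned short *end;  /* one past the last valid slot */
} run_writer;

/* Returns 1 on success, 0 if the write would land outside the buffer. */
static int put_run(run_writer *w, unsigned short rle)
{
    if (w->xr >= w->end)  /* the check scanruns lacks */
        return 0;
    *w->xr++ = rle;
    return 1;
}

/* Consume a constructed list of run lengths for a row of `width` pixels,
 * mirroring the `a0 < width` loop in scanruns. Returns the number of runs
 * written, or -1 if a write would have gone past the end of the buffer. */
static int decode_row(const unsigned short *runs, size_t nruns, size_t width,
                      unsigned short *out, size_t cap)
{
    run_writer w = { out, out, out + cap };
    size_t a0 = 0;
    for (size_t i = 0; i < nruns && a0 < width; i++) {
        if (!put_run(&w, runs[i]))
            return -1;
        a0 += runs[i];
    }
    return (int)(w.xr - w.buf);
}

/* Constructed inputs: a benign row, and a run list longer than the buffer. */
static int demo_benign(void)
{
    const unsigned short runs[] = { 3, 2, 3 };  /* 3+2+3 == width */
    unsigned short buf[10];                      /* assumed cap: width + 2 */
    return decode_row(runs, 3, 8, buf, 10);      /* -> 3 */
}

static int demo_overflow(void)
{
    /* Zero-length runs never advance a0, so the loop keeps writing. */
    const unsigned short runs[] = { 0,0,0,0,0,0,0,0,0,0,0, 8 };
    unsigned short buf[10];
    return decode_row(runs, 12, 8, buf, 10);     /* -> -1 */
}
```

The second input shows why `a0 < width` alone does not bound the number of writes: run count, not pixel position, is what must be checked against the buffer size.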

Impact

This out-of-bounds write could be used to gain arbitrary code execution in an application that uses DjVuLibre. For example, DjVuLibre is used by the default document viewer on many Linux distributions. @kevinbackhouse (Kevin Backhouse) has developed a PoC exploit for Ubuntu 25.04.

CWEs

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2025-055 in any communication regarding this issue.