Talos is disclosing the presence of two vulnerabilities in the Artifex MuPDF renderer. MuPDF is a lightweight PDF parsing and rendering library featuring high fidelity graphics, high speed, and compact code size which makes it a fairly popular PDF library for embedding in different projects, especially mobile and web applications. Both of these vulnerabilities, if exploited, could lead to arbitrary code execution of an attacker's choice on the target device. Both of these vulnerabilities have been responsibly disclosed and Artifex has released software updates to address these vulnerabilities.

Vulnerability Details Two memory corruption vulnerabilities exist within Artifex MuPDF render that could result in arbitrary code execution if exploited. These two vulnerabilities manifest as a result of improperly parsing and handling parts of a PDF file.

  • TALOS-2016-0242 - MuPDF Fitz library font glyph scaling Code Execution Vulnerability
    This is a heap out-of-bounds write vulnerability that manifests in the glyph scaling code when a font glyph must be scaled down.Vulnerability identified by Aleksandar Nikolic.
  • TALOS-2016-0243 - MuPDf JBIG2 Parser Code Execution Vulnerability
    This is a heap-based buffer overflow vulnerability that manifests in the JBIG2 image parsing functionality for JBIG2 images that are embedded in a PDF.Vulnerability identified by Aleksandar Nikolic and Cory Duplantis. Both of these vulnerabilities could be exploited if an adversary were to specifically craft a PDF file and have a victim open that PDF file with MuPDF. Scenarios where an adversary could achieve remote code execution are email-based attack scenarios, where a user opens a malicious PDF attachment, or where a user downloads a malicious PDF from site hosting user content.

For the full technical details of these vulnerabilities, please refer to the vulnerability advisories that are posted on our website:


Coverage The following Snort Rules detect attempts to exploit these MuPDF vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 41470-41471, 41224-41225