GHSA-fhp4-pr5j-46m5HighCVSS 7.5Disclosed before NVD
Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key
📋 Description
Summary
A NULL pointer dereference vulnerability exists in PDFParser::CreateFilterForStream() when processing a PDF stream with /Filter /LZWDecode and a /DecodeParms dictionary that does not contain the EarlyChange key. This causes an access violation (0xC0000005) and crashes the process.
Affected Version
muhammara <= 6.0.4 (latest)
Vulnerability Details
File: src/deps/PDFWriter/PDFParser.cpp line 2107
if (inDecodeParams)
{
PDFObjectCastPtr<PDFInteger> earlyObj(
QueryDictionaryObject(inDecodeParams, "EarlyChange")
);
early = earlyObj->GetValue(); // NULL dereference when EarlyChange key is absent
}
When inDecodeParams is non-NULL but lacks the EarlyChange key:
QueryDictionaryObject()returns NULLPDFObjectCastPtr<PDFInteger>(NULL)wraps NULLearlyObj->GetValue()dereferences NULL → crash
PoC
460-byte malicious PDF triggers crash via startReadingFromStream():
- PDF contains
/Filter /LZWDecodewith/DecodeParms << >>(empty, no EarlyChange) - Exit code:
0xC0000005(Access Violation)
Fix
if (earlyObj)
early = earlyObj->GetValue();
Impact
Any application accepting untrusted PDFs and using muhammara to read stream contents is vulnerable to DoS.
Similar to: CVE-2022-41957, CVE-2022-39381
PoC File
🎯 Affected products1
- npm/muhammara:<= 6.0.4