GHSA-fhp4-pr5j-46m5HighCVSS 7.5Disclosed before NVD

Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key

Published
June 26, 2026
Last Modified
June 26, 2026

📋 Description

Summary

A NULL pointer dereference vulnerability exists in PDFParser::CreateFilterForStream() when processing a PDF stream with /Filter /LZWDecode and a /DecodeParms dictionary that does not contain the EarlyChange key. This causes an access violation (0xC0000005) and crashes the process.

Affected Version

muhammara <= 6.0.4 (latest)

Vulnerability Details

File: src/deps/PDFWriter/PDFParser.cpp line 2107

if (inDecodeParams)
{
    PDFObjectCastPtr<PDFInteger> earlyObj(
        QueryDictionaryObject(inDecodeParams, "EarlyChange")
    );
    early = earlyObj->GetValue();  // NULL dereference when EarlyChange key is absent
}

When inDecodeParams is non-NULL but lacks the EarlyChange key:

  1. QueryDictionaryObject() returns NULL
  2. PDFObjectCastPtr<PDFInteger>(NULL) wraps NULL
  3. earlyObj->GetValue() dereferences NULL → crash

PoC

460-byte malicious PDF triggers crash via startReadingFromStream():

  • PDF contains /Filter /LZWDecode with /DecodeParms << >> (empty, no EarlyChange)
  • Exit code: 0xC0000005 (Access Violation)

Fix

if (earlyObj)
    early = earlyObj->GetValue();

Impact

Any application accepting untrusted PDFs and using muhammara to read stream contents is vulnerable to DoS.

Similar to: CVE-2022-41957, CVE-2022-39381

PoC File

poc_muhammara_lzw_null.js

🎯 Affected products1

  • npm/muhammara:<= 6.0.4

🔗 References (3)