ISH2YU/CVE-2025-55780

CVE-2025-55780

Null Pointer Dereference in MuPDF 1.26.4 EPUB Rendering Function

CVE Reference: CVE-2025-55780

Affected versions: 1.26.7 and earlier

Found and tested on: 1.26.4

Severity (CVSSv3 score): 7.5 (High)

Fixed in commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=bdd5d241748807378a78a622388e0312332513c5

Bugzilla: https://bugs.ghostscript.com/show_bug.cgi?id=708720

Crash location (debugger output):

(1a44.55c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
mupdf!break_word_for_overflow_wrap+0x243:
00007ff7`6dbf2a23 8b00            mov     eax,dword ptr [rax] ds:00000000`00000000=????????

Fix (commit message): Fix NULL dereference in HTML layout.

If we have a single flow node that is too large to fit in the
available width, and we are using the "overflow-wrap:break-word"
CSS style, then we attempt to break the flow node into smaller
pieces so that it can wrap nicely.

We do this by walking the flow node text to break it into clusters;
we want to break at cluster level rather than character level to
avoid problems with shaping.

For right to left text, the clusters come in the opposite order to
expected and the existing logic goes wrong.

This can lead to the splitting code not actually splitting anything
which in turn can lead to node->next being NULL, and us attempting
to dereference NULL.

The fix is to split differently for right 2 left text.

While investigating this, an additional problem was spotted, namely
that the way we were calling harfbuzz meant that it didn't group
clusters together as we expected. Accordingly, we extend the code
here so that our 'string_walker' can call harfbuzz in 'grapheme'
cluster mode rather than 'character' cluster mode.

Using that, we then update the code to walk the returned fragments
of the string, breaking the code at the correct position for the
required space, with care taken to cope correctly with both l2r and
r2l text.
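
The failure the commit message describes, as an added example that is not MuPDF's code: a constructed, simplified C model of cluster-level word splitting, in which the struct names, the sample glyph widths and the "cluster value increased" boundary test are assumptions. It shows an LTR-only boundary test failing to split a right-to-left run, so node->next stays NULL, beside a direction-aware test of the kind the fix describes.

```c
#include <stddef.h>

/* Constructed, simplified model of the bug described in the commit message
   above; none of it is MuPDF's code.  A flow node holds the glyphs a shaper
   produced for one word; each glyph records its cluster (text offset) and its
   advance width.  For right-to-left runs the shaper emits glyphs in visual
   order, so cluster values decrease along the run instead of increasing. */
typedef struct { int cluster; float advance; } glyph_t;
typedef struct flow_node {
    const glyph_t *glyphs;
    int nglyphs;
    struct flow_node *next;   /* the piece created by a successful split */
} flow_node;
typedef int (*boundary_fn)(const glyph_t *prev, const glyph_t *cur);
/* Buggy boundary test (assumed): a cluster boundary is recognised only as
   "cluster value increased", true for LTR text but never inside an RTL run. */
static int boundary_ltr_only(const glyph_t *p, const glyph_t *c) { return c->cluster > p->cluster; }
/* Fixed boundary test: any change of cluster value, in either direction. */
static int boundary_bidi(const glyph_t *p, const glyph_t *c) { return c->cluster != p->cluster; }

/* Once the width overflows, split at the first glyph that starts a new cluster
   (cluster level, never mid-cluster).  Returns 1 when node->next now points at
   the tail, 0 when nothing was split and node->next is still NULL. */
static int split_word(flow_node *node, float avail, flow_node *tail, boundary_fn boundary)
{
    float w = 0;
    for (int i = 0; i < node->nglyphs; i++) {
        w += node->glyphs[i].advance;
        if (w > avail && i > 0 && boundary(&node->glyphs[i - 1], &node->glyphs[i])) {
            *tail = (flow_node){ node->glyphs + i, node->nglyphs - i, NULL };
            node->nglyphs = i;
            node->next = tail;
            return 1;
        }
    }
    return 0;
}
/* Count the pieces after a split attempt.  The crashing caller assumed 2 and
   dereferenced node->next unconditionally; a result of 1 is that NULL case. */
static int count_pieces(boundary_fn boundary, const glyph_t *g, int n, float avail)
{
    flow_node head = { g, n, NULL }, tail = { NULL, 0, NULL };
    split_word(&head, avail, &tail, boundary);
    int pieces = 0;
    for (flow_node *p = &head; p; p = p->next) pieces++;
    return pieces;
}
/* Constructed sample: a 4-cluster word whose cluster 1 shaped into two glyphs. */
static const glyph_t LTR[] = { {0,10}, {1,5}, {1,5}, {2,10}, {3,10} };
static const glyph_t RTL[] = { {3,10}, {2,10}, {1,5}, {1,5}, {0,10} };
```

With an available width of 17 the first cluster fits and the second does not; the LTR-only test leaves the RTL run as a single piece, which is exactly the state the crashing caller goes on to dereference.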

References

https://nvd.nist.gov/vuln/detail/CVE-2025-55780

https://www.tenable.com/cve/CVE-2025-55780

https://ubuntu.com/security/CVE-2025-55780

https://cvefeed.io/vuln/detail/CVE-2025-55780

https://osv.dev/vulnerability/UBUNTU-CVE-2025-55780

https://cve.akaoma.com/cve-2025-55780

https://vulners.com/cve/CVE-2025-55780

https://bugzilla.redhat.com/show_bug.cgi?id=2397702

https://github.com/advisories/GHSA-756h-grq9-2jvh

https://www.tenable.com/plugins/nessus/266050

https://security-tracker.debian.org/tracker/CVE-2025-55780

https://access.redhat.com/security/cve/cve-2025-55780

https://www.wiz.io/vulnerability-database/cve/cve-2025-55780

https://security.snyk.io/vuln/SNYK-UNMANAGED-MUPDF-13058631

https://feedly.com/cve/CVE-2025-55780

https://vulmon.com/vulnerabilitydetails?qid=CVE-2025-55780&sortby=bydate

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116254

About

Null Pointer Dereference in MuPDF, first CVE discovered by me.
