CVE-2020-25725
Severity: MEDIUM
Xpdf 4.02 - Use-After-Free in SplashOutputDev Type 3 Char Handling
Title source: llmDescription
In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) at SplashOutputDev.cc:3079 uses the already freed `t3GlyphStack->cache`, which causes a `heap-use-after-free`. The code of a previous fix for nested Type 3 characters did not correctly handle the case where a Type 3 char refers to another char in the same Type 3 font.
References (4)
Exploit, Vendor Advisory (x_refsource_misc): https://forum.xpdfreader.com/viewtopic.php?f=3&t=41915
Exploit, Issue Tracking, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25725
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZUU5QG6SSVRTKZTR3A72LDRVZETEI63/
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VLOYVJSM54IL6I5RY4QTJGRS7PIEG44X/
Scores
CVSS v3: 5.0
EPSS: 0.0099
EPSS Percentile: 58.3%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Details
CWE: CWE-416
Status: published
Products (3)
fedoraproject/fedora 32
fedoraproject/fedora 33
xpdfreader/xpdf 4.02
Published: Nov 21, 2020
Tracked Since: Feb 18, 2026