Bug 708720

Summary: NULL pointer dereference in html-layout.c in Latest version
Product: MuPDF Reporter: Ishayu <ishayupotey>
Component: epubAssignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: robin.watts, sebastian.rasmussen
Priority: P2    
Version: master   
Hardware: PC   
OS: All   
Customer: Word Size: ---

Description Ishayu 2025-08-04 19:08:01 UTC 
Created attachment 27080 [details]
Crash File

Please Private this attachment until its FIXED 

Description:
A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF Latest pulled from github ( 1.26.4 ) when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain.

Faulting Source : html-layout.c
Faulting function : break_word_for_overflow_wrap (Access Violation occur here)

Vulnerability Type : NULL pointer De-reference 
Tested on : Windows 11 24H2 (26100.4770) and Windows 10 22H2

Steps to reproduce :-
-> Open Attached EPUB file in mupdf.exe / mupdf-gl.exe

Expected Result :-
-> The Application crashes in few seconds 

Impact : Denial-of-Service (DoS)

Tested on Latest build cloned using this command below ( 5th August 2025 ) 

git clone --recursive git://git.ghostscript.com/mupdf.git


Additional Information :-
The following WinDbg crash report was generated using a Debug build of MuPDF to enable precise root cause analysis of the bug.

WINDBG REPORT :-

************ Preparing the environment for Debugger Extensions Gallery repositories **************
   ExtensionRepository : Implicit
   UseExperimentalFeatureForNugetShare : true
   AllowNugetExeUpdate : true
   NonInteractiveNuget : true
   AllowNugetMSCredentialProviderInstall : true
   AllowParallelInitializationOfLocalRepositories : true

   EnableRedirectToV8JsProvider : false

   -- Configuring repositories
      ----> Repository : LocalInstalled, Enabled: true
      ----> Repository : UserExtensions, Enabled: true

>>>>>>>>>>>>> Preparing the environment for Debugger Extensions Gallery repositories completed, duration 0.000 seconds

************* Waiting for Debugger Extensions Gallery to Initialize **************

>>>>>>>>>>>>> Waiting for Debugger Extensions Gallery to Initialize completed, duration 0.015 seconds
   ----> Repository : UserExtensions, Enabled: true, Packages count: 0
   ----> Repository : LocalInstalled, Enabled: true, Packages count: 41

Microsoft (R) Windows Debugger Version 10.0.27553.1004 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\platform\win32\x64\Debug\mupdf.exe

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: 

+------------------------------------------------------------------------+
| This target supports Hardware-enforced Stack Protection. A HW based    |
| "Shadow Stack" may be available to assist in debugging and analysis.   |
| See aka.ms/userhsp for more info.                                      |
|                                                                        |
| dps @ssp                                                               |
|                                                                        |
+------------------------------------------------------------------------+

ModLoad: 00007ff7`6d0c0000 00007ff7`71a3f000   mupdf.exe
ModLoad: 00007ffa`82be0000 00007ffa`82e47000   ntdll.dll
ModLoad: 00007ffa`81bc0000 00007ffa`81c89000   C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffa`80350000 00007ffa`80740000   C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffa`7c7b0000 00007ffa`7c84e000   C:\WINDOWS\SYSTEM32\apphelp.dll
ModLoad: 00007ffa`815b0000 00007ffa`81775000   C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ffa`7fe50000 00007ffa`7fe77000   C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffa`81e10000 00007ffa`81e3b000   C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffa`80210000 00007ffa`80348000   C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffa`7fda0000 00007ffa`7fe43000   C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffa`80000000 00007ffa`8014b000   C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ffa`80970000 00007ffa`80a68000   C:\WINDOWS\System32\COMDLG32.dll
ModLoad: 00007ffa`81f90000 00007ffa`82315000   C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffa`82890000 00007ffa`829a8000   C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffa`813a0000 00007ffa`81495000   C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ffa`81b50000 00007ffa`81bba000   C:\WINDOWS\System32\SHLWAPI.dll
ModLoad: 00007ffa`814a0000 00007ffa`81549000   C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffa`80ab0000 00007ffa`811fd000   C:\WINDOWS\System32\SHELL32.dll
ModLoad: 00007ffa`4d4f0000 00007ffa`4d5a4000   C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.26100.4484_none_87ef4f277a2c8b1a\COMCTL32.dll
ModLoad: 00007ffa`80750000 00007ffa`808c3000   C:\WINDOWS\System32\wintypes.dll
ModLoad: 00007ffa`81e40000 00007ffa`81ef4000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 0000029b`311d0000 0000029b`31284000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffa`81200000 00007ffa`812a6000   C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffa`43fb0000 00007ffa`43fbf000   C:\WINDOWS\SYSTEM32\VCRUNTIME140_1D.dll
ModLoad: 00007ff9`d38a0000 00007ff9`d38d0000   C:\WINDOWS\SYSTEM32\VCRUNTIME140D.dll
ModLoad: 00007ff9`4d160000 00007ff9`4d241000   C:\WINDOWS\SYSTEM32\MSVCP140D.dll
ModLoad: 00007ff9`4ca40000 00007ff9`4cc44000   C:\WINDOWS\SYSTEM32\ucrtbased.dll
ModLoad: 0000029b`311d0000 0000029b`313d4000   C:\WINDOWS\SYSTEM32\ucrtbased.dll
ModLoad: 0000029b`315f0000 0000029b`317f4000   C:\WINDOWS\SYSTEM32\ucrtbased.dll
ModLoad: 0000029b`313e0000 0000029b`315e4000   C:\WINDOWS\SYSTEM32\ucrtbased.dll
(1a44.55c0): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x35:
00007ffa`82d04199 cc              int     3
0:000> g
ModLoad: 00007ffa`80a70000 00007ffa`80a9f000   C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffa`7c9b0000 00007ffa`7ca5f000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 00007ffa`81c90000 00007ffa`81df1000   C:\WINDOWS\System32\MSCTF.dll
ModLoad: 00007ffa`819a0000 00007ffa`81b40000   C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ffa`7ea90000 00007ffa`7eaab000   C:\WINDOWS\SYSTEM32\kernel.appcore.dll
ModLoad: 00007ffa`808d0000 00007ffa`80969000   C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffa`81870000 00007ffa`81918000   C:\WINDOWS\System32\clbcatq.dll
ModLoad: 00007ffa`7d8d0000 00007ffa`7e12f000   C:\WINDOWS\SYSTEM32\Windows.Storage.dll
ModLoad: 00007ffa`34370000 00007ffa`34520000   C:\WINDOWS\SYSTEM32\DUI70.dll
ModLoad: 00007ffa`5eb30000 00007ffa`5edca000   C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.26100.4768_none_3e0c112ce331287c\Comctl32.dll
ModLoad: 00007ffa`0a310000 00007ffa`0a3bc000   C:\WINDOWS\SYSTEM32\DUser.dll
ModLoad: 00007ffa`7cce0000 00007ffa`7cd15000   C:\WINDOWS\SYSTEM32\dwmapi.dll
ModLoad: 00007ffa`81780000 00007ffa`81860000   C:\WINDOWS\System32\OLEAUT32.dll
ModLoad: 00007ffa`6c030000 00007ffa`6c181000   C:\WINDOWS\SYSTEM32\textinputframework.dll
ModLoad: 00007ffa`489c0000 00007ffa`48a3d000   C:\WINDOWS\system32\Oleacc.dll
ModLoad: 00007ffa`5fc20000 00007ffa`5fcc5000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 00007ffa`6a810000 00007ffa`6a81d000   C:\WINDOWS\SYSTEM32\atlthunk.dll
ModLoad: 00007ffa`457a0000 00007ffa`45853000   C:\WINDOWS\SYSTEM32\TextShaping.dll
ModLoad: 00007ffa`39f90000 00007ffa`3a3c1000   C:\WINDOWS\SYSTEM32\UIAutomationCore.DLL
ModLoad: 00007ffa`41e50000 00007ffa`41e79000   C:\WINDOWS\SYSTEM32\edputil.dll
ModLoad: 00007ffa`2a6d0000 00007ffa`2a992000   C:\WINDOWS\system32\explorerframe.dll
ModLoad: 00007ffa`7af20000 00007ffa`7b15e000   C:\WINDOWS\SYSTEM32\WindowsCodecs.dll
ModLoad: 00007ffa`7fc30000 00007ffa`7fc59000   C:\WINDOWS\SYSTEM32\profapi.dll
ModLoad: 00007ffa`29880000 00007ffa`298ef000   C:\Windows\System32\thumbcache.dll
ModLoad: 00007ffa`7a770000 00007ffa`7a824000   C:\WINDOWS\SYSTEM32\policymanager.dll
ModLoad: 00007ffa`7a6d0000 00007ffa`7a761000   C:\WINDOWS\SYSTEM32\msvcp110_win.dll
ModLoad: 00007ffa`35130000 00007ffa`3518a000   C:\WINDOWS\system32\dataexchange.dll
ModLoad: 00007ffa`6d280000 00007ffa`6d4b8000   C:\WINDOWS\system32\twinapi.appcore.dll
ModLoad: 00007ffa`26190000 00007ffa`264c0000   C:\WINDOWS\SYSTEM32\MsftEdit.dll
ModLoad: 00007ffa`368f0000 00007ffa`36a88000   C:\Windows\System32\Windows.Globalization.dll
ModLoad: 00007ffa`26050000 00007ffa`26088000   C:\WINDOWS\SYSTEM32\globinputhost.dll
ModLoad: 00007ffa`6ac90000 00007ffa`6acee000   C:\WINDOWS\SYSTEM32\Bcp47Langs.dll
ModLoad: 00007ffa`77e70000 00007ffa`77f7d000   C:\WINDOWS\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffa`7f890000 00007ffa`7f8e7000   C:\WINDOWS\SYSTEM32\CFGMGR32.dll
ModLoad: 00007ffa`42270000 00007ffa`423f1000   C:\WINDOWS\SYSTEM32\windows.system.launcher.dll
ModLoad: 00007ffa`39b20000 00007ffa`39b3b000   C:\WINDOWS\system32\NetworkExplorer.dll
ModLoad: 00007ffa`41d90000 00007ffa`41e4d000   C:\Windows\System32\OneCoreCommonProxyStub.dll
ModLoad: 00007ffa`6dac0000 00007ffa`6db0d000   C:\WINDOWS\system32\xmllite.dll
ModLoad: 00007ffa`3ae50000 00007ffa`3ae9f000   C:\Windows\System32\vaultcli.dll
ModLoad: 00007ffa`7fa80000 00007ffa`7fb21000   C:\WINDOWS\SYSTEM32\sxs.dll
mincore\com\oleaut32\dispatch\ups.cpp(2126)\OLEAUT32.dll!00007FFA8179ECCD: (caller: 00007FFA8179F352) ReturnHr(1) tid(55c0) 8002801D Library not registered.
ModLoad: 00007ffa`4f4e0000 00007ffa`4f5a6000   C:\WINDOWS\System32\StructuredQuery.dll
ModLoad: 00007ffa`4f100000 00007ffa`4f39e000   C:\WINDOWS\System32\icu.dll
ModLoad: 00007ffa`6c970000 00007ffa`6cfb4000   C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
ModLoad: 00007ffa`28af0000 00007ffa`28bb2000   C:\Windows\System32\Windows.FileExplorer.Common.dll
ModLoad: 00007ffa`42270000 00007ffa`423f1000   C:\Windows\System32\Windows.System.Launcher.dll
ModLoad: 00007ffa`62b30000 00007ffa`62b4a000   C:\WINDOWS\SYSTEM32\windows.staterepositorycore.dll
ModLoad: 00007ffa`42e00000 00007ffa`42ec4000   C:\Windows\System32\Windows.StateRepositoryPS.dll
ModLoad: 00007ffa`41f00000 00007ffa`4203b000   C:\WINDOWS\system32\Windows.Storage.Search.dll
ModLoad: 00007ffa`38e50000 00007ffa`393ae000   C:\WINDOWS\system32\windowsudk.shellcommon.dll
ModLoad: 00007ffa`48320000 00007ffa`48479000   C:\Windows\System32\Windows.UI.dll
ModLoad: 00007ffa`374c0000 00007ffa`3760d000   C:\Windows\System32\Windows.UI.Immersive.dll
ModLoad: 00007ffa`34bc0000 00007ffa`34c6e000   C:\Windows\System32\twinapi.dll
ModLoad: 00007ffa`7c410000 00007ffa`7c535000   C:\WINDOWS\SYSTEM32\CoreMessaging.dll
ModLoad: 00007ffa`62a90000 00007ffa`62ae0000   C:\WINDOWS\SYSTEM32\windows.staterepositoryclient.dll
ModLoad: 00007ffa`76b40000 00007ffa`76e23000   C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
ModLoad: 00007ffa`7f300000 00007ffa`7f30c000   C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ffa`81f00000 00007ffa`81f7a000   C:\WINDOWS\System32\coml2.dll
ModLoad: 00007ffa`2ee80000 00007ffa`2ee8f000   C:\WINDOWS\SYSTEM32\LINKINFO.dll
ModLoad: 00007ffa`4ac20000 00007ffa`4ae05000   C:\Windows\System32\urlmon.dll
ModLoad: 00007ffa`4a840000 00007ffa`4ab0a000   C:\Windows\System32\iertutil.dll
ModLoad: 00007ffa`7e420000 00007ffa`7e42d000   C:\Windows\System32\netutils.dll
ModLoad: 00007ffa`4abc0000 00007ffa`4abe9000   C:\Windows\System32\srvcli.dll
ModLoad: 00007ffa`7ed40000 00007ffa`7ed89000   C:\Windows\System32\SspiCli.dll
ModLoad: 00007ffa`342c0000 00007ffa`3436b000   C:\WINDOWS\system32\wpdshext.dll
ModLoad: 00007ffa`5fe60000 00007ffa`6003e000   C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.26100.4768_none_6ef704123dc3a24a\gdiplus.dll
ModLoad: 00007ffa`74520000 00007ffa`74555000   C:\WINDOWS\system32\WINMM.dll
ModLoad: 00007ffa`47ee0000 00007ffa`47fff000   C:\Windows\System32\MrmCoreR.dll
ModLoad: 00007ffa`29780000 00007ffa`2982d000   C:\WINDOWS\SYSTEM32\ntshrui.dll
ModLoad: 00007ffa`5ee20000 00007ffa`5ee33000   C:\WINDOWS\SYSTEM32\cscapi.dll
ModLoad: 00007ffa`26b50000 00007ffa`26d3b000   C:\Program Files\Microsoft OneDrive\25.127.0701.0006\FileSyncShell64.dll
ModLoad: 00007ffa`7fe80000 00007ffa`7fff7000   C:\WINDOWS\System32\CRYPT32.dll
ModLoad: 00007ffa`7fc00000 00007ffa`7fc26000   C:\WINDOWS\SYSTEM32\bcrypt.dll
ModLoad: 00007ffa`6f040000 00007ffa`6f04b000   C:\WINDOWS\SYSTEM32\VERSION.dll
ModLoad: 00007ffa`68260000 00007ffa`684e9000   C:\WINDOWS\SYSTEM32\WININET.dll
ModLoad: 00007ffa`7c870000 00007ffa`7c886000   C:\WINDOWS\SYSTEM32\WTSAPI32.dll
ModLoad: 00007ffa`7c860000 00007ffa`7c86d000   C:\WINDOWS\SYSTEM32\Secur32.dll
ModLoad: 00007ffa`7f0c0000 00007ffa`7f0eb000   C:\WINDOWS\SYSTEM32\USERENV.dll
ModLoad: 00007ffa`6a440000 00007ffa`6a4ad000   C:\WINDOWS\SYSTEM32\mscoree.dll
ModLoad: 00007ffa`6a180000 00007ffa`6a21b000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
ModLoad: 00007ffa`697d0000 00007ffa`6a174000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
ModLoad: 00007ffa`697c0000 00007ffa`697cc000   C:\WINDOWS\SYSTEM32\VCRUNTIME140_1_CLR0400.dll
ModLoad: 00007ffa`697a0000 00007ffa`697bb000   C:\WINDOWS\SYSTEM32\VCRUNTIME140_CLR0400.dll
ModLoad: 00007ffa`696b0000 00007ffa`6977d000   C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
(1a44.5e68): Unknown exception - code 04242420 (first chance)
ModLoad: 00007ffa`29d40000 00007ffa`29dc0000   C:\Windows\System32\ActXPrxy.dll
ModLoad: 00007ffa`82350000 00007ffa`82358000   C:\WINDOWS\System32\psapi.dll
ModLoad: 00007ffa`66400000 00007ffa`67a0f000   C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\mscorlib\8967064a93c70884749ad00de74dd7a1\mscorlib.ni.dll
ModLoad: 0000029b`53210000 0000029b`532b2000   OptaneShellExt.dll
ModLoad: 0000029b`532c0000 0000029b`53362000   OptaneShellExt.dll
ModLoad: 00007ffa`7f2e0000 00007ffa`7f2fb000   C:\WINDOWS\SYSTEM32\CRYPTSP.dll
ModLoad: 00007ffa`7e9f0000 00007ffa`7ea2b000   C:\WINDOWS\system32\rsaenh.dll
ModLoad: 0000029b`39430000 0000029b`39498000   SharpShell.dll
ModLoad: 0000029b`53210000 0000029b`53278000   SharpShell.dll
ModLoad: 00007ffa`64d80000 00007ffa`659a2000   C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\System\fc7509f3c5d3bef48dfefcb3947d3b56\System.ni.dll
ModLoad: 00007ffa`2ffc0000 00007ffa`301b3000   C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\System.Drawing\f8bbe472ae72b0b981525825470239b1\System.Drawing.ni.dll
ModLoad: 00007ffa`7f3a0000 00007ffa`7f40b000   C:\WINDOWS\SYSTEM32\wldp.dll
ModLoad: 00007ffa`661e0000 00007ffa`6630f000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll
ModLoad: 0000029b`37c70000 0000029b`37c7c000   PinningServiceApi.dll
ModLoad: 0000029b`37c80000 0000029b`37c8c000   PinningServiceApi.dll
ModLoad: 00007ffa`26b20000 00007ffa`26b48000   C:\WINDOWS\System32\DriverStore\FileRepository\iastorpinningcomponent.inf_amd64_0b50502eadc264dd\iaStorAfsServiceApi.dll
(1a44.5e68): Unknown exception - code 000006ba (first chance)
ModLoad: 00007ffa`64060000 00007ffa`64ae5000   C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\System.Core\cf9616e40d9e7e4d682f88f6d5725156\System.Core.ni.dll
ModLoad: 00007ffa`269c0000 00007ffa`26b1e000   C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\System.Compba577418#\f722002e3094bbbb07b0467ab873dc35\System.ComponentModel.Composition.ni.dll
ModLoad: 00007ffa`26980000 00007ffa`269b8000   C:\Windows\System32\EhStorShell.dll
ModLoad: 00007ffa`823f0000 00007ffa`82876000   C:\WINDOWS\System32\SETUPAPI.dll
(1a44.5e68): Unknown exception - code 000006ba (first chance)
(1a44.2b24): Unknown exception - code 000006ba (first chance)
(1a44.3c10): Unknown exception - code 000006ba (first chance)
(1a44.6594): Unknown exception - code 000006ba (first chance)
ModLoad: 00007ffa`7b4d0000 00007ffa`7bb13000   C:\WINDOWS\SYSTEM32\d2d1.dll
ModLoad: 00007ffa`7b170000 00007ffa`7b3d7000   C:\WINDOWS\SYSTEM32\d3d11.dll
ModLoad: 00007ffa`7cb50000 00007ffa`7cc8e000   C:\WINDOWS\SYSTEM32\dxgi.dll
ModLoad: 00007ffa`7cae0000 00007ffa`7cb4a000   C:\WINDOWS\SYSTEM32\directxdatabasehelper.dll
ModLoad: 00007ffa`7cd20000 00007ffa`7cd6d000   C:\WINDOWS\SYSTEM32\dxcore.dll
ModLoad: 00007ffa`24fd0000 00007ffa`25586000   C:\WINDOWS\SYSTEM32\D3D10Warp.dll
ModLoad: 00007ffa`7cd20000 00007ffa`7cd6d000   C:\WINDOWS\SYSTEM32\dxcore.dll
ModLoad: 00007ffa`7d0b0000 00007ffa`7d0c4000   C:\WINDOWS\SYSTEM32\resourcepolicyclient.dll
ModLoad: 00007ffa`3d290000 00007ffa`3d29b000   C:\WINDOWS\system32\IconCodecService.dll
onecoreuap\internal\shell\inc\SrcPkg\FileExplorerSessionWatcher\inc\FileExplorerSessionWatcher.h(1819)\SHELL32.dll!00007FFA80D5F5D8: (caller: 00007FFA80C6A9F2) ReturnHr(1) tid(55c0) 80004001 Not implemented
shell\SrcPkg\FileExplorer\DefView\src\DefView.cpp(17814)\SHELL32.dll!00007FFA80C6AA11: (caller: 00007FFA2A792F4F) LogHr(1) tid(55c0) 80004001 Not implemented
shell\explorerframe\navbar.cpp(82)\explorerframe.dll!00007FFA2A88AE15: (caller: 00007FFA2A777A3E) LogHr(1) tid(55c0) 80070057 The parameter is incorrect.
format error: unknown image file format
warning: svg: ignoring external image '../Images/0000_pmu1.webp'
(1a44.55c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
mupdf!break_word_for_overflow_wrap+0x243:
00007ff7`6dbf2a23 8b00            mov     eax,dword ptr [rax] ds:00000000`00000000=????????
0:000> k
 # Child-SP          RetAddr               Call Site
00 000000b4`338fe1d0 00007ff7`6dbf3351     mupdf!break_word_for_overflow_wrap+0x243 [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\html\html-layout.c @ 639] 
01 000000b4`338fe2d0 00007ff7`6dbf61e5     mupdf!layout_flow+0x891 [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\html\html-layout.c @ 825] 
02 000000b4`338fe3d0 00007ff7`6dbf617c     mupdf!layout_block+0x3b5 [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\html\html-layout.c @ 2691] 
03 000000b4`338fe4a0 00007ff7`6dbf617c     mupdf!layout_block+0x34c [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\html\html-layout.c @ 2683] 
04 000000b4`338fe570 00007ff7`6dbf617c     mupdf!layout_block+0x34c [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\html\html-layout.c @ 2683] 
05 000000b4`338fe640 00007ff7`6dbf617c     mupdf!layout_block+0x34c [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\html\html-layout.c @ 2683] 
06 000000b4`338fe710 00007ff7`6dbf0d95     mupdf!layout_block+0x34c [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\html\html-layout.c @ 2683] 
07 000000b4`338fe7e0 00007ff7`6dbf062a     mupdf!fz_restartable_layout_html+0x4a5 [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\html\html-layout.c @ 3035] 
08 000000b4`338fe8c0 00007ff7`6da98b80     mupdf!fz_layout_html+0x28a [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\html\html-layout.c @ 3080] 
09 000000b4`338fe910 00007ff7`6da98d9a     mupdf!epub_get_laid_out_html+0x90 [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\html\epub-doc.c @ 502] 
0a 000000b4`338fe960 00007ff7`6da99387     mupdf!count_chapter_pages+0xda [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\html\epub-doc.c @ 209] 
0b 000000b4`338fe9a0 00007ff7`6d93f36e     mupdf!epub_count_pages+0x77 [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\html\epub-doc.c @ 309] 
0c 000000b4`338fe9f0 00007ff7`6d93eb2c     mupdf!fz_count_chapter_pages+0x4e [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\fitz\document.c @ 769] 
0d 000000b4`338fea20 00007ff7`6d8c3d1c     mupdf!fz_count_pages+0x5c [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\source\fitz\document.c @ 779] 
0e 000000b4`338fea60 00007ff7`6d8c384b     mupdf!pdfapp_open_progressive+0x4bc [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\platform\x11\pdfapp.c @ 575] 
0f 000000b4`338ffb10 00007ff7`6d8cd5b9     mupdf!pdfapp_open+0x2b [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\platform\x11\pdfapp.c @ 362] 
10 000000b4`338ffb40 00007ff7`6e79c1c2     mupdf!WinMain+0x489 [C:\Users\ishay\OneDrive\Desktop\mupdf\mupdf\platform\x11\win_main.c @ 1375] 
11 000000b4`338ffd70 00007ff7`6e79c072     mupdf!invoke_main+0x32 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 107] 
12 000000b4`338ffdb0 00007ff7`6e79bf2e     mupdf!__scrt_common_main_seh+0x132 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 
13 000000b4`338ffe20 00007ff7`6e79c25e     mupdf!__scrt_common_main+0xe [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 331] 
14 000000b4`338ffe50 00007ffa`81bee8d7     mupdf!WinMainCRTStartup+0xe [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_winmain.cpp @ 17] 
15 000000b4`338ffe80 00007ffa`82c1c34c     KERNEL32!BaseThreadInitThunk+0x17
16 000000b4`338ffeb0 00000000`00000000     ntdll!RtlUserThreadStart+0x2c
0:000> g
(1a44.55c0): Access violation - code c0000005 (!!! second chance !!!)
mupdf!break_word_for_overflow_wrap+0x243:
00007ff7`6dbf2a23 8b00            mov     eax,dword ptr [rax] ds:00000000`00000000=????????
0:000> .load C:\Users\ishay\Downloads\MSECWinDbgExtensions\MSECWinDbgExtensions\x64\MSEC.dll
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at mupdf!break_word_for_overflow_wrap+0x0000000000000243 (Hash=0xe5739fe3.0xfe35b07d)

This is a user mode read access violation near null, and is probably not exploitable.
0:000> g
(1a44.55c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
mupdf!break_word_for_overflow_wrap+0x243:
00007ff7`6dbf2a23 8b00            mov     eax,dword ptr [rax] ds:00000000`00000000=????????
0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at mupdf!break_word_for_overflow_wrap+0x0000000000000243 (Hash=0xe5739fe3.0xfe35b07d)

This is a user mode read access violation near null, and is probably not exploitable.
0:000> r
rax=0000000000000000 rbx=0000000000000000 rcx=0000029b57d918d8
rdx=00007ff76e9004b0 rsi=0000000000000000 rdi=000000b4338fe2c0
rip=00007ff76dbf2a23 rsp=000000b4338fe1d0 rbp=0000000000000000
 r8=0000029b57d918d8  r9=0000000000000000 r10=00007ff9d38a0000
r11=00007ff9d38c2774 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010200
mupdf!break_word_for_overflow_wrap+0x243:
00007ff7`6dbf2a23 8b00            mov     eax,dword ptr [rax] ds:00000000`00000000=????????
0:000> .exr -1
ExceptionAddress: 00007ff76dbf2a23 (mupdf!break_word_for_overflow_wrap+0x0000000000000243)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000
0:000> g
(1a44.55c0): Access violation - code c0000005 (!!! second chance !!!)
mupdf!break_word_for_overflow_wrap+0x243:
00007ff7`6dbf2a23 8b00            mov     eax,dword ptr [rax] ds:00000000`00000000=????????
0:000> .exr -1
ExceptionAddress: 00007ff76dbf2a23 (mupdf!break_word_for_overflow_wrap+0x0000000000000243)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000


FAULTING SOURCE CODE :-

static void break_word_for_overflow_wrap(fz_context *ctx, fz_html_flow *node, layout_data *ld)
{
	hb_buffer_t *hb_buf = ld->hb_buf;
	const char *text = node->content.text;
	string_walker walker;

	assert(node->type == FLOW_WORD);
	assert(node->atomic == 0);

	/* Split a word node after the first cluster (usually a character), and
	 * flag the second half as a valid node to break before if in desperate
	 * need. This may break earlier than necessary, but in that case we'll
	 * break the second half again when we come to it, until we find a
	 * suitable breaking point.
	 *
	 * We split after each clusters here so we can flag each fragment as
	 * "atomic" so we don't try breaking it again, and also to flag the
	 * following word fragment as a possible break point. Breaking at the
	 * exact desired point would make this more complicated than necessary.
	 *
	 * Desperately breaking in the middle of a word like this should should
	 * rarely (if ever) come up.
	 *
	 * TODO: Split at all the clusters in the word at once.
	 */

	/* Walk string and split at the first cluster. */
	init_string_walker(ctx, &walker, hb_buf, node->bidi_level & 1, node->box->style->font, node->script, node->markup_lang, node->box->style->small_caps, text);
	while (walk_string(&walker))
	{
		unsigned int i, a, b;
		a = walker.glyph_info[0].cluster;
		for (i = 0; i < walker.glyph_count; ++i)
		{
			b = walker.glyph_info[i].cluster;
			if (b != a)
			{
				fz_html_split_flow(ctx, ld->pool, node, fz_runeidx(text, text + b));
				node->atomic = 1
        OCCURS HERE  ------>	node->next->overflow_wrap = 1;
				measure_string_w(ctx, node, ld->hb_buf);
				measure_string_w(ctx, node->next, ld->hb_buf);
				return;
			}
		}
	}

	/* Word is already only one cluster. Don't try breaking here again! */
	node->atomic = 1;
}



Assembly Source from Windbg :- ( for reference )

00007ff7`6dbf2984 0f83fa000000           jae     mupdf!break_word_for_overflow_wrap+0x2a4 (7ff76dbf2a84)
00007ff7`6dbf298a 8b8424e4000000         mov     eax, dword ptr [rsp+0E4h]
00007ff7`6dbf2991 486bc014               imul    rax, rax, 14h
00007ff7`6dbf2995 488b8c24d0000000       mov     rcx, qword ptr [walker.glyph_info (rsp+D0h)]
00007ff7`6dbf299d 8b440108               mov     eax, dword ptr [rcx+rax+8]
00007ff7`6dbf29a1 898424ec000000         mov     dword ptr [rsp+0ECh], eax
00007ff7`6dbf29a8 8b8424e8000000         mov     eax, dword ptr [rsp+0E8h]
00007ff7`6dbf29af 398424ec000000         cmp     dword ptr [rsp+0ECh], eax
00007ff7`6dbf29b6 0f84c3000000           je      mupdf!break_word_for_overflow_wrap+0x29f (7ff76dbf2a7f)
00007ff7`6dbf29bc 8b8424ec000000         mov     eax, dword ptr [rsp+0ECh]
00007ff7`6dbf29c3 488b4c2458             mov     rcx, qword ptr [text (rsp+58h)]
00007ff7`6dbf29c8 4803c8                 add     rcx, rax
00007ff7`6dbf29cb 488bc1                 mov     rax, rcx
00007ff7`6dbf29ce 488bd0                 mov     rdx, rax
00007ff7`6dbf29d1 488b4c2458             mov     rcx, qword ptr [text (rsp+58h)]
00007ff7`6dbf29d6 e8caa0c9ff             call    mupdf!@ILT+84640(fz_runeidx) (7ff76d88caa5)
00007ff7`6dbf29db 4898                   cdqe    
00007ff7`6dbf29dd 4c8bc8                 mov     r9, rax
00007ff7`6dbf29e0 4c8b842408010000       mov     r8, qword ptr [node (rsp+108h)]
00007ff7`6dbf29e8 488b842410010000       mov     rax, qword ptr [ld (rsp+110h)]
00007ff7`6dbf29f0 488b10                 mov     rdx, qword ptr [rax]
00007ff7`6dbf29f3 488b8c2400010000       mov     rcx, qword ptr [ctx (rsp+100h)]
00007ff7`6dbf29fb e8236ec9ff             call    mupdf!@ILT+71710(fz_html_split_flow) (7ff76d889823)
00007ff7`6dbf2a00 488b842408010000       mov     rax, qword ptr [node (rsp+108h)]
00007ff7`6dbf2a08 8b00                   mov     eax, dword ptr [rax]
00007ff7`6dbf2a0a 83c820                 or      eax, 20h
00007ff7`6dbf2a0d 488b8c2408010000       mov     rcx, qword ptr [node (rsp+108h)]
00007ff7`6dbf2a15 8901                   mov     dword ptr [rcx], eax
00007ff7`6dbf2a17 488b842408010000       mov     rax, qword ptr [node (rsp+108h)]
00007ff7`6dbf2a1f 488b4020               mov     rax, qword ptr [rax+20h]
00007ff7`6dbf2a23 8b00                   mov     eax, dword ptr [rax] <--- HERE
00007ff7`6dbf2a25 83c840                 or      eax, 40h
Comment 1 Ishayu 2025-08-11 18:21:28 UTC 
Any update on this even like confirmation of presence of bug on your side and any more information which you might need from side ?
Comment 2 Robin Watts 2025-09-10 12:09:14 UTC 
Fixed in:

commit bdd5d241748807378a78a622388e0312332513c5
Author: Robin Watts <Robin.Watts@artifex.com>
Date:   Fri Sep 5 16:26:44 2025 +0100

    Bug 708720: Fix NULL dereference in HTML layout.

    If we have a single flow node that is too large to fit in the
    available width, and we are using the "overflow-wrap:break-word"
    CSS style, then we attempt to break the flow node into smaller
    pieces so that it can wrap nicely.

    We do this by walking the flow node text to break it into clusters;
    we want to break at cluster level rather than character level to
    avoid problems with shaping.

    For right to left text, the clusters come in the opposite order to
    expected and the existing logic goes wrong.

    This can lead to the splitting code not actually splitting anything
    which in turn can lead to node->next being NULL, and us attempting
    to dereference NULL.

    The fix is to split differently for right 2 left text.

    While investigating this, an additional problem was spotted, namely
    that the way we were calling harfbuzz meant that it didn't group
    clusters together as we expected. Accordingly, we extend the code
    here so that our 'string_walker' can call harfbuzz in 'grapheme'
    cluster mode rather than 'character' cluster node.

    Using that, we then update the code to walk the returned fragments
    of the string, breaking the code at the correct position for the
    required space, with care taken to cope correctly with both l2r and
    r2l text.

Thanks for the report.
Comment 3 Ishayu 2025-09-11 07:50:53 UTC 
I would like to inquire if this issue is eligible for a bug bounty under your program.

https://artifex.com/developers-bug-bounty-program#2f4730dcc0c9

Additionally, could you help me assign a CVE for this vulnerability so it can be referenced in security advisories

https://mupdf.com/releases/cve

Thank You