Talos Vulnerability Report


NitroPDF CharProcs Remote Code Execution Vulnerability

October 9, 2019
CVE Number



An exploitable Use After Free vulnerability exists in the CharProcs parsing functionality of NitroPDF. A specially crafted PDF can cause a type confusion, resulting in a Use After Free. An attacker can craft a malicious PDF to trigger this vulnerability.

Tested Versions


Product URLs


CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H


CWE-416: Use After Free


NitroPDF is a popular PDF tool used to create and edit PDF files. NitroPDF has a wide array of features for automated PDF creation as well as reviewing differences between various PDFs.

The module tested for this advisory is below:

00007ffb`eb750000 00007ffb`ec559000   npdf       (export symbols)       npdf.dll
    Loaded symbol image file: npdf.dll
    Image path: C:\Program Files\Nitro\Pro\12\npdf.dll
    Image name: npdf.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Mar 26 15:48:15 2019 (5C9A900F)
    CheckSum:         00D05033
    ImageSize:        00E09000
    File version:
    Product version:

PDF font objects have a variety of attributes, one of which is CharProcs. This attribute points to a dictionary of content streams that tell the renderer how to paint the glyph for a given character. In particular, each such content stream must have a d0 or d1 operator as its first operator, followed by a series of other graphics operators. An example of how these CharProcs are used is below:

11 0 obj
<< /Length 39 >>
stream
1000 0 0 0 750 750 d1
0 0 750 750 re
f
endstream
endobj

12 0 obj
<<
/Type /Font
/Subtype /Type3
/FontBBox [0 0 750 750]
/FontMatrix [0.001 0 0 0.061 0 0]
/CharProcs 16 0 R
/Encoding 17 0 R
/FirstChar 97
/LastChar 98
/Widths [0 0]
>>
endobj

16 0 obj
<< /square 11 0 R >>
endobj

Above we see the font's CharProcs entry pointing to object 16 0. That object maps the glyph name /square to object 11 0, which holds the content stream that paints the square glyph.

A variety of other objects are valid in a PDF, each with its own set of valid content streams. One example is the text object, whose content stream carries instructions on how to position and show text in the document. An example of a text object is shown below:

22 0 obj
<< /Length 39 >>
stream
/F1 12 Tf
50 685 Td
(a) Tj
endstream
endobj

The parser expects a CharProcs content stream to contain valid instructions for painting the glyph. If an attacker replaces a CharProcs content stream with the content stream of a text object, a buffer is allocated for a TypeFont:

local_RAX_38 = operator_new(0x2e0);
if (local_RAX_38 == 0x0) {
    type_font = 0x0;
}
else {
    type_font = zero_obj(local_RAX_38);
}
local_18 = type_font;
init_obj(type_font, &pdf_page_viewer->field_0xc0);

When another TypeFont is created for the enclosing PageViewer object, this buffer is freed:

pTVar4 = operator_new(0x2e0);
if (pTVar4 == 0x0) {
    pTVar4 = 0x0;
}
else {
    pTVar4 = zero_obj(pTVar4);
}
local_40 = pTVar4;
init_obj(pTVar4, page_viewer->field_0xc0);

A handle to the original, now freed, buffer still exists in the enclosing PageViewer object. This buffer is later passed as a parameter to a function called by the parent function, which reads from it data that should have come from the original TypeFont. Reusing the freed buffer in this way is a use after free and can potentially result in code execution.
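The structural invariant stated above (every CharProcs stream begins with d0 or d1) is something a defender can check for before a document reaches a vulnerable renderer. The script below is an added example, not code from Talos or from NitroPDF: it walks the uncompressed objects of a PDF, finds Type3 fonts, resolves their CharProcs dictionary, and flags any glyph procedure whose first operator is not d0 or d1, which is exactly the substitution the advisory describes. The sample document, the glyph name /circle and the reuse of object 22 as a glyph procedure are constructed for this example; the script assumes raw (unfiltered) streams and reports, rather than inspects, any stream that carries a /Filter.

```python
import re
from typing import Dict, List, Optional, Tuple

ObjRef = Tuple[int, int]

# Constructed sample, modelled on the objects quoted in the advisory (not a file from
# the advisory itself). Object 11 is a well-formed Type3 glyph procedure; object 22 is
# a text-showing stream of the kind the advisory describes being substituted for a
# CharProc, wired in here as the hypothetical glyph /circle.
SAMPLE_PDF = b"""%PDF-1.4
11 0 obj
<< /Length 39 >>
stream
1000 0 0 0 750 750 d1
0 0 750 750 re
f
endstream
endobj
12 0 obj
<< /Type /Font /Subtype /Type3 /FontBBox [0 0 750 750]
/FontMatrix [0.001 0 0 0.001 0 0] /CharProcs 16 0 R
/Encoding 17 0 R /FirstChar 97 /LastChar 98 /Widths [0 0] >>
endobj
16 0 obj
<< /square 11 0 R /circle 22 0 R >>
endobj
22 0 obj
<< /Length 27 >>
stream
/F1 12 Tf
50 685 Td
(a) Tj
endstream
endobj
"""

NUMBER_RE = re.compile(rb"^[+-]?(\d+\.?\d*|\.\d+)$")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
REF_ENTRY_RE = re.compile(rb"/([^\s/<>\[\]()]+)\s+(\d+)\s+(\d+)\s+R\b")
TYPE3_RE = re.compile(rb"/Subtype\s*/Type3\b")


def load_objects(data: bytes) -> Dict[ObjRef, bytes]:
    """Map (num, gen) -> body for every uncompressed 'N G obj ... endobj' in the file."""
    return {(int(m.group(1)), int(m.group(2))): m.group(3) for m in OBJ_RE.finditer(data)}


def stream_body(obj: bytes) -> Optional[bytes]:
    """Return the raw bytes between 'stream' and 'endstream', or None if not a stream."""
    m = STREAM_RE.search(obj)
    return m.group(1) if m else None


def first_operator(content: bytes) -> Optional[bytes]:
    """First token that is not a numeric operand; d0/d1 take only numbers, so a
    well-formed glyph procedure yields b'd0' or b'd1' here."""
    for tok in content.split():
        if not NUMBER_RE.match(tok):
            return tok
    return None


def charprocs_entries(font: bytes, objects: Dict[ObjRef, bytes]) -> Dict[bytes, ObjRef]:
    """Resolve a Type3 font's /CharProcs (indirect reference or inline dict) to
    a mapping of glyph name -> object reference of its procedure."""
    m = re.search(rb"/CharProcs\s+(\d+)\s+(\d+)\s+R\b", font)
    if m:
        dict_bytes = objects.get((int(m.group(1)), int(m.group(2))), b"")
    else:
        m = re.search(rb"/CharProcs\s*<<(.*?)>>", font, re.S)
        dict_bytes = m.group(1) if m else b""
    return {e.group(1): (int(e.group(2)), int(e.group(3))) for e in REF_ENTRY_RE.finditer(dict_bytes)}


def check_type3_charprocs(data: bytes) -> List[Tuple[ObjRef, bytes, str]]:
    """Return (font ref, glyph name, problem) for every glyph procedure that does not
    start with d0/d1, is missing, is not a stream, or is encoded and so not checked."""
    objects = load_objects(data)
    findings: List[Tuple[ObjRef, bytes, str]] = []
    for ref, body in objects.items():
        if not TYPE3_RE.search(body):
            continue
        for glyph, proc_ref in charprocs_entries(body, objects).items():
            proc = objects.get(proc_ref)
            if proc is None:
                findings.append((ref, glyph, "CharProcs entry references a missing object"))
                continue
            if re.search(rb"/Filter\b", proc):
                findings.append((ref, glyph, "encoded glyph stream not inspected (raw streams only)"))
                continue
            content = stream_body(proc)
            if content is None:
                findings.append((ref, glyph, "CharProcs entry is not a stream"))
                continue
            op = first_operator(content)
            if op not in (b"d0", b"d1"):
                shown = op.decode("latin-1") if op is not None else "<none>"
                findings.append((ref, glyph, f"first operator is '{shown}', expected d0 or d1"))
    return findings


if __name__ == "__main__":
    for font, glyph, problem in check_type3_charprocs(SAMPLE_PDF):
        print(f"font {font[0]} {font[1]} glyph /{glyph.decode('latin-1')}: {problem}")
```

On the constructed sample the /square procedure passes and the /circle entry is reported, because its stream opens with a font-selection operand (/F1) rather than a glyph-metrics operator. Against real documents the script only sees objects stored in the clear; fonts inside object streams or glyph procedures behind a /Filter need to be decoded first, which is why those are reported as unchecked rather than silently accepted.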

Crash Information

(455c.aa8): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00007ffb`eb934f2f 0f104208        movups  xmm0,xmmword ptr [rdx+8] ds:000001a5`748c0d28=????????????????

!analyze -v


2019-05-07 - Vendor disclosure
2019-07-02 - 60 day follow up
2019-07-29 - 2nd follow up (90 days approaching notice)
2019-08-06 - 3rd follow up
2019-08-07 - Vendor acknowledged & advised prior emails went to spam folder; Talos issued copy of report
2019-09-03 - Talos granted disclosure extension to 2019-09-10
2019-09-05 - Vendor advised issues will be addressed in a future release (timeline unknown)
2019-10-09 - Public Disclosure


Discovered by Cory Duplantis and Aleksander Nikolic of Cisco Talos.