Security researchers spotted a pair of memory corruption vulnerabilities in the Artifex MuPDF renderer, which have since been patched, according to a Talos blog post.
Both could lead to arbitrary code execution, the company reported.
Aleksandar Nikolic discovered TALOS-2016-0242 – MuPDF Fitz library font glyph scaling Code Execution Vulnerability, which Talos said is a heap out-of-bounds write vulnerability that shows up in the glyph scaling code.
Nikolic and Cory Duplantis spotted TALOS-2016-0243 – MuPDF Parser Code Execution Vulnerability, which the company said is a heap-based buffer overflow flaw in the parsing of JBIG2 images embedded in PDFs.
Attackers could exploit the vulnerabilities by crafting a PDF and delivering it as an email attachment or download for a victim to open, Talos said.