Talos Vulnerability Report

TALOS-2025-2203

PDF-XChange Editor EMF File EMR_EXTCREATEFONTINDIRECTW Facename Out-Of-Bounds Read Vulnerability

August 5, 2025
CVE Number

CVE-2025-47152

SUMMARY

An out-of-bounds read vulnerability exists in the EMF functionality of PDF-XChange Co. Ltd PDF-XChange Editor 10.6.0.396. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

PDF-XChange Co. Ltd PDF-XChange Editor 10.6.0.396

PRODUCT URLS

PDF-XChange Editor - https://www.pdf-xchange.com/product/pdf-xchange-editor

CVSSv3 SCORE

6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-125 - Out-of-bounds Read

DETAILS

PDF-XChange Editor is a powerful and feature-rich PDF viewer and editor. It offers a wide range of tools to view, create, edit, annotate, sign, and convert PDF files. It’s a popular alternative to heavier PDF applications like Adobe Acrobat.

PDF-XChange Editor supports the conversion of EMF files into PDFs. This vulnerability is related to the processing of EMF files during conversion.

An EMF (Enhanced Metafile Format) file stores images in a device-independent form. It begins with a header (EMR_HEADER) that contains information about the structure and contents of the metafile. The structure of the EMR_HEADER is as follows:

Offset   Size   Name
------   ----   --------------------------------------
0x00     0x04   recordType  (0x00000001)
0x04     0x04   recordSize
0x08     0x10   bounds
0x18     0x10   frame
0x28     0x04   recordSignature (0x464D4520)
0x2C     0x04   version
0x30     0x04   sizeInBytes
0x34     0x04   numOfRecords
0x38     0x02   Handles
0x3A     0x02   Reserved

Please note that the structure of EMR_HEADER shown is not complete; it only includes the relevant fields.

For the EMR_HEADER record, the recordType must be 0x00000001. The recordSize indicates the total size of the header record in bytes. The recordSignature field defines the record signature, which must have the value 0x464D4520 (FME ). The sizeInBytes field specifies the size of the metafile in bytes. The numOfRecords indicates the total number of records present in the metafile, including the EMR_HEADER.

This vulnerability is associated with the record type EMR_EXTCREATEFONTINDIRECTW.

The EMR_EXTCREATEFONTINDIRECTW defines a logical font. The structure of the EMR_EXTCREATEFONTINDIRECTW is as follows:

Offset   Size   Name
------   ----   --------------------------------------
0x00     0x04   recordType  (0x00000052)
0x04     0x04   recordSize
0x08     0x04   ihFonts
0x0C     0x04   Height
0x10     0x04   Width
0x14     0x04   Escapement
0x18     0x04   Orientation
0x1C     0x04   Weight
0x20     0x01   Italic
0x21     0x01   Underline
0x22     0x01   StrikeOut
0x23     0x01   CharSet
0x24     0x01   OutPrecision
0x25     0x01   ClipPrecision
0x26     0x01   Quality
0x27     0x01   PitchAndFamily
0x28     0x40   Facename
0x68     0x80   Fullname

Please note that the structure of EMR_EXTCREATEFONTINDIRECTW shown is not complete; it only includes the relevant fields.

For the EMR_EXTCREATEFONTINDIRECTW record, the recordType value must be 0x00000052. Here, the Facename field is important. It specifies the typeface name of the font. Its maximum length is 32 Unicode characters. If the length is less than 32 characters, the field must include a terminating NULL character.

This vulnerability occurs because the application does not properly validate the length of the Facename field and relies solely on the presence of a NULL-terminating character to calculate its length. If the Facename field does not contain a NULL-terminated string, an out-of-bounds read occurs. This behavior can be observed during debugging with pageheap enabled.

0:009> p
Time Travel Position: 5EC4A:7A0
PDFXEditCore_x64!PXV_GetInstance+0x1b65953:
00007ffb`110193b3 4c8d040e        lea     r8,[rsi+rcx]
0:009> p
Time Travel Position: 5EC4A:7A1
PDFXEditCore_x64!PXV_GetInstance+0x1b65957:
00007ffb`110193b7 4c89442478      mov     qword ptr [rsp+78h],r8 ss:00000022`c06fcd78=000001ad430b6e84
0:009> p
Time Travel Position: 5EC4A:7A2
PDFXEditCore_x64!PXV_GetInstance+0x1b6595c:
00007ffb`110193bc 448b26          mov     r12d,dword ptr [rsi] ds:000001ad`430b6e84=00000052
0:009> dd rsi                               <------------------------------------- (1)
000001ad`430b6e84  00000052 00000170 00000002 ffffffe4
000001ad`430b6e94  00000000 00000000 00000000 00000190
000001ad`430b6ea4  02000000 00020008 00320037 0077006e
000001ad`430b6eb4  006f0073 00790077 00620067 00730079
000001ad`430b6ec4  00670073 ff740069 ffffffff fe00ffff
000001ad`430b6ed4  c5fefebb fec5fefe fefed1fe dcfefed1
000001ad`430b6ee4  fedcfefe d1d3bfd1 8284d3bf 89828489
000001ad`430b6ef4  666c6866 68666c68 6c68666c 666c6866
0:009> p
Time Travel Position: 5EC4A:7A3
PDFXEditCore_x64!PXV_GetInstance+0x1b6595f:
00007ffb`110193bf 418bc4          mov     eax,r12d
0:009> p
Time Travel Position: 5EC4A:7A4
PDFXEditCore_x64!PXV_GetInstance+0x1b65962:
00007ffb`110193c2 4533ff          xor     r15d,r15d
0:009> p
Time Travel Position: 5EC4A:7A5
PDFXEditCore_x64!PXV_GetInstance+0x1b65965:
00007ffb`110193c5 4181fc01700000  cmp     r12d,7001h
0:009> p
Time Travel Position: 5EC4A:7A6
PDFXEditCore_x64!PXV_GetInstance+0x1b6596c:
00007ffb`110193cc 0f878d350000    ja      PDFXEditCore_x64!PXV_GetInstance+0x1b68eff (00007ffb`1101c95f) [br=0]
0:009> p
Time Travel Position: 5EC4A:7A7
PDFXEditCore_x64!PXV_GetInstance+0x1b65972:
00007ffb`110193d2 0f8464350000    je      PDFXEditCore_x64!PXV_GetInstance+0x1b68edc (00007ffb`1101c93c) [br=0]
0:009> p
Time Travel Position: 5EC4A:7A8
PDFXEditCore_x64!PXV_GetInstance+0x1b65978:
00007ffb`110193d8 ffc8            dec     eax
0:009> p
Time Travel Position: 5EC4A:7A9
PDFXEditCore_x64!PXV_GetInstance+0x1b6597a:
00007ffb`110193da 83f875          cmp     eax,75h
0:009> p
Time Travel Position: 5EC4A:7AA
PDFXEditCore_x64!PXV_GetInstance+0x1b6597d:
00007ffb`110193dd 0f877c350000    ja      PDFXEditCore_x64!PXV_GetInstance+0x1b68eff (00007ffb`1101c95f) [br=0]
0:009> p
Time Travel Position: 5EC4A:7AB
PDFXEditCore_x64!PXV_GetInstance+0x1b65983:
00007ffb`110193e3 4c8d0d166c6cfd  lea     r9,[PDFXEditCore_x64 (00007ffb`0e6e0000)]
0:009> p
Time Travel Position: 5EC4A:7AC
PDFXEditCore_x64!PXV_GetInstance+0x1b6598a:
00007ffb`110193ea 410fb68401ac6fb703 movzx eax,byte ptr [r9+rax+3B76FACh] ds:00007ffb`12256ffd=3b
0:009> p
Time Travel Position: 5EC4A:7AD
PDFXEditCore_x64!PXV_GetInstance+0x1b65993:
00007ffb`110193f3 418b94818c6eb703 mov     edx,dword ptr [r9+rax*4+3B76E8Ch] ds:00007ffb`12256f78=0293be61
0:009> p
Time Travel Position: 5EC4A:7AE
PDFXEditCore_x64!PXV_GetInstance+0x1b6599b:
00007ffb`110193fb 4903d1          add     rdx,r9
0:009> p
Time Travel Position: 5EC4A:7AF
PDFXEditCore_x64!PXV_GetInstance+0x1b6599e:
00007ffb`110193fe ffe2            jmp     rdx {PDFXEditCore_x64!PXV_GetInstance+0x1b68401 (00007ffb`1101be61)} ;<---------- (2)
0:009> p
Time Travel Position: 5EC4A:7B0
PDFXEditCore_x64!PXV_GetInstance+0x1b68401:
00007ffb`1101be61 8b7e08          mov     edi,dword ptr [rsi+8] ds:000001ad`430b6e8c=00000002

The content of the EMR_EXTCREATEFONTINDIRECTW record can be observed at (1). At (2), a switch jump occurs on the basis of the recordType field of the record.

0:009> 
Time Travel Position: 5EC4A:8A1
PDFXEditCore_x64!PXV_GetInstance+0x1b6be30:
00007ffb`1101f890 4053            push    rbx
0:009> pc
Time Travel Position: 5EC4A:8B1
PDFXEditCore_x64!PXV_GetInstance+0x1b6be70:
00007ffb`1101f8d0 e85bbc5dff      call    PDFXEditCore_x64!PXV_GetInstance+0x1147ad0 (00007ffb`105fb530)
0:009> r
rax=0000000000000190 rbx=000001ad52ce03f0 rcx=00007ffb12599f70
rdx=000001ad430b6eac rsi=000001ad52ce03f0 rdi=000001ad430b6e90
rip=00007ffb1101f8d0 rsp=00000022c06fcc90 rbp=00000022c06fce00
 r8=0000000000000300  r9=0000000000000000 r10=0000000000000030
r11=00007ffb0e6e0000 r12=0000000000000052 r13=000001ad52ce03f0
r14=00000022c06fd2f0 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
PDFXEditCore_x64!PXV_GetInstance+0x1b6be70:
00007ffb`1101f8d0 e85bbc5dff      call    PDFXEditCore_x64!PXV_GetInstance+0x1147ad0 (00007ffb`105fb530); <-------------- (3)
0:009> db rdx                                     ; <---------------- (4)
000001ad`430b6eac  37 00 32 00 6e 00 77 00-73 00 6f 00 77 00 79 00  7.2.n.w.s.o.w.y.
000001ad`430b6ebc  67 00 62 00 79 00 73 00-73 00 67 00 69 00 74 ff  g.b.y.s.s.g.i.t.
000001ad`430b6ecc  ff ff ff ff ff ff 00 fe-bb fe fe c5 fe fe c5 fe  ................
000001ad`430b6edc  fe d1 fe fe d1 fe fe dc-fe fe dc fe d1 bf d3 d1  ................
000001ad`430b6eec  bf d3 84 82 89 84 82 89-66 68 6c 66 68 6c 66 68  ........fhlfhlfh
000001ad`430b6efc  6c 66 68 6c 66 68 6c 66-68 6c 66 68 6c 66 68 6c  lfhlfhlfhlfhlfhl
000001ad`430b6f0c  66 68 6c 66 68 6c 66 68-6c 66 68 6c 66 68 6c 66  fhlfhlfhlfhlfhlf
000001ad`430b6f1c  68 6c 7b 7d 80 7b 7d 80-84 85 88 84 85 88 6f 70  hl{}.{}.......op

[...]

0:009> g
in crash function and rdx is vuln buffer
000001ad`430b6eac  00320037 0077006e 006f0073 00790077
000001ad`430b6ebc  00620067 00730079 00670073 ff740069
000001ad`430b6ecc  ffffffff fe00ffff c5fefebb fec5fefe
000001ad`430b6edc  fefed1fe dcfefed1 fedcfefe d1d3bfd1
000001ad`430b6eec  8284d3bf 89828489 666c6866 68666c68
000001ad`430b6efc  6c68666c 666c6866 68666c68 6c68666c
000001ad`430b6f0c  666c6866 68666c68 6c68666c 666c6866
000001ad`430b6f1c  7d7b6c68 807d7b80 84888584 706f8885
Time Travel Position: 5EC4B:1584
PDFXEditCore_x64!PXV_GetInstance+0x9880:
00007ffb`0f4bd2e0 4885d2          test    rdx,rdx
0:009> p
Time Travel Position: 5EC4B:1585
PDFXEditCore_x64!PXV_GetInstance+0x9883:
00007ffb`0f4bd2e3 7417            je      PDFXEditCore_x64!PXV_GetInstance+0x989c (00007ffb`0f4bd2fc) [br=0]
0:009> p
Time Travel Position: 5EC4B:1586
PDFXEditCore_x64!PXV_GetInstance+0x9885:
00007ffb`0f4bd2e5 48c7c7ffffffff  mov     rdi,0FFFFFFFFFFFFFFFFh
0:009> p
Time Travel Position: 5EC4B:1587
PDFXEditCore_x64!PXV_GetInstance+0x988c:
00007ffb`0f4bd2ec 0f1f4000        nop     dword ptr [rax]
0:009> p
Time Travel Position: 5EC4B:1588
PDFXEditCore_x64!PXV_GetInstance+0x9890:
00007ffb`0f4bd2f0 48ffc7          inc     rdi ; <------------- (5)
0:009> p
Time Travel Position: 5EC4B:1589
PDFXEditCore_x64!PXV_GetInstance+0x9893:
00007ffb`0f4bd2f3 6644392c7a      cmp     word ptr [rdx+rdi*2],r13w ds:000001ad`430b6eac=0037 ;<-----------  (6)
0:009> r
rax=0000000000000000 rbx=0000000000000001 rcx=00007ffb12599fb8
rdx=000001ad430b6eac rsi=00007ffb12599fb8 rdi=0000000000000000
rip=00007ffb0f4bd2f3 rsp=00000022c06fcab0 rbp=000001ad430b6eac
 r8=00000000ffffffff  r9=0000000000000202 r10=000000000000fdff
r11=0000000000002200 r12=0000000000000000 r13=0000000000000000
r14=000001ad430b6eac r15=0000000000000000
iopl=0         nv up ei pl zr ac po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000256
PDFXEditCore_x64!PXV_GetInstance+0x9893:
00007ffb`0f4bd2f3 6644392c7a      cmp     word ptr [rdx+rdi*2],r13w ds:000001ad`430b6eac=0037  
0:009> p
Time Travel Position: 5EC4B:158A
PDFXEditCore_x64!PXV_GetInstance+0x9898:
00007ffb`0f4bd2f8 75f6            jne     PDFXEditCore_x64!PXV_GetInstance+0x9890 (00007ffb`0f4bd2f0) [br=1]
0:009> p
Time Travel Position: 5EC4B:158B
PDFXEditCore_x64!PXV_GetInstance+0x9890:
00007ffb`0f4bd2f0 48ffc7          inc     rdi ;<----------
0:009> p
Time Travel Position: 5EC4B:158C
PDFXEditCore_x64!PXV_GetInstance+0x9893:
00007ffb`0f4bd2f3 6644392c7a      cmp     word ptr [rdx+rdi*2],r13w ds:000001ad`430b6eae=0032
0:009> p
Time Travel Position: 5EC4B:158D
PDFXEditCore_x64!PXV_GetInstance+0x9898:
00007ffb`0f4bd2f8 75f6            jne     PDFXEditCore_x64!PXV_GetInstance+0x9890 (00007ffb`0f4bd2f0) [br=1]
0:009> p
Time Travel Position: 5EC4B:158E
PDFXEditCore_x64!PXV_GetInstance+0x9890:
00007ffb`0f4bd2f0 48ffc7          inc     rdi
0:009> p
Time Travel Position: 5EC4B:158F
PDFXEditCore_x64!PXV_GetInstance+0x9893:
00007ffb`0f4bd2f3 6644392c7a      cmp     word ptr [rdx+rdi*2],r13w ds:000001ad`430b6eb0=006e

At (3), a method is called to parse the Facename field. The Facename field is examined at (4). Inside the method, a loop runs to calculate the length of the string and stores the length in the RDI register at (5). The loop exits only when a NULL-terminating character is observed. If the Facename field does not contain NULL bytes, the loop continues and reads out-of-bounds bytes. This can be observed at the time of the crash.
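The length calculation described above, modelled as an added example (not code from the advisory or from PDF-XChange): a constructed EMR_EXTCREATEFONTINDIRECTW record whose 32-character Facename carries no terminator, an unbounded scan that behaves like the loop at (5)/(6), and a bounded parser that never looks past the 64-byte field. The field values and record size 0x170 are taken from the dump at (1); bytes after Facename are filled with a non-NULL filler rather than a spec-complete LogFontExDv, which is an assumption of this example.

```python
import struct

EMR_EXTCREATEFONTINDIRECTW = 0x52
FACENAME_OFFSET = 0x28      # Facename follows the fixed LogFont fields
FACENAME_MAX_CHARS = 32     # 64 bytes of UTF-16LE; NUL-terminated only if shorter
RECORD_SIZE = 0x170         # recordSize seen in the advisory's dump at (1)

def build_record(facename, filler=0xFF):
    """Constructed test record: header + fixed LogFont fields + Facename.
    Everything after Facename is filled with a non-NUL byte (assumption:
    the parser only inspects this prefix, so the tail is not spec-complete)."""
    name = facename.encode("utf-16-le")
    if len(name) > 2 * FACENAME_MAX_CHARS:
        raise ValueError("Facename is limited to 32 characters")
    fixed = struct.pack("<IIIiiiii8B", EMR_EXTCREATEFONTINDIRECTW, RECORD_SIZE,
                        2, -28, 0, 0, 0, 400,    # ihFonts, Height .. Weight
                        0, 0, 0, 2, 8, 0, 2, 0)  # Italic .. PitchAndFamily
    field = name.ljust(2 * FACENAME_MAX_CHARS, b"\x00")  # NUL only if shorter
    rec = fixed + field
    return rec + bytes([filler]) * (RECORD_SIZE - len(rec))

def unbounded_wchar_len(buf, off):
    """Mirrors the vulnerable loop at (5)/(6): advance until a 0x0000 unit,
    with no upper bound. Returns None where native code would already have
    read past the end of the allocation (Python raises IndexError instead)."""
    n = 0
    try:
        while buf[off + 2 * n] | buf[off + 2 * n + 1]:
            n += 1
    except IndexError:
        return None
    return n

def facename_len(record):
    """Hardened: search for the terminator only inside the 64-byte field;
    a field with no terminator simply has the maximum length of 32."""
    field = record[FACENAME_OFFSET:FACENAME_OFFSET + 2 * FACENAME_MAX_CHARS]
    for i in range(FACENAME_MAX_CHARS):
        if field[2 * i] == 0 and field[2 * i + 1] == 0:
            return i
    return FACENAME_MAX_CHARS

def parse_facename(record):
    """Validate recordType/recordSize, then decode Facename with the bounded length."""
    if len(record) < FACENAME_OFFSET + 2 * FACENAME_MAX_CHARS:
        raise ValueError("record too short to hold a LogFont")
    rec_type, rec_size = struct.unpack_from("<II", record, 0)
    if rec_type != EMR_EXTCREATEFONTINDIRECTW or rec_size > len(record):
        raise ValueError("bad recordType, or recordSize larger than the data present")
    n = facename_len(record)
    return record[FACENAME_OFFSET:FACENAME_OFFSET + 2 * n].decode("utf-16-le")
```

A detection or conversion pipeline that pre-screens EMF input can apply the same rule: a Facename whose first 32 code units contain no NUL is valid per the format, so its length must be capped at 32 rather than derived from a terminator search.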

0:009> g
(19bc.1860): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 5EC4D:0
PDFXEditCore_x64!PXV_GetInstance+0x9893:
00007ffb`0f4bd2f3 6644392c7a      cmp     word ptr [rdx+rdi*2],r13w ds:000001ad`430b7000=????
0:009> u
PDFXEditCore_x64!PXV_GetInstance+0x9893:
00007ffb`0f4bd2f3 6644392c7a      cmp     word ptr [rdx+rdi*2],r13w
00007ffb`0f4bd2f8 75f6            jne     PDFXEditCore_x64!PXV_GetInstance+0x9890 (00007ffb`0f4bd2f0)
00007ffb`0f4bd2fa eb03            jmp     PDFXEditCore_x64!PXV_GetInstance+0x989f (00007ffb`0f4bd2ff)
00007ffb`0f4bd2fc 418bff          mov     edi,r15d
00007ffb`0f4bd2ff ff15037f2a02    call    qword ptr [PDFXEditCore_x64!PXV_GetInstance+0x22b17a8 (00007ffb`11765208)]
00007ffb`0f4bd305 488bce          mov     rcx,rsi
00007ffb`0f4bd308 e883f2ffff      call    PDFXEditCore_x64!PXV_GetInstance+0x8b30 (00007ffb`0f4bc590)
00007ffb`0f4bd30d 84c0            test    al,al
0:009> dd 000001ad`430b7000
000001ad`430b7000  ???????? ???????? ???????? ????????
000001ad`430b7010  ???????? ???????? ???????? ????????
000001ad`430b7020  ???????? ???????? ???????? ????????
000001ad`430b7030  ???????? ???????? ???????? ????????
000001ad`430b7040  ???????? ???????? ???????? ????????
000001ad`430b7050  ???????? ???????? ???????? ????????
000001ad`430b7060  ???????? ???????? ???????? ????????
000001ad`430b7070  ???????? ???????? ???????? ????????
0:009> kb
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ffb`105fb6a2     : 00000000`00000000 00000000`00000000 00000000`00000005 000001ad`430b6eac : PDFXEditCore_x64!PXV_GetInstance+0x9893
01 00007ffb`105fb5b6     : 00000000`00000000 000001ad`430b6eac 00000000`00000000 00007ffb`0f794084 : PDFXEditCore_x64!PXV_GetInstance+0x1147c42
02 00007ffb`1101f8d5     : 000001ad`52ce03f0 00000022`c06fce00 000001ad`52ce03f0 000001ad`430b6e90 : PDFXEditCore_x64!PXV_GetInstance+0x1147b56
03 00007ffb`1101bfcf     : 000001ad`34f56fb0 00000022`c06fce00 000001ad`430b6e84 000001ad`36d7efc0 : PDFXEditCore_x64!PXV_GetInstance+0x1b6be75
04 00007ffb`6e98ed9f     : 00000000`00000244 000001ad`1cf1cd20 000001ad`1cf1cd20 000001ad`1cf1cd20 : PDFXEditCore_x64!PXV_GetInstance+0x1b6856f
05 00007ffb`6fc5d432     : 00000000`00000246 00000022`c06fd191 00007ffb`6e661284 00007ffb`6e9a883f : gdi32full!bInternalPlayEMF+0x2564f
06 00007ffb`110185b6     : 00000000`00000014 00000022`c06fd191 000001ad`52bd01d0 00000022`c06fd2f0 : GDI32!EnumEnhMetaFileStub+0x52
07 00007ffb`0f89e0c8     : 00000022`c06fd2f0 00000000`00000000 000001ad`4c4c6f70 00000022`c06fd690 : PDFXEditCore_x64!PXV_GetInstance+0x1b64b56
08 00007ffb`0f8b47b8     : 000001ad`52c000f0 000001ad`1800d1a0 00000000`00000000 00000022`c06fd5c0 : PDFXEditCore_x64!PXV_GetInstance+0x3ea668
09 00007ffb`0f5b3675     : 00000022`000011ae 000001ad`23b45400 000001ad`23b45400 00000000`00000000 : PDFXEditCore_x64!PXV_GetInstance+0x400d58
0a 00007ffb`0f684163     : 000001ad`41f43a30 000001ad`41f43a70 00000000`00000000 00000000`00000000 : PDFXEditCore_x64!PXV_GetInstance+0xffc15
0b 00007ffb`105ec9a3     : 000001ad`1800d050 00000000`ffffffff 00000000`00000000 000001ad`41f43a70 : PDFXEditCore_x64!PXV_GetInstance+0x1d0703
0c 00007ffb`1053b997     : 00000000`ffffffff 00000000`000001f0 000001ad`31dddfd0 00000000`00000000 : PDFXEditCore_x64!PXV_GetInstance+0x1138f43
0d 00007ffb`6fa67374     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : PDFXEditCore_x64!PXV_GetInstance+0x1087f37
0e 00007ffb`70a7cc91     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0f 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

Exploiting this vulnerability allows for the reading of arbitrary memory within the process, potentially disclosing sensitive information.

TIMELINE

2025-06-18 - Vendor Disclosure
2025-07-22 - Vendor Patch Release
2025-08-05 - Public Release

Credit

Discovered by KPC of Cisco Talos.