CVE-2025-58113
An out-of-bounds read vulnerability exists in the EMF functionality of PDF-XChange Co. Ltd PDF-XChange Editor 10.7.3.401. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
PDF-XChange Co. Ltd PDF-XChange Editor 10.7.3.401
PDF-XChange Editor - https://www.pdf-xchange.com/product/pdf-xchange-editor
6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-125 - Out-of-bounds Read
PDF-XChange Editor is a powerful and feature-rich PDF viewer and editor. It offers a wide range of tools to view, create, edit, annotate, sign, and convert PDF files. It’s a popular alternative to heavier PDF applications like Adobe Acrobat.
PDF-XChange Editor supports the conversion of EMF files into PDFs. This vulnerability is related to the processing of EMF files during conversion.
An EMF (Enhanced Metafile Format) file stores images in a device-independent form. It begins with a header (EMR_HEADER) that contains information about the structure and contents of the metafile. The structure of the EMR_HEADER is as follows:
Offset Size Name
------ ---- --------------------------------------
0x00 0x04 recordType (0x00000001)
0x04 0x04 recordSize
0x08 0x10 bounds
0x18 0x10 frame
0x28 0x04 recordSignature (0x464D4520)
0x2C 0x04 version
0x30 0x04 sizeInBytes
0x34 0x04 numOfRecords
0x38 0x02 Handles
0x3A 0x02 Reserved
Please note that the structure of EMR_HEADER shown is not complete; it only includes the relevant fields.
For the EMR_HEADER record, the recordType must be 0x00000001. The recordSize indicates the total size of the header record in bytes. The recordSignature field defines the record signature, which must have the value 0x464D4520 (FME ). The sizeInBytes field specifies the size of the metafile in bytes. The numOfRecords indicates the total number of records present in the metafile, including the EMR_HEADER.
This vulnerability is associated with the record type EMR_SMALLTEXTOUT.
The EMR_SMALLTEXTOUT record outputs a string. The structure of the EMR_SMALLTEXTOUT is as follows:
Offset Size Name
------ ---- --------------------------------------
0x00 0x04 recordType (0x0000006C)
0x04 0x04 recordSize
0x08 0x04 x-coordinate
0x0C 0x04 y-coordinate
0x10 0x04 cChars
0x14 0x04 fuOptions
0x18 0x04 iGraphicsMode
0x1C 0x04 exScale
0x20 0x04 eyScale
0x24 0x10 Bounds (Optional)
0x34 y TextString
For the EMR_SMALLTEXTOUT record, the recordType value must be 0x0000006C. The fuOptions field is a set of flags that specify text output options. If fuOptions & 0x100 is not zero, the Bounds field is not present in the EMR_SMALLTEXTOUT record. Otherwise, if fuOptions & 0x100 is zero, the Bounds field is present in the record.
A vulnerability occurs when the recordSize of the EMR_SMALLTEXTOUT record is smaller than 0x34 while fuOptions & 0x100 is zero. In this scenario, the application attempts to read the Bounds field even though the record does not contain enough data, leading to an out-of-bounds read. This behavior can be observed while debugging with pageheap enabled.
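As an added example that is not part of the Talos advisory or of the vendor's code, the following Python record walker applies the check the vulnerable handler lacks: before the Bounds field of an EMR_SMALLTEXTOUT record is touched, recordSize must be at least 0x34 whenever fuOptions & 0x100 is zero, and every recordSize is validated against the file before the record body is read. The ETO_SMALL_CHARS flag (0x200), the EMR_EOF record type (0x0E) and the 88-byte header length come from the MS-EMF specification rather than from this page; the sample files are constructed here, except for the bad record, which is the ten DWORDs shown at (1) in the debugger output below.

```python
import struct

# Values named in the advisory
EMR_HEADER = 0x00000001
EMR_SMALLTEXTOUT = 0x0000006C
EMR_SIGNATURE = 0x464D4520
ETO_NO_RECT = 0x100           # fuOptions bit: Bounds field absent when set
# Not on the advisory page; taken from the MS-EMF specification
ETO_SMALL_CHARS = 0x200       # TextString uses 8-bit chars when set, 16-bit otherwise
EMR_EOF = 0x0000000E

HEADER_MIN_SIZE = 0x3C        # through the Reserved field listed in the advisory
SMALLTEXTOUT_FIXED = 0x24     # recordType .. eyScale
BOUNDS_SIZE = 0x10
RECORD_PREFIX = 0x08          # recordType + recordSize


class EmfError(ValueError):
    pass


def parse_header(data: bytes) -> dict:
    """Validate EMR_HEADER and return the fields the record walker needs."""
    if len(data) < HEADER_MIN_SIZE:
        raise EmfError("file shorter than EMR_HEADER")
    rec_type, rec_size = struct.unpack_from("<II", data, 0x00)
    if rec_type != EMR_HEADER:
        raise EmfError(f"first record type 0x{rec_type:08x} is not EMR_HEADER")
    sig, _version, size_in_bytes, num_records = struct.unpack_from("<IIII", data, 0x28)
    if sig != EMR_SIGNATURE:
        raise EmfError(f"bad recordSignature 0x{sig:08x}")
    if rec_size < HEADER_MIN_SIZE or rec_size % 4 or rec_size > len(data):
        raise EmfError(f"implausible EMR_HEADER recordSize 0x{rec_size:x}")
    if size_in_bytes > len(data) or num_records == 0:
        raise EmfError("sizeInBytes/numOfRecords disagree with the data")
    return {"recordSize": rec_size, "sizeInBytes": size_in_bytes, "numOfRecords": num_records}


def smalltextout_text_offset(rec: bytes) -> int:
    """Return the TextString offset, or raise if recordSize cannot hold what fuOptions implies."""
    if len(rec) < 0x18:                       # need cChars and fuOptions to exist at all
        raise EmfError("EMR_SMALLTEXTOUT shorter than its fuOptions field")
    c_chars, fu_options = struct.unpack_from("<II", rec, 0x10)
    text_off = SMALLTEXTOUT_FIXED
    if not fu_options & ETO_NO_RECT:
        text_off += BOUNDS_SIZE               # Bounds present: this is the missing check
    if len(rec) < text_off:
        raise EmfError(f"EMR_SMALLTEXTOUT recordSize 0x{len(rec):x} too small for Bounds (need 0x{text_off:x})")
    char_width = 1 if fu_options & ETO_SMALL_CHARS else 2
    if text_off + c_chars * char_width > len(rec):
        raise EmfError("EMR_SMALLTEXTOUT cChars overruns the record")
    return text_off


def walk_records(data: bytes) -> list:
    """Walk every record, checking each recordSize against the file before reading its body."""
    hdr = parse_header(data)
    end = hdr["sizeInBytes"]
    off, records = 0, []
    for _ in range(hdr["numOfRecords"]):
        if off + RECORD_PREFIX > end:
            raise EmfError(f"record prefix at 0x{off:x} runs past sizeInBytes")
        rec_type, rec_size = struct.unpack_from("<II", data, off)
        if rec_size < RECORD_PREFIX or rec_size % 4 or off + rec_size > end:
            raise EmfError(f"record at 0x{off:x} has implausible recordSize 0x{rec_size:x}")
        rec = data[off:off + rec_size]
        if rec_type == EMR_SMALLTEXTOUT:
            smalltextout_text_offset(rec)
        records.append((off, rec_type, rec_size))
        off += rec_size
    return records


def first_defect(data: bytes):
    """None when the file passes, otherwise the first problem found."""
    try:
        walk_records(data)
    except EmfError as e:
        return str(e)
    return None


def build_smalltextout(c_chars, fu_options, text: bytes, bounds=(0, 0, 0, 0)) -> bytes:
    """Well-formed EMR_SMALLTEXTOUT (constructed sample; x/y/scale values are arbitrary)."""
    body = struct.pack("<IIIIIII", 0x3E8, 0x3E8, c_chars, fu_options, 1, 0, 0)
    if not fu_options & ETO_NO_RECT:
        body += struct.pack("<iiii", *bounds)
    body += text
    rec_size = (RECORD_PREFIX + len(body) + 3) & ~3        # records are DWORD-aligned
    return struct.pack("<II", EMR_SMALLTEXTOUT, rec_size) + body.ljust(rec_size - RECORD_PREFIX, b"\0")


def build_emf(records) -> bytes:
    """Header + records + EMR_EOF; header fields past 0x3C are left zero (constructed sample)."""
    eof = struct.pack("<IIIII", EMR_EOF, 0x14, 0, 0x10, 0x14)
    body = b"".join(records) + eof
    hdr = bytearray(0x58)
    struct.pack_into("<II", hdr, 0x00, EMR_HEADER, len(hdr))
    struct.pack_into("<IIII", hdr, 0x28, EMR_SIGNATURE, 0x10000, len(hdr) + len(body), len(records) + 2)
    return bytes(hdr) + body


# The record shown at (1) in the advisory: recordSize 0x28, fuOptions 0xE00 (ETO_NO_RECT clear),
# so Bounds is expected at 0x24..0x34 but only 4 bytes of it exist inside the record.
RECORD_FROM_ADVISORY_DUMP = struct.pack("<10I", 0x6C, 0x28, 0x3E8, 0x3E8, 2, 0xE00, 0x1B80, 0x1000, 0, 0)

GOOD_EMF = build_emf([build_smalltextout(2, 0xE00, b"Hi", (0, 0, 10, 10))])
BAD_EMF = build_emf([RECORD_FROM_ADVISORY_DUMP])

if __name__ == "__main__":
    for name, blob in (("well-formed", GOOD_EMF), ("advisory record", BAD_EMF)):
        print(f"{name}: {first_defect(blob) or 'no defect found'}")
```

The walker rejects the advisory's record with a size error before any field beyond the record is read, which is the order a parser needs: derive the expected layout from fuOptions, compare it with recordSize, and only then copy Bounds. Run against a real file, `first_defect` gives a quick triage answer for EMF inputs arriving at a conversion pipeline.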
0:017> p
Time Travel Position: B21A0:4F8
PDFXEditCore_x64!PXV_GetInstance+0x1dacf52:
00007ffd`055cd252 4d8d040e lea r8,[r14+rcx]
0:017> p
Time Travel Position: B21A0:4F9
PDFXEditCore_x64!PXV_GetInstance+0x1dacf56:
00007ffd`055cd256 4c89442478 mov qword ptr [rsp+78h],r8 ss:000000ca`6a5fcc28=000001f575494fd4
0:017> p
Time Travel Position: B21A0:4FA
PDFXEditCore_x64!PXV_GetInstance+0x1dacf5b:
00007ffd`055cd25b 458b0e mov r9d,dword ptr [r14] ds:000001f5`75494fd4=0000006c
0:017> p
Time Travel Position: B21A0:4FB
PDFXEditCore_x64!PXV_GetInstance+0x1dacf5e:
00007ffd`055cd25e 4181f901700000 cmp r9d,7001h
0:017> dd r14 ;<------------------------------------------------ (1)
000001f5`75494fd4 0000006c 00000028 000003e8 000003e8
000001f5`75494fe4 00000002 00000e00 00001b80 00001000
000001f5`75494ff4 00000000 00000000 d0d0d0d0 ????????
000001f5`75495004 ???????? ???????? ???????? ????????
[...]
0:017> p
Time Travel Position: B21A0:503
PDFXEditCore_x64!PXV_GetInstance+0x1dacf8e:
00007ffd`055cd28e 418b9482a94ad703 mov edx,dword ptr [r10+rax*4+3D74AA9h] ds:00007ffd`06644bb9=02d002b6
0:017> p
Time Travel Position: B21A0:504
PDFXEditCore_x64!PXV_GetInstance+0x1dacf96:
00007ffd`055cd296 4903d2 add rdx,r10
0:017> p
Time Travel Position: B21A0:505
PDFXEditCore_x64!PXV_GetInstance+0x1dacf99:
00007ffd`055cd299 ffe2 jmp rdx {PDFXEditCore_x64!PXV_GetInstance+0x1daffb6 (00007ffd`055d02b6)} ;<-------------- (2)
0:017> p
Time Travel Position: B21A0:506
PDFXEditCore_x64!PXV_GetInstance+0x1daffb6:
00007ffd`055d02b6 418b4e14 mov ecx,dword ptr [r14+14h] ds:000001f5`75494fe8=00000e00
The content of the vulnerable EMR_SMALLTEXTOUT record can be observed at (1). At (2), a switch jump occurs based on the recordType field of the record.
0:017> p
Time Travel Position: B21A0:514
PDFXEditCore_x64!PXV_GetInstance+0x1dafff2:
00007ffd`055d02f2 8bf1 mov esi,ecx
0:017> p
Time Travel Position: B21A0:515
PDFXEditCore_x64!PXV_GetInstance+0x1dafff4:
00007ffd`055d02f4 4889742460 mov qword ptr [rsp+60h],rsi ss:000000ca`6a5fcc10=000000ca6a5fcc60
0:017> p
Time Travel Position: B21A0:516
PDFXEditCore_x64!PXV_GetInstance+0x1dafff9:
00007ffd`055d02f9 488d0c8d4c000000 lea rcx,[rcx*4+4Ch] ; <----------- (3)
0:017> p
Time Travel Position: B21A0:517
PDFXEditCore_x64!PXV_GetInstance+0x1db0001:
00007ffd`055d0301 e8bac920fe call PDFXEditCore_x64!DllUnregisterServer+0xd10 (00007ffd`037dccc0) ; <----------- (4)
0:017> r
rax=0000000000000044 rbx=000001f50086bff0 rcx=0000000000000054
rdx=00007ffd055d02b6 rsi=0000000000000002 rdi=0000000000000002
rip=00007ffd055d0301 rsp=000000ca6a5fcbb0 rbp=000000ca6a5fccb0
r8=00000000fffffff4 r9=000000000000006c r10=00007ffd028d0000
r11=000000ca6a5fcdb8 r12=00007ffd055d4490 r13=0000000000000000
r14=000001f575494fd4 r15=000000ca6a5fd1a0
iopl=0 nv up ei pl nz ac pe cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000213
PDFXEditCore_x64!PXV_GetInstance+0x1db0001:
00007ffd`055d0301 e8bac920fe call PDFXEditCore_x64!DllUnregisterServer+0xd10 (00007ffd`037dccc0)
0:017> p
Time Travel Position: B21A0:5A5
PDFXEditCore_x64!PXV_GetInstance+0x1db0006:
00007ffd`055d0306 488bd8 mov rbx,rax
0:017> r
rax=000001f577860ab0 rbx=000001f50086bff0 rcx=00000000ffffffff
rdx=0000000000000000 rsi=0000000000000002 rdi=0000000000000002
rip=00007ffd055d0306 rsp=000000ca6a5fcbb0 rbp=000000ca6a5fccb0
r8=000000000000001d r9=0000000000000000 r10=0000000000000ab0
r11=0000000000000000 r12=00007ffd055d4490 r13=0000000000000000
r14=000001f575494fd4 r15=000000ca6a5fd1a0
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
PDFXEditCore_x64!PXV_GetInstance+0x1db0006:
00007ffd`055d0306 488bd8 mov rbx,rax
0:017> dd rax ; <----------- (5)
000001f5`77860ab0 00000000 00000000 00000000 00000000
000001f5`77860ac0 00000000 00000000 00000000 00000000
000001f5`77860ad0 00000000 00000000 00000000 00000000
000001f5`77860ae0 00000000 00000000 00000000 00000000
000001f5`77860af0 00000000 00000000 00000000 00000000
000001f5`77860b00 00000000 00000000 00000000 00000000
000001f5`77860b10 00000000 00000000 00000000 00000000
000001f5`77860b20 00000000 00000000 00000000 00000000
[...]
0:017> p
Time Travel Position: B21A0:5AB
PDFXEditCore_x64!PXV_GetInstance+0x1db001f:
00007ffd`055d031f 89431c mov dword ptr [rbx+1Ch],eax ds:000001f5`77860acc=00000000
0:017> p
Time Travel Position: B21A0:5AC
PDFXEditCore_x64!PXV_GetInstance+0x1db0022:
00007ffd`055d0322 418b4620 mov eax,dword ptr [r14+20h] ds:000001f5`75494ff4=00000000
0:017> p
Time Travel Position: B21A0:5AD
PDFXEditCore_x64!PXV_GetInstance+0x1db0026:
00007ffd`055d0326 894320 mov dword ptr [rbx+20h],eax ds:000001f5`77860ad0=00000000
0:017> p
Time Travel Position: B21A0:5AE
PDFXEditCore_x64!PXV_GetInstance+0x1db0029:
00007ffd`055d0329 418b4618 mov eax,dword ptr [r14+18h] ds:000001f5`75494fec=00001b80
0:017> p
Time Travel Position: B21A0:5AF
PDFXEditCore_x64!PXV_GetInstance+0x1db002d:
00007ffd`055d032d 894318 mov dword ptr [rbx+18h],eax ds:000001f5`77860ac8=00000000
0:017> p
Time Travel Position: B21A0:5B0
PDFXEditCore_x64!PXV_GetInstance+0x1db0030:
00007ffd`055d0330 41f7461400010000 test dword ptr [r14+14h],100h ds:000001f5`75494fe8=00000e00 ;<--------- (6)
0:017> p
Time Travel Position: B21A0:5B1
PDFXEditCore_x64!PXV_GetInstance+0x1db0038:
00007ffd`055d0338 750e jne PDFXEditCore_x64!PXV_GetInstance+0x1db0048 (00007ffd`055d0348) [br=0]
0:017> p
Time Travel Position: B21A0:5B2
PDFXEditCore_x64!PXV_GetInstance+0x1db003a:
00007ffd`055d033a 488d4b38 lea rcx,[rbx+38h]
0:017> p
Time Travel Position: B21A0:5B3
PDFXEditCore_x64!PXV_GetInstance+0x1db003e:
00007ffd`055d033e 498d5624 lea rdx,[r14+24h]
0:017> p
Time Travel Position: B21A0:5B4
PDFXEditCore_x64!PXV_GetInstance+0x1db0042:
00007ffd`055d0342 ff15e8976f00 call qword ptr [PDFXEditCore_x64!PXV_GetInstance+0x24a9830 (00007ffd`05cc9b30)] ds:00007ffd`05cc9b30={USER32!CopyRect (00007ffd`5cfd4110)} ;<--------- (7)
0:017> dd rdx ;<--------------------------- (8)
000001f5`75494ff8 00000000 d0d0d0d0 ???????? ????????
000001f5`75495008 ???????? ???????? ???????? ????????
000001f5`75495018 ???????? ???????? ???????? ????????
000001f5`75495028 ???????? ???????? ???????? ????????
000001f5`75495038 ???????? ???????? ???????? ????????
000001f5`75495048 ???????? ???????? ???????? ????????
000001f5`75495058 ???????? ???????? ???????? ????????
000001f5`75495068 ???????? ???????? ???????? ????????
0:017> dd rcx
000001f5`77860ae8 00000000 00000000 00000000 00000000
000001f5`77860af8 00000000 00000000 00000000 00000000
000001f5`77860b08 00000000 00000000 00000000 00000000
000001f5`77860b18 00000000 00000000 00000000 00000000
000001f5`77860b28 00000000 00000000 00000000 00000000
000001f5`77860b38 00000000 00000000 00000000 00000000
000001f5`77860b48 00000000 00000000 00000000 00000000
000001f5`77860b58 00000000 00000000 00000000 00000000
At (3), the size of the destination buffer is calculated. The method called at (4) allocates the destination buffer. The destination buffer is examined at (5). At (6), it is checked whether fuOptions & 0x100 is zero. In this case, it evaluates to zero, so the CopyRect function is called to copy the Bounds field. However, at (8), it is observed that the record does not contain the complete Bounds field. As a result, an out-of-bounds read occurs in the CopyRect function. This can be observed at the time of the crash.
0:017> g
(304.358): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: B21A1:0
USER32!CopyRect+0xa:
00007ffd`5cfd411a 0f1002 movups xmm0,xmmword ptr [rdx] ds:000001f5`75494ff8=????????????????????????????????
0:017> u
USER32!CopyRect+0xa:
00007ffd`5cfd411a 0f1002 movups xmm0,xmmword ptr [rdx]
00007ffd`5cfd411d b801000000 mov eax,1
00007ffd`5cfd4122 f30f7f01 movdqu xmmword ptr [rcx],xmm0
00007ffd`5cfd4126 c3 ret
00007ffd`5cfd4127 cc int 3
00007ffd`5cfd4128 33c0 xor eax,eax
00007ffd`5cfd412a c3 ret
00007ffd`5cfd412b cc int 3
0:017> kb
# RetAddr : Args to Child : Call Site
00 00007ffd`055d0348 : 000001f5`0086bff0 000000ca`6a5fccb0 00000000`00000002 000001f5`00b2bd20 : USER32!CopyRect+0xa
01 00007ffd`5ac8e8df : 00000000`00000294 000001f5`00b2bd20 000001f5`00b2bd20 000001f5`00b2bd20 : PDFXEditCore_x64!PXV_GetInstance+0x1db0048
02 00007ffd`5b7ad432 : 00000000`00000246 000000ca`6a5fd041 00007ffd`5ab11284 00007ffd`5aca837f : gdi32full!bInternalPlayEMF+0x2519f
03 00007ffd`055cc446 : 00000000`00000014 000000ca`6a5fd041 000001f5`77910100 000000ca`6a5fd1a0 : GDI32!EnumEnhMetaFileStub+0x52
04 00007ffd`03c064ca : 000000ca`6a5fd1a0 00000000`00000000 000001f5`4b2177d0 000000ca`6a5fd4f0 : PDFXEditCore_x64!PXV_GetInstance+0x1dac146
05 00007ffd`03c1c279 : 000001f5`77870070 000001f5`77356d50 00000000`00000000 000001f5`4e7fbfc8 : PDFXEditCore_x64!PXV_GetInstance+0x3e61ca
06 00007ffd`0391db65 : 000000ca`00001260 000001f5`511e5f40 000001f5`511e5f40 00000000`00000000 : PDFXEditCore_x64!PXV_GetInstance+0x3fbf79
07 00007ffd`039eae00 : 000001f5`747fe870 000001f5`773953f0 00000000`00000000 000001f5`773953f0 : PDFXEditCore_x64!PXV_GetInstance+0xfd865
08 00007ffd`04973633 : 000001f5`77356b40 00000000`ffffffff 000001f5`773953f0 000001f5`5bd50170 : PDFXEditCore_x64!PXV_GetInstance+0x1cab00
09 00007ffd`048c0df7 : 00000000`ffffffff 00000000`00000304 000001f5`539a0fd0 00000000`00000000 : PDFXEditCore_x64!PXV_GetInstance+0x1153333
0a 00007ffd`5cd77374 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : PDFXEditCore_x64!PXV_GetInstance+0x10a0af7
0b 00007ffd`5d1dcc91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0c 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:017> lmDvm PDFXEditCore_x64
Browse full module list
start end module name
00007ffd`028d0000 00007ffd`06e45000 PDFXEditCore_x64 (export symbols) PDFXEditCore.x64.dll
Loaded symbol image file: PDFXEditCore.x64.dll
Mapped memory image file: C:\Program Files\Tracker Software\PDF Editor\PDFXEditCore.x64.dll
Image path: C:\Program Files\Tracker Software\PDF Editor\PDFXEditCore.x64.dll
Image name: PDFXEditCore.x64.dll
Browse all global symbols functions data Symbol Reload
Timestamp: Mon Sep 22 13:45:19 2025 (68D1B55F)
CheckSum: 0446B8DD
ImageSize: 04575000
File version: 10.7.3.401
Product version: 10.7.3.401
File flags: 0 (Mask 17)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: PDF-XChange Co Ltd.
ProductName: PDF-XChange® Editor
InternalName: PDFXEditCore
OriginalFilename: PDFXEditCore.dll
ProductVersion: 10.7.3.401
FileVersion: 10.7.3.401
PrivateBuild:
SpecialBuild:
FileDescription: PDF-XChange Editor Core API
LegalCopyright: Copyright (C) 2001-25 by PDF-XChange Co Ltd.
LegalTrademarks: PDF-XChange Co Ltd.
Comments: PDF-XChange® Editor
Exploiting this vulnerability allows for the reading of arbitrary memory within the process, potentially disclosing sensitive information.
2025-10-23 - Vendor Disclosure
2025-10-28 - Vendor Patch Release
2025-12-02 - Public Release
Discovered by KPC of Cisco Talos.