Bug 991938 (CVE-2016-6525) - VUL-0: CVE-2016-6525: Heap overflow vulns in MuPDF
Summary: VUL-0: CVE-2016-6525: Heap overflow vulns in MuPDF
Status: RESOLVED FIXED
Alias: CVE-2016-6525
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 42.2
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Forgotten User cAXlJ_FoSf
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/171603/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-03 13:46 UTC by Sebastian Krahmer
Modified: 2017-07-11 11:36 UTC (History)
CC: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Sebastian Krahmer 2016-08-03 13:46:18 UTC
Quoting from OSS-sec:

Title: Heap overflow vulns in MuPDF
Author: Yu Hong, yu.hong () chaitin com;Zheng Jihong,jihong.zheng () chaitin com
Date: 2016-08-01
Download site: http://ghostscript.com/download;http://mupdf.com/downloads/
Vendor: Ghostscript
----------------------------------------------------------
Vulnerability:
Recently, I found a heap overflow vulnerability that causes this crash.
I thought it a dangerous vulnerability because there are so many function
pointers in the heap and the program has the important function "system".

The location of this vulnerability is in the "pdf_load_mesh_params" function, in
"source/pdf/pdf-shade.c".

    /* Vulnerable code as reported (pre-fix pdf_load_mesh_params). */
    obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
    if (pdf_array_len(ctx, obj) >= 6)
    {
        /* n is derived from the attacker-controlled array length and is
           never compared against the fixed size of shade->u.m.c0/c1 */
        n = (pdf_array_len(ctx, obj) - 4) / 2;
        shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
        shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
        shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));
        shade->u.m.y1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 3));
        for (i = 0; i < n; i++)
        {
            /* writes past c0[]/c1[] once n exceeds their fixed size */
            shade->u.m.c0[i] = pdf_to_real(ctx, pdf_array_get(ctx, obj, 4 + i * 2));
            shade->u.m.c1[i] = pdf_to_real(ctx, pdf_array_get(ctx, obj, 5 + i * 2));
        }
    }



The length of the array returned from "pdf_array_len" is not checked. But the
max size of "shade->u.m.c0/c1" is defined as a macro (32 by default). So if
I make a PDF which has a large Decode array, this code will cause a heap
overflow.

And the overflow data can be controlled, and in the memory I overflow, I
found a struct full of function pointers. Maybe I can let it point to the
GOT table for a chance to call "system".

issue:
http://bugs.ghostscript.com/show_bug.cgi?id=696954

Fix commit:
http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e

PoC:

reference attachment


CVE-2016-6525



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6525
http://seclists.org/oss-sec/2016/q3/241
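The arithmetic behind the reported overflow, modelled as an added example: this is not MuPDF's code, not the reporter's PoC, and not the upstream fix. It assumes a 32-entry colour bound (the report says the macro defaults to 32; the name MESH_MAX_COLORS is ours), stands in the shading's mesh fields with a plain struct, and shows how many slots the unchecked loop would write past c0[]/c1[] for a given Decode array length, beside a loader that rejects the array before any write happens. The Decode arrays are constructed inline and come from no real PDF.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumption: the per-shading colour arrays are bounded by a macro that
 * defaults to 32, as the report states. The name is ours, not MuPDF's. */
#define MESH_MAX_COLORS 32

/* Stand-in for the mesh part of the shading struct (shade->u.m). */
struct mesh_params {
    float x0, x1, y0, y1;
    float c0[MESH_MAX_COLORS];
    float c1[MESH_MAX_COLORS];
};

/* n exactly as the quoted loop derives it from the Decode array length:
 * (len - 4) / 2 when len >= 6, otherwise no colour pairs at all. */
size_t mesh_decode_n(size_t decode_len)
{
    if (decode_len < 6)
        return 0;
    return (decode_len - 4) / 2;
}

/* Number of elements the unchecked loop would write past the end of c0[]
 * (and likewise c1[]) for a Decode array of decode_len numbers. */
size_t mesh_decode_overflow_slots(size_t decode_len)
{
    size_t n = mesh_decode_n(decode_len);
    return n > MESH_MAX_COLORS ? n - MESH_MAX_COLORS : 0;
}

/* Hardened loader: validate n before touching the struct.
 * Returns n (>= 1) on success, -1 if the array is too short or too long. */
int load_mesh_decode_checked(struct mesh_params *m, const float *decode,
                             size_t decode_len)
{
    size_t n = mesh_decode_n(decode_len);
    size_t i;

    if (n == 0 || n > MESH_MAX_COLORS)
        return -1;      /* would overflow c0[]/c1[]: refuse the shading */

    m->x0 = decode[0];
    m->x1 = decode[1];
    m->y0 = decode[2];
    m->y1 = decode[3];
    for (i = 0; i < n; i++) {
        m->c0[i] = decode[4 + i * 2];
        m->c1[i] = decode[5 + i * 2];
    }
    return (int)n;
}

/* Constructed input: the smallest legal Decode array (one colour pair).
 * Returns n on success and only if c1[0] really received the last entry. */
int demo_small_decode(void)
{
    static const float small[6] = { 0.f, 1.f, 0.f, 1.f, 0.f, 255.f };
    struct mesh_params m = { 0 };
    int n = load_mesh_decode_checked(&m, small, 6);
    return (n == 1 && m.c1[0] == 255.f) ? n : -1;
}

/* Constructed input: 33 colour pairs, i.e. 70 numbers, one pair more than
 * the arrays can hold. The unchecked loop would write past both arrays;
 * the checked loader must return -1 without writing anything. */
int demo_oversized_decode(void)
{
    float big[4 + 2 * (MESH_MAX_COLORS + 1)];
    struct mesh_params m = { 0 };
    size_t i, len = sizeof big / sizeof big[0];
    for (i = 0; i < len; i++)
        big[i] = (float)i;
    return load_mesh_decode_checked(&m, big, len);
}

int main(void)
{
    printf("Decode len 6  -> n=%zu, slots past c0/c1: %zu, checked=%d\n",
           mesh_decode_n(6), mesh_decode_overflow_slots(6), demo_small_decode());
    printf("Decode len 70 -> n=%zu, slots past c0/c1: %zu, checked=%d\n",
           mesh_decode_n(70), mesh_decode_overflow_slots(70), demo_oversized_decode());
    return 0;
}
```

The point to take from the model: a 70-entry Decode array already yields n = 33, one past the 32-entry bound, and every extra pair in the array adds one float written beyond c0[] and beyond c1[] into whatever the allocator placed after the shading object. A bound check on n, performed before the first write, is the minimal fix; the upstream commit linked above is the authoritative one.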
Comment 1 Johannes Segitz 2017-07-11 11:36:01 UTC
Fixed in the current version on Leap.