CVE-2020-6146

Name of the Vulnerable Software and Affected Versions Nitro Pro versions 13.13.2.242 through 13.16.2.300

Description The issue is related to a code execution problem in the rendering functionality. When a page's contents are drawn and the stroke color is selected from an 'ICCBased' colorspace, the application reads a length from the file and uses it as a loop sentinel for writing data into an object member. This results in a heap-based buffer overflow due to the object member being a buffer of a static size allocated on the heap. A specially crafted document must be loaded by a victim to trigger this issue.

Recommendations For versions 13.13.2.242 through 13.16.2.300, consider avoiding the use of 'ICCBased' colorspace when drawing page contents until a patch is available. As a temporary workaround, restrict the loading of specially crafted documents to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.