I just patched this in commit 6891f957.  Thanks for the heads up!

On Wed, 2021-03-03 at 21:53 +0100, Léo Le Bouter wrote:
> CVE-2021-3407	24.02.21 00:15
> A flaw was found in mupdf 1.18.0. Double free of object during
> linearization may lead to memory corruption and other potential
> consequences.
> 
> mupdf has made no release yet, so you need to cherry-pick the commit: 
> https://git.ghostscript.com/?p=mupdf.git;a=log;h=cee7cefc610d42fd383b3c80c12cbc675443176a