Summary: | Using unallocated memory when parsing image... | ||
---|---|---|---|
Product: | jbig2dec | Reporter: | Sebastian Rasmussen <sebastian.rasmussen> |
Component: | Parsing | Assignee: | Henry Stiles <henry.stiles> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | masaki.ushizaka, shailesh.mistry |
Priority: | P4 | ||
Version: | 0.10 | ||
Hardware: | PC | ||
OS: | Linux | ||
Customer: | Word Size: | --- | |
Attachments: |
globals.jbig2
img.jbig2 scan.pdf Patch for Bug690723 |
Description
Sebastian Rasmussen
2009-08-20 03:12:23 UTC
Created attachment 5317 [details]
globals.jbig2
Created attachment 5318 [details]
img.jbig2
Created attachment 5319 [details]
scan.pdf
... and this would be the original pdf-file.
Created attachment 8287 [details] Patch for Bug690723 This bug only appears when the final colour change happens right at the width of the image and the width is divisible by 8. The patch looks for this specific condition and prevents the buffer read/write overrun. The patch has been tested on the regression cluster and using valgrind without errors. (In reply to comment #4) > Created an attachment (id=8287) [details] > Patch for Bug690723 > > This bug only appears when the final colour change happens right at the width > of the image and the width is divisible by 8. The patch looks for this specific > condition and prevents the buffer read/write overrun. > > The patch has been tested on the regression cluster and using valgrind without > errors. I'm not quite clear on this one. It looks to me like the original intent was a precondition that x1 and x0 would not overflow or underflow. This is enforced by clamping to the width as in: a1 = a0 + white_run; a2 = a1 + black_run; if (a1 > mmr->width) a1 = mmr->width; if (a2 > mmr->width) a2 = mmr->width; jbig2_set_bits(dst, a1, a2); I didn't step through in the debugger but notice here: jbig2_decode_mmr_consume(mmr, 1); b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c); if (c) jbig2_set_bits(dst, a0, b1); we have the colour transition you talk about but no clamping b1 as above. I don't know if that is the exact problem but I think it best to keep the precondition (x1 and x0 won't go out of bounds) and not add another parameter to address work around the precondition for a particular case. The final patch used was --- a/gs/jbig2dec/jbig2_mmr.c +++ b/gs/jbig2dec/jbig2_mmr.c @@ -792,7 +792,7 @@ jbig2_set_bits(byte *line, int x0, int x1) line[a0] |= lm[b0]; for (a = a0 + 1; a < a1; a++) line[a] = 0xFF; - line[a1] |= rm[b1]; + if (b1) line[a1] |= rm[b1]; } } This has been cluster tested and committed as dc77e931b2a6118092bac21b4dd38bc10d41e644 Fixed see Comment #6 |