Bug 690895

Summary: possible NULL-pointer dereference in jbig2_decode_symbol_dict()
Product: jbig2dec
Reporter: gorac <drugo.pedrouvene>
Component: Rendering
Assignee: Henry Stiles <henry.stiles>
Status: RESOLVED DUPLICATE
Severity: normal
CC: masaki.ushizaka
Priority: P4
Version: unspecified
Hardware: PC
OS: Windows XP
Customer:
Word Size: ---

Description gorac 2009-11-06 18:13:34 UTC
Reading the jbig2_decode_symbol_dict() source code:

A) note the if condition at line ..:
      /* 6.5.5 (4c.ii) */
      if (!params->SDHUFF || params->SDREFAGG)
      {
         ..
      }
   We obviously enter the if body also in the case:
      params->SDHUFF == params->SDREFAGG == TRUE          (1)

   In this case the variable Jbig2ArithState *as is still set to NULL because
   it is allocated only if params->SDHUFF == FALSE

B) in the body of the if statement we find a call to the routine
   jbig2_decode_text_region()
   Because of point A), in the above-mentioned case (1) it receives a NULL
   value for the parameter as.

C) jbig2_decode_text_region() calls in turn the routine
   jbig2_decode_refinement_region().
   In case (1) this call is also made with a NULL value for the as
   parameter, but jbig2_decode_refinement_region() uses this parameter and we
   have a NULL-pointer dereference error.

Summing up: in the case params->SDHUFF == params->SDREFAGG == TRUE we can have a
GPFault in jbig2_decode_symbol_dict().

I don't know if case (1) is possible in real situations; however, if points A)-C)
are true, it seems to me a dangerous path of execution.
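The path described in the report, as an added model in C that is not jbig2dec's own code: the arithmetic state is allocated only when SDHUFF is false, but the branch that reaches the refinement decoder is entered whenever !SDHUFF || SDREFAGG, so SDHUFF == SDREFAGG == TRUE reaches it with a NULL state. The type and function names (ArithState, SymDictParams, symbol_dict_path, refinement_region) are assumptions standing in for the jbig2dec routines named above; the model returns an error code instead of dereferencing, which is the check a fix would add before the jbig2_decode_text_region() call.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for jbig2dec's Jbig2ArithState; only its presence matters. */
typedef struct { int placeholder; } ArithState;

/* Hypothetical flattened view of the two symbol-dictionary flags named in the report. */
typedef struct { bool SDHUFF; bool SDREFAGG; } SymDictParams;

enum { DECODE_OK = 0, DECODE_NO_REFAGG = 1, DECODE_NULL_ARITH_STATE = -1, DECODE_OOM = -2 };

/* Stand-in for jbig2_decode_refinement_region(): it dereferences `as` unconditionally,
   which is the behaviour the report points at. */
static int refinement_region(const ArithState *as) { return as->placeholder; }

/* The predicate from the report: is the 6.5.5 (4c.ii) branch entered while `as` is NULL?
   `as` exists only when !SDHUFF; the branch runs when !SDHUFF || SDREFAGG. */
bool branch_runs_with_null_state(SymDictParams p) { return p.SDHUFF && p.SDREFAGG; }

/* Models jbig2_decode_symbol_dict()'s control flow with the guard a fix would need.
   Sets *entered to whether the refinement/aggregation branch was taken. */
int symbol_dict_path(SymDictParams p, bool *entered)
{
    ArithState *as = NULL;
    int rc = DECODE_NO_REFAGG;
    *entered = false;

    if (!p.SDHUFF) {                       /* state allocated only for arithmetic coding */
        as = calloc(1, sizeof *as);
        if (as == NULL) return DECODE_OOM;
    }
    if (!p.SDHUFF || p.SDREFAGG) {         /* 6.5.5 (4c.ii), as quoted in the report */
        *entered = true;
        rc = (as == NULL) ? DECODE_NULL_ARITH_STATE   /* guard: refuse instead of crashing */
                          : refinement_region(as);    /* placeholder is 0 from calloc */
    }
    free(as);
    return rc;
}

int main(void)
{
    for (int h = 0; h < 2; h++)
        for (int r = 0; r < 2; r++) {
            SymDictParams p = { h != 0, r != 0 };
            bool entered;
            int rc = symbol_dict_path(p, &entered);
            printf("SDHUFF=%d SDREFAGG=%d entered=%d rc=%d\n", h, r, entered, rc);
        }
    return 0;
}
```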
Comment 1 Henry Stiles 2011-05-11 22:30:37 UTC

*** This bug has been marked as a duplicate of bug 690889 ***