Bug 694021

Summary: Seg faults found by fuzzing in jbig2_arith_decode
Product: Ghostscript Reporter: Marcos H. Woehrmann <marcos.woehrmann>
Component: Fuzzing Assignee: Default assignee <ghostpdl-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: alex
Priority: P4    
Version: master   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: log.txt
Patch for seg fault related issues

Description Marcos H. Woehrmann 2013-05-09 03:04:27 UTC
Created attachment 9674 [details]
log.txt

Seg faults in the 64 bit build of ghostscript were found by fuzzing in jbig2_arith_decode while reading these file(s). See the attached log.txt for details.

3324.pdf.SIGSEGV.47c.2585.cups.300.1
3324.pdf.SIGSEGV.47c.2585.pam.72.0
3324.pdf.SIGSEGV.47c.2585.pbmraw.300.0
3324.pdf.SIGSEGV.47c.2585.pbmraw.300.1
3324.pdf.SIGSEGV.47c.2585.pbmraw.72.0
3324.pdf.SIGSEGV.47c.2585.pdf.pkmraw.300.0
3324.pdf.SIGSEGV.47c.2585.pdf.ppmraw.300.0
3324.pdf.SIGSEGV.47c.2585.pdf.ppmraw.72.0
3324.pdf.SIGSEGV.47c.2585.pgmraw.300.0
3324.pdf.SIGSEGV.47c.2585.pgmraw.300.1
3324.pdf.SIGSEGV.47c.2585.pgmraw.72.0
3324.pdf.SIGSEGV.47c.2585.pkmraw.300.0
3324.pdf.SIGSEGV.47c.2585.pkmraw.300.1
3324.pdf.SIGSEGV.47c.2585.pkmraw.72.0
3324.pdf.SIGSEGV.47c.2585.ppmraw.300.0
3324.pdf.SIGSEGV.47c.2585.ppmraw.300.1
3324.pdf.SIGSEGV.47c.2585.ppmraw.72.0
3324.pdf.SIGSEGV.47c.2585.ps.pkmraw.300.0
3324.pdf.SIGSEGV.47c.2585.ps.ppmraw.300.0
3324.pdf.SIGSEGV.47c.2585.ps.ppmraw.72.0
3324.pdf.SIGSEGV.47c.2585.psdcmyk.300.1
3324.pdf.SIGSEGV.47c.2585.psdcmyk.72.0
Comment 1 Shailesh Mistry 2013-05-10 22:31:23 UTC
Created attachment 9718 [details]
Patch for seg fault related issues

The seg fault is due to the image decoder trying to use an uninitialized GR_stats. This also uncovered a few other errors that are covered here :-

1) GR_stats is now initialised in all places to prevent it reaching jbig2_arith_decode with fake values

2) jbig2_arith_decode has been updated to prevent access outside of the jbig2_arith_Qe array which now returns an error in such cases.

3) all uses of jbig2_decode_refinement_region now check for a returning error and act accordingly.
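As an added example (not code from this bug, the attached patch, or Ghostscript's jbig2dec), the block below is a minimal C model of the MQ-coder context state that shows what points 1 and 2 of the patch description are about: a context byte that was never initialised can carry a state index past the end of the 47-entry Qe table, and a decoder that indexes the table without a check reads out of bounds. The context byte layout (bit 7 = MPS, bits 0..6 = state index) is assumed here; the function names qe_lookup, arith_update, qe_table_closed, count_invalid and alloc_stats are hypothetical; the table values are the standard MQ-coder Qe table from JBIG2 / JPEG 2000.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed context byte layout: bit 7 = current MPS, bits 0..6 = state index
 * I(CX) into the Qe table. */
typedef unsigned char ArithCx;

typedef struct {
    uint16_t Qe;     /* LPS probability estimate */
    uint8_t  NMPS;   /* next index after an MPS decision */
    uint8_t  NLPS;   /* next index after an LPS decision */
    uint8_t  SWITCH; /* 1 = flip the MPS sense on an LPS */
} QeEntry;

/* The 47-entry MQ-coder probability table (JBIG2 Annex E / JPEG 2000 Table C-2). */
#define QE_TABLE_SIZE 47
static const QeEntry qe_table[QE_TABLE_SIZE] = {
    {0x5601,1,1,1},   {0x3401,2,6,0},   {0x1801,3,9,0},   {0x0AC1,4,12,0},
    {0x0521,5,29,0},  {0x0221,38,33,0}, {0x5601,7,6,1},   {0x5401,8,14,0},
    {0x4801,9,14,0},  {0x3801,10,14,0}, {0x3001,11,17,0}, {0x2401,12,18,0},
    {0x1C01,13,20,0}, {0x1601,29,21,0}, {0x5601,15,14,1}, {0x5401,16,14,0},
    {0x5101,17,15,0}, {0x4801,18,16,0}, {0x3801,19,17,0}, {0x3401,20,18,0},
    {0x3001,21,19,0}, {0x2801,22,19,0}, {0x2401,23,20,0}, {0x2201,24,21,0},
    {0x1C01,25,22,0}, {0x1801,26,23,0}, {0x1601,27,24,0}, {0x1401,28,25,0},
    {0x1201,29,26,0}, {0x1101,30,27,0}, {0x0AC1,31,28,0}, {0x09C1,32,29,0},
    {0x08A1,33,30,0}, {0x0521,34,31,0}, {0x0441,35,32,0}, {0x02A1,36,33,0},
    {0x0221,37,34,0}, {0x0141,38,35,0}, {0x0111,39,36,0}, {0x0085,40,37,0},
    {0x0049,41,38,0}, {0x0025,42,39,0}, {0x0015,43,40,0}, {0x0009,44,41,0},
    {0x0005,45,42,0}, {0x0001,45,43,0}, {0x5601,46,46,0},
};

/* Bounds-checked lookup: 0 and *e set on success, -1 when the context holds
 * an index the table does not have.  An uninitialised context can hold any
 * index up to 0x7f, far past entry 46: that is the out-of-bounds read. */
int qe_lookup(ArithCx cx, const QeEntry **e)
{
    unsigned idx = cx & 0x7f;
    if (idx >= QE_TABLE_SIZE)
        return -1;
    *e = &qe_table[idx];
    return 0;
}

/* One state transition after a decoded decision; -1 if the context is invalid. */
int arith_update(ArithCx *cx, int was_lps)
{
    const QeEntry *e;
    unsigned mps = *cx >> 7;
    if (qe_lookup(*cx, &e) != 0)
        return -1;
    if (was_lps) {
        if (e->SWITCH)
            mps ^= 1u;
        *cx = (ArithCx)((mps << 7) | e->NLPS);
    } else {
        *cx = (ArithCx)((mps << 7) | e->NMPS);
    }
    return 0;
}

/* Every NMPS/NLPS target is itself a valid index, so a context that starts
 * valid can never leave the table: the real hazard is how the context array
 * was initialised, which is why the patch zeroes GR_stats everywhere. */
int qe_table_closed(void)
{
    for (size_t i = 0; i < QE_TABLE_SIZE; i++)
        if (qe_table[i].NMPS >= QE_TABLE_SIZE || qe_table[i].NLPS >= QE_TABLE_SIZE)
            return 0;
    return 1;
}

/* Count the contexts in an array that would fail qe_lookup. */
size_t count_invalid(const ArithCx *stats, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if ((stats[i] & 0x7f) >= QE_TABLE_SIZE)
            bad++;
    return bad;
}

/* Zeroed context array: every context starts at index 0, MPS 0, the state
 * the standard requires before decoding begins. */
ArithCx *alloc_stats(size_t n)
{
    return calloc(n, sizeof(ArithCx));
}

int main(void)
{
    /* Constructed inputs: a garbage byte such as malloc might leave, and a zeroed one. */
    ArithCx garbage = 0x7f, good = 0;
    const QeEntry *e = NULL;
    int rc = qe_lookup(garbage, &e);
    printf("garbage context 0x7f: %s\n", rc ? "rejected" : "accepted");
    rc = qe_lookup(good, &e);
    printf("zeroed context: %s, Qe=0x%04x\n", rc ? "rejected" : "accepted", rc ? 0u : e->Qe);
    printf("table closed under transitions: %d\n", qe_table_closed());
    arith_update(&good, 1);
    printf("after one LPS from state 0: index %u, MPS %u\n",
           (unsigned)(good & 0x7f), (unsigned)(good >> 7));
    return 0;
}
```

The two halves of the fix belong together: the lookup check turns a wild index into an error the caller can propagate (point 3 of the patch description), while calloc-style zeroing of every context array removes the reason the wild index appears in the first place. Only the second change makes the fuzz case decode correctly; the first keeps a missed initialisation path from becoming a memory-safety bug.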
Comment 2 Alex Cherepanov 2013-05-26 07:09:08 UTC
Thank you for contributing to Ghostscript. Your patch looks reasonable
and shows no problems in our regression testing.

The patch has been adopted and committed as rev. 9567219b7bd46b1d8a7cfc318788e7dc24bebc21