Bug 690596 - memleak with jbig2 images
Summary: memleak with jbig2 images
Status: RESOLVED FIXED
Alias: None
Product: jbig2dec
Classification: Unclassified
Component: Parsing
Version: master
Hardware: All All
Importance: P4 normal
Assignee: Henry Stiles
Duplicates: 690607
Reported: 2009-07-03 01:07 UTC by Krzysztof Kowalczyk
Modified: 2012-02-08 16:45 UTC

Attachments
jbig-decode-error.pdf (30.87 KB, application/pdf)
2009-07-03 01:08 UTC, Krzysztof Kowalczyk

Description Krzysztof Kowalczyk 2009-07-03 01:07:55 UTC
This is compiled with openjpeg

kjkmacpro:mupdf kkowalczyk$ valgrind --leak-check=full obj-rel/pdfdraw ~/Downloads/jbig-decode-error.pdf
==28760== Memcheck, a memory error detector.
==28760== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==28760== Using LibVEX rev 1899, a library for dynamic binary translation.
==28760== Copyright (C) 2004-2009, and GNU GPL'd, by OpenWorks LLP.
==28760== Using valgrind-3.5.0.SVN, a dynamic binary instrumentation framework.
==28760== Copyright (C) 2000-2009, and GNU GPL'd, by Julian Seward et al.
==28760== For more details, rerun with: -v
==28760== 
Drawing pages 1-2...
draw jbig-decode-error.pdf:001 f50b3ad85c5da48b9803bb4f52da5ffc
draw jbig-decode-error.pdf:002 526c49df68db34b341b4b04785cae9f9
==28760== 
==28760== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==28760== malloc/free: in use at exit: 348,538 bytes in 1,181 blocks.
==28760== malloc/free: 1,770 allocs, 589 frees, 77,335,956 bytes allocated.
==28760== For counts of detected errors, rerun with: -v
==28760== searching for pointers to 1,181 not-freed blocks.
==28760== checked 769,600 bytes.
==28760== 
==28760== 24 bytes in 2 blocks are definitely lost in loss record 2 of 16
==28760==    at 0x53A516: malloc (vg_replace_malloc.c:193)
==28760==    by 0xA287E: jbig2_word_stream_buf_new (jbig2.c:60)
==28760==    by 0xA8A21: jbig2_parse_text_region (jbig2_text.c:680)
==28760==    by 0xA2C65: jbig2_data_in (jbig2.c:314)
==28760==    by 0x2BDF0: fz_processjbig2d (filt_jbig2d.c:116)
==28760==    by 0x28D30: fz_process (stm_filter.c:19)
==28760==    by 0x1FA1B: fz_processpipeline (filt_pipeline.c:115)
==28760==    by 0x28D30: fz_process (stm_filter.c:19)
==28760==    by 0x29801: fz_readimp (stm_read.c:62)
==28760==    by 0x28E8A: fz_readall (stm_misc.c:68)
==28760==    by 0x5CE29: pdf_loadstream (pdf_stream.c:471)
==28760==    by 0x4608E: pdf_loadimage (pdf_image.c:392)
==28760== 
==28760== 
==28760== 160 bytes in 8 blocks are definitely lost in loss record 7 of 16
==28760==    at 0x53A516: malloc (vg_replace_malloc.c:193)
==28760==    by 0x106CF: fz_malloc (base_memory.c:5)
==28760==    by 0x128F8: fz_newovernode (node_misc2.c:13)
==28760==    by 0x2E89F: pdf_addtransform (pdf_build.c:51)
==28760==    by 0x488F8: pdf_runcsi (pdf_interpret.c:473)
==28760==    by 0x4ED8F: runone (pdf_page.c:16)
==28760==    by 0x4F63F: pdf_loadpage (pdf_page.c:119)
==28760==    by 0x601F5: drawloadpage (pdfdraw.c:169)
==28760==    by 0x603D7: drawpnm (pdfdraw.c:231)
==28760==    by 0x61142: drawpages (pdfdraw.c:415)
==28760==    by 0x61666: main (pdfdraw.c:494)
==28760== 
==28760== 
==28760== 124,811 bytes in 4 blocks are possibly lost in loss record 14 of 16
==28760==    at 0x53A516: malloc (vg_replace_malloc.c:193)
==28760==    by 0xAD543: jbig2_image_new (jbig2_image.c:44)
==28760==    by 0xA60D0: jbig2_symbol_dictionary (jbig2_symbol_dict.c:369)
==28760==    by 0xA2C65: jbig2_data_in (jbig2.c:314)
==28760==    by 0x2BD62: fz_setjbig2dglobalstream (filt_jbig2d.c:65)
==28760==    by 0x5C6D7: buildonefilter (pdf_stream.c:129)
==28760==    by 0x5CC4D: pdf_openstream (pdf_stream.c:311)
==28760==    by 0x5CDC4: pdf_loadstream (pdf_stream.c:467)
==28760==    by 0x4608E: pdf_loadimage (pdf_image.c:392)
==28760==    by 0x5312F: preloadxobject (pdf_resources.c:146)
==28760==    by 0x539C5: pdf_loadresources (pdf_resources.c:391)
==28760==    by 0x4F2A6: pdf_loadpage (pdf_page.c:216)
==28760== 
==28760== 
==28760== 219,003 (152 direct, 218,851 indirect) bytes in 2 blocks are definitely lost in loss record 16 of 16
==28760==    at 0x53A516: malloc (vg_replace_malloc.c:193)
==28760==    by 0xA277B: jbig2_ctx_new (jbig2.c:60)
==28760==    by 0x2BCC4: fz_newjbig2d (filt_jbig2d.c:48)
==28760==    by 0x5C4B7: buildonefilter (pdf_stream.c:121)
==28760==    by 0x5CC4D: pdf_openstream (pdf_stream.c:311)
==28760==    by 0x5CDC4: pdf_loadstream (pdf_stream.c:467)
==28760==    by 0x4608E: pdf_loadimage (pdf_image.c:392)
==28760==    by 0x5312F: preloadxobject (pdf_resources.c:146)
==28760==    by 0x539C5: pdf_loadresources (pdf_resources.c:391)
==28760==    by 0x4F2A6: pdf_loadpage (pdf_page.c:216)
==28760==    by 0x601F5: drawloadpage (pdfdraw.c:169)
==28760==    by 0x603D7: drawpnm (pdfdraw.c:231)
==28760== 
==28760== LEAK SUMMARY:
==28760==    definitely lost: 336 bytes in 12 blocks.
==28760==    indirectly lost: 218,851 bytes in 1,154 blocks.
==28760==      possibly lost: 124,811 bytes in 4 blocks.
==28760==    still reachable: 4,540 bytes in 11 blocks.
==28760==         suppressed: 0 bytes in 0 blocks.
==28760== Reachable blocks (those to which a pointer was found) are not shown.
==28760== To see them, rerun with: --leak-check=full --show-reachable=yes
Comment 1 Krzysztof Kowalczyk 2009-07-03 01:08:30 UTC
Created attachment 5180
jbig-decode-error.pdf

PDF that shows the memleak
Comment 2 Tor Andersson 2010-05-21 01:34:46 UTC
The main leaks seem to have been fixed, the only one
that remains is a 24 byte struct. The following patch
makes sure that the word stream is freed. I haven't
tested it exclusively, but it plugs the leak in the
example file.

diff --git a/jbig2_text.c b/jbig2_text.c
index d910d81..9b13692 100644
--- a/jbig2_text.c
+++ b/jbig2_text.c
@@ -711,7 +711,6 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
        }
 
        as = jbig2_arith_new(ctx, ws);
-       ws = 0;
 
         params.IADT = jbig2_arith_int_ctx_new(ctx);
         params.IAFS = jbig2_arith_int_ctx_new(ctx);
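Review bot: with `ws = 0;` dropped after `as = jbig2_arith_new(ctx, ws);`, the word stream now has two live references, the local `ws` and whatever `as` retains, and nothing in the hunk says which one owns it. Please add a comment at this assignment stating that the caller keeps ownership and that tearing down `as` does not free the stream, since the jbig2_word_stream_buf_free(ctx, ws) call added later in the patch would otherwise release it twice. The result of jbig2_arith_new is also used without a NULL check in the lines shown, which matters now that the next hunk branches on `as`.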
@@ -730,7 +729,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
     code = jbig2_decode_text_region(ctx, segment, &params,
                 (const Jbig2SymbolDict * const *)dicts, n_dicts, image,
                 segment_data + offset, segment->data_length - offset,
-               GR_stats, as, ws);
+               GR_stats, as, as ? NULL : ws);
 
     if (!params.SBHUFF && params.SBREFINE) {
        jbig2_free(ctx->allocator, GR_stats);
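Review bot: the new argument `as ? NULL : ws` picks the decoder input by whether `as` was allocated rather than by the coding mode. If jbig2_arith_new returned NULL, jbig2_decode_text_region would now receive a NULL `as` together with a non-NULL `ws`, a combination the removed `ws = 0;` ruled out. Selecting on params.SBHUFF, as the condition just below the call does, or failing early when `as` is NULL, would make the intent explicit and keep the argument independent of allocation success.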
@@ -745,6 +744,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
       jbig2_release_huffman_table(ctx, params.SBHUFFRDW);
       jbig2_release_huffman_table(ctx, params.SBHUFFRDH);
       jbig2_release_huffman_table(ctx, params.SBHUFFRSIZE);
+      jbig2_word_stream_buf_free(ctx, ws);
     }
     else {
        jbig2_arith_int_ctx_free(ctx, params.IADT);
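Review bot: jbig2_word_stream_buf_free(ctx, ws) is added at the end of the branch that releases the Huffman tables, while the `else` branch that starts with jbig2_arith_int_ctx_free(ctx, params.IADT) shows no matching call in this hunk. The first hunk has `ws` handed to jbig2_arith_new right before the IADT and IAFS contexts are created, so the stream looks to be live on the path that the `else` branch cleans up. Please confirm the free is reached on that path, or move it after the if/else so it runs in both cases, and check that jbig2_word_stream_buf_free tolerates a NULL `ws`.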
Comment 3 Henry Stiles 2011-11-29 04:26:02 UTC
*** Bug 690607 has been marked as a duplicate of this bug. ***
Comment 4 Henry Stiles 2012-02-08 16:45:50 UTC
Seems to have been fixed with Tor's patch in Comment 2.