Reading jbig2_decode_symbol_dict() source code:

A) Note the if condition at line ..:

    /* 6.5.5 (4c.ii) */
    if (!params->SDHUFF || params->SDREFAGG) { .. }

We obviously enter the if body also in the case:

    params->SDHUFF == params->SDREFAGG == TRUE    (1)

In this case the variable Jbig2ArithState *as is still set to NULL, because it is allocated only if params->SDHUFF == FALSE.

B) In the body of the if statement we find a call to the routine jbig2_decode_text_region(). Because of point A), in case (1) above it receives a NULL value for the parameter as.

C) jbig2_decode_text_region() calls in turn the routine jbig2_decode_refinement_region(). In case (1) this call is also done with a NULL value for the as parameter, but jbig2_decode_refinement_region() uses this parameter, and we have a NULL-pointer dereference error.

Summing up: in the case params->SDHUFF == params->SDREFAGG == TRUE we can have a GPFault in jbig2_decode_symbol_dict().

I don't know if case (1) is possible in real situations; however, if points A)-C) are true, it seems to me a dangerous path of execution.
*** This bug has been marked as a duplicate of bug 690889 ***
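The reasoning in the report is a gating mismatch: the state pointer is allocated under one condition (!SDHUFF) but used under a broader one (!SDHUFF || SDREFAGG), and the two overlap only when both flags are TRUE. The following is an added, self-contained C example that is not jbig2dec code: the SymDictParams and ArithState structures and all function names are constructed stand-ins that mirror only the flag names quoted in the report. The first function enumerates whether the unguarded path would reach the refinement routine with a NULL state; the second shows the defensive pattern of having the callee validate its pointer precondition and fail closed with an error code rather than trusting the caller's gating.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins (constructed for this example, not
 * jbig2dec's own types): the two flags named in the report and an opaque
 * arithmetic-decoder state. */
typedef struct { int SDHUFF; int SDREFAGG; } SymDictParams;
typedef struct { unsigned char consumed; } ArithState;

enum { SD_OK = 0, SD_ERR_NULL_STATE = -1 };

/* Models the gating described in the report: the state is allocated only when
 * SDHUFF is false, but the refinement path runs whenever (!SDHUFF || SDREFAGG).
 * Returns 1 when the refinement routine would be reached with as == NULL,
 * i.e. when an unguarded dereference would fault; 0 otherwise. */
static int refinement_reached_with_null_state(const SymDictParams *p)
{
    ArithState *as = NULL;
    int reached_null = 0;

    if (!p->SDHUFF)
        as = calloc(1, sizeof *as);          /* only the arithmetic branch allocates */

    if (!p->SDHUFF || p->SDREFAGG) {
        /* text region -> refinement region would use 'as' here */
        if (as == NULL)
            reached_null = 1;
    }
    free(as);
    return reached_null;
}

/* Hardened callee: check the precondition at the boundary and fail closed. */
static int decode_refinement_region_checked(ArithState *as)
{
    if (as == NULL)
        return SD_ERR_NULL_STATE;            /* no dereference on the bad path */
    as->consumed = 1;                        /* stand-in for real decoding work */
    return SD_OK;
}

/* Same caller gating as above, but the error now propagates instead of faulting. */
static int decode_symbol_dict_checked(const SymDictParams *p)
{
    ArithState *as = NULL;
    int rc = SD_OK;

    if (!p->SDHUFF)
        as = calloc(1, sizeof *as);

    if (!p->SDHUFF || p->SDREFAGG)
        rc = decode_refinement_region_checked(as);

    free(as);
    return rc;
}

int main(void)
{
    /* Walk all four flag combinations; only SDHUFF=1,SDREFAGG=1 is unsafe. */
    for (int huff = 0; huff <= 1; huff++) {
        for (int refagg = 0; refagg <= 1; refagg++) {
            SymDictParams p = { huff, refagg };
            printf("SDHUFF=%d SDREFAGG=%d: null-state reached=%d, checked rc=%d\n",
                   huff, refagg,
                   refinement_reached_with_null_state(&p),
                   decode_symbol_dict_checked(&p));
        }
    }
    return 0;
}
```

The table the program prints makes the report's point concrete: three of the four combinations never touch a NULL state, and the fourth is exactly case (1). Whether real JBIG2 input can set both flags is a separate question the report leaves open; the defensive check costs nothing on the other three paths and turns a fault into a reportable decode error.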