Bug 690895 - possible NULL-pointer dereference in jbig2_decode_symbol_dict()
Summary: possible NULL-pointer dereference in jbig2_decode_symbol_dict()
Status: RESOLVED DUPLICATE of bug 690889
Alias: None
Product: jbig2dec
Classification: Unclassified
Component: Rendering
Version: unspecified
Hardware: PC Windows XP
Importance: P4 normal
Assignee: Henry Stiles
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-11-06 18:13 UTC by gorac
Modified: 2011-05-11 22:30 UTC
CC List: 1 user

See Also:
Customer:
Word Size: ---


Description gorac 2009-11-06 18:13:34 UTC
Reading the jbig2_decode_symbol_dict() source code:

A) Note the if condition at line ..:
      /* 6.5.5 (4c.ii) */
      if (!params->SDHUFF || params->SDREFAGG)
      {
         ..
      }
   We obviously enter the if body also in the case: 
      params->SDHUFF == params->SDREFAGG == TRUE          (1)

   In this case the variable Jbig2ArithState *as is still set to NULL because
   it is allocated only if params->SDHUFF == FALSE.

B) In the body of the if statement we find a call to the routine
   jbig2_decode_text_region().
   Because of point A), in case (1) mentioned above it receives a NULL
   value for the parameter as.

C) jbig2_decode_text_region() in turn calls the routine
   jbig2_decode_refinement_region().
   In case (1) this call is also made with a NULL value for the as
   parameter, but jbig2_decode_refinement_region() uses this parameter and we
   have a NULL-pointer dereference error.

Summing up: in the case params->SDHUFF == params->SDREFAGG == TRUE we can have
a GPFault in jbig2_decode_symbol_dict().

I don't know if case (1) is possible in real situations; however, if points
A)-C) are true, it seems to me a dangerous path of execution.
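
The control flow described in points A)-C), modelled in a small stand-alone C
program, as an added example that is not part of this report and not jbig2dec
code. The struct, function and error-code names (symdict_params, arith_state,
decode_symbol_dict_*, refinement_region_*, JB_*) are hypothetical stand-ins;
the "vulnerable" function reproduces the allocation/branch mismatch the
reporter describes, and the "hardened" one allocates the arithmetic state
under the same condition that takes the 6.5.5 (4c.ii) branch and makes the
refinement callee reject a NULL state instead of dereferencing it. Whether
SDHUFF && SDREFAGG is a legal input is left open here, as it is in the report.

```c
/* Added example, not jbig2dec code: a stripped-down model of the decode path
 * the report describes.  All names below are hypothetical stand-ins. */
#include <stdlib.h>
#include <stdio.h>

#define JB_OK       0
#define JB_EINVAL  -1   /* NULL decoder state handed to a callee */
#define JB_ENOMEM  -2

typedef struct {
    int SDHUFF;    /* 1: Huffman-coded symbol dictionary, 0: arithmetic */
    int SDREFAGG;  /* 1: refinement/aggregate coding is used */
} symdict_params;

typedef struct {
    unsigned next_bit;  /* stand-in for real arithmetic-decoder state */
} arith_state;

/* Pure predicate on the flags: would the vulnerable caller hand a NULL
 * state to the refinement decoder?  Lets the bad path be checked without
 * actually taking it. */
int vulnerable_path_passes_null(const symdict_params *p)
{
    return p->SDHUFF && p->SDREFAGG;
}

/* Stand-in for jbig2_decode_refinement_region() as described in point C):
 * uses `as` unconditionally, so a NULL argument is a NULL-pointer deref. */
static int refinement_region_unchecked(arith_state *as)
{
    return (int)(as->next_bit & 1u);
}

/* Hardened callee: validate the argument before touching it. */
int refinement_region_checked(arith_state *as)
{
    if (as == NULL)
        return JB_EINVAL;
    return (int)(as->next_bit & 1u);
}

/* Stand-in for jbig2_decode_text_region() (point B): forwards `as` as-is. */
static int text_region(const symdict_params *p, arith_state *as,
                       int (*refine)(arith_state *))
{
    return p->SDREFAGG ? refine(as) : JB_OK;
}

/* Vulnerable shape (point A): `as` is allocated only when !SDHUFF, but the
 * branch is entered whenever SDREFAGG is set, so SDHUFF && SDREFAGG reaches
 * the callee with as == NULL. */
int decode_symbol_dict_vulnerable(const symdict_params *p)
{
    arith_state *as = NULL;
    int rc = JB_OK;

    if (!p->SDHUFF) {
        as = calloc(1, sizeof *as);
        if (!as)
            return JB_ENOMEM;
        as->next_bit = 1;
    }

    /* 6.5.5 (4c.ii) */
    if (!p->SDHUFF || p->SDREFAGG)
        rc = text_region(p, as, refinement_region_unchecked);

    free(as);
    return rc;
}

/* Hardened shape: allocate under the same condition that takes the branch,
 * and use the checking callee so a caller that later breaks this invariant
 * gets JB_EINVAL instead of a crash. */
int decode_symbol_dict_hardened(const symdict_params *p)
{
    arith_state *as = NULL;
    int rc = JB_OK;

    if (!p->SDHUFF || p->SDREFAGG) {
        as = calloc(1, sizeof *as);
        if (!as)
            return JB_ENOMEM;
        as->next_bit = 1;
    }

    /* 6.5.5 (4c.ii) */
    if (!p->SDHUFF || p->SDREFAGG)
        rc = text_region(p, as, refinement_region_checked);

    free(as);
    return rc;
}

int main(void)
{
    const symdict_params cases[] = { {0, 0}, {0, 1}, {1, 0}, {1, 1} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const symdict_params *p = &cases[i];
        printf("SDHUFF=%d SDREFAGG=%d: vulnerable passes NULL=%d hardened rc=%d\n",
               p->SDHUFF, p->SDREFAGG,
               vulnerable_path_passes_null(p), decode_symbol_dict_hardened(p));
    }
    return 0;
}
```

Only the hardened variant is exercised on the SDHUFF && SDREFAGG input; the
vulnerable one is left to the predicate for that case, since calling it there
would do exactly what the report warns about.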
Comment 1 Henry Stiles 2011-05-11 22:30:37 UTC

*** This bug has been marked as a duplicate of bug 690889 ***