Bug 691254 - jbig2dec doesn't handle 042_14
Summary: jbig2dec doesn't handle 042_14
Status: RESOLVED FIXED
Alias: None
Product: jbig2dec
Classification: Unclassified
Component: Parsing
Version: master
Hardware: All All
Importance: P2 major
Assignee: Henry Stiles
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-04-21 09:32 UTC by Masaki Ushizaka
Modified: 2012-02-08 16:49 UTC

See Also:
Customer:
Word Size: ---


Attachments
Patch to prevent seg fault (9.37 KB, patch)
2012-01-20 21:26 UTC, Shailesh Mistry

Description Masaki Ushizaka 2010-04-21 09:32:00 UTC
jbig2dec doesn't handle the ubc testsuite file 042_14.jb2 (Symbol Region, Ref-Agg Huffman).
Current code segfaults with this file.  Ralph said it resulted in a wrong image when it didn't segfault.

$ export DYLD_LIBRARY_PATH="..../jbig2dec/.libs"
$ gdb .libs/jbig2dec 
...
(gdb) run ../ubc/042_14.jb2
...

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000090
jbig2_arith_decode (as=0x0, pcx=0x90 <Address 0x90 out of bounds>) at jbig2_arith.c:282
282	  Jbig2ArithCx cx = *pcx;
(gdb) bt
#0  jbig2_arith_decode (as=0x0, pcx=0x90 <Address 0x90 out of bounds>) at jbig2_arith.c:282
#1  0x00020e65 in jbig2_decode_refinement_template0_unopt [inlined] () at jbig2_refinement.c:86
#2  0x00020e65 in jbig2_decode_refinement_region (ctx=0x100150, segment=0x100330, params=0xbfffe57c, as=0x0, image=0x100530, GR_stats=0x0) at jbig2_refinement.c:277
#3  0x0001bc6d in jbig2_symbol_dictionary (ctx=0x100150, segment=0x100330, segment_data=0xaa000 "") at jbig2_symbol_dict.c:530
#4  0x000181f4 in jbig2_data_in (ctx=0x100150, data=0x90 <Address 0x90 out of bounds>, size=4096) at jbig2.c:316
#5  0x00002249 in main (argc=2, argv=0xbffff7a8) at jbig2dec.c:448
(gdb) 

This symptom was already there in jbig2dec 0.11.
Comment 1 Masaki Ushizaka 2010-04-22 09:30:08 UTC
The segmentation fault started from the following git commit.

> commit df910b6ffff7ae54db6c2d2430709ebb911eda49
> Author: ray <ray@ded80894-8fb9-0310-811b-c03f3676ab4d>
> Date:   Tue Aug 16 20:20:08 2005 +0000
> 
>     Fix for shift right 32 bits of unsigned int being treated as shift right 0.
>     
>     
>     git-svn-id: http://svn.ghostscript.com/jbig2dec/trunk@425 ded80894-8fb9-0310-811b-c03f3676ab4d

In the ghostscript subversion repository, this started from r6227.
jbig2dec versions 0.9, 0.10 and 0.11 all have this problem.
Comment 2 Shailesh Mistry 2012-01-20 21:26:30 UTC
Created attachment 8299
Patch to prevent seg fault

This patch prevents the seg fault but does not fully implement the missing Ref-Agg Huffman functionality.
Comment 3 Robin Watts 2012-01-24 19:17:17 UTC
I can confirm that this stops both Ghostscript and MuPDF SEGVing on the file in question. A cluster test of Ghostscript shows no ill effects.
Comment 4 Henry Stiles 2012-01-25 01:08:00 UTC
(In reply to comment #2)
> Created an attachment (id=8299)
> Patch to prevent seg fault
> 
> This patch prevents the seg fault but does not fully implement the missing
> Ref-Agg Huffman functionality.

Please commit.
Comment 5 Shailesh Mistry 2012-02-05 14:44:45 UTC
The patch was committed as 845ac2669008d3c8daf6461c0fda3b0496d7443e. The test file Jbig2_042_14.pdf has been tried in Adobe PDF reader and with the Luratech code but both fail to render it. It is possible that the test file is actually corrupt.
Comment 6 Henry Stiles 2012-02-08 16:49:06 UTC
Good enough.
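The backtrace in the description shows jbig2_symbol_dictionary calling the refinement decoder with as=0x0 and GR_stats=0x0, so the first context read in jbig2_arith_decode faults. The following is an added example, not jbig2dec's own code or the attached patch: it models that call path with simplified stand-in structures and shows the kind of guard that turns the unsupported Huffman ref-agg case into an error return instead of a NULL dereference. All names (Jbig2ArithState fields, refine_guarded, the SD_ERR_* codes, the sample data) are assumptions of this example.

```c
/* Added example (not jbig2dec's own code): models the call path in the
 * backtrace, where a symbol dictionary using Huffman coding with
 * refinement/aggregation (SDHUFF=1, REFAGG=1) hands a NULL arithmetic
 * decoder state and NULL GR_stats to the refinement decoder.
 * The structures below are hypothetical simplifications. */
#include <stddef.h>
#include <stdint.h>

typedef uint8_t Jbig2ArithCx;                        /* one adaptive context entry */
typedef struct { uint32_t C; int CT; } Jbig2ArithState; /* stand-in for the real state */

enum { SD_OK = 0, SD_ERR_UNSUPPORTED = -1, SD_ERR_NULL_STATE = -2 };

/* Stand-in for jbig2_arith_decode(): like jbig2_arith.c:282 it reads *pcx,
 * so a NULL context array or NULL decoder state crashes immediately. */
static int arith_decode_stub(Jbig2ArithState *as, Jbig2ArithCx *pcx)
{
    Jbig2ArithCx cx = *pcx;   /* the line that faulted (pcx = 0x90) */
    as->CT--;                 /* also dereferences the NULL 'as' */
    return (cx & 1) ^ (as->CT & 1);
}

/* Unguarded path: decodes with whatever state it is given (pre-fix behaviour). */
static int refine_unguarded(Jbig2ArithState *as, Jbig2ArithCx *GR_stats)
{
    return arith_decode_stub(as, GR_stats);
}

/* Guarded path: the caller checks, before decoding a refinement, that the
 * decoder state it would pass exists. SDHUFF && REFAGG is the case the page
 * describes as not implemented, so it is reported rather than decoded. */
static int refine_guarded(int SDHUFF, int REFAGG,
                          Jbig2ArithState *as, Jbig2ArithCx *GR_stats)
{
    if (SDHUFF && REFAGG)
        return SD_ERR_UNSUPPORTED;   /* no arithmetic state exists for this path */
    if (as == NULL || GR_stats == NULL)
        return SD_ERR_NULL_STATE;    /* defence in depth for any other caller */
    return refine_unguarded(as, GR_stats);
}

/* Constructed sample data for a stand-alone run. */
static Jbig2ArithState sample_state = { 0, 4 };
static Jbig2ArithCx sample_cx[1] = { 0 };
```

Only the guarded entry point is safe to call with NULL arguments; refine_unguarded reproduces the crash the backtrace shows if it is handed the same NULL pointers.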