Bug 694021 - Seg faults found by fuzzing in jbig2_arith_decode
Summary: Seg faults found by fuzzing in jbig2_arith_decode
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Fuzzing
Version: master
Hardware: PC Linux
Importance: P4 normal
Assignee: Default assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-09 03:04 UTC by Marcos H. Woehrmann
Modified: 2013-05-26 07:09 UTC

See Also:
Customer:
Word Size: ---


Attachments
log.txt (170.48 KB, text/plain)
2013-05-09 03:04 UTC, Marcos H. Woehrmann
Patch for seg fault related issues (3.59 KB, patch)
2013-05-10 22:31 UTC, Shailesh Mistry

Description Marcos H. Woehrmann 2013-05-09 03:04:27 UTC
Created attachment 9674
log.txt

Seg faults in the 64 bit build of ghostscript were found by fuzzing in jbig2_arith_decode while reading these file(s). See the attached log.txt for details.

3324.pdf.SIGSEGV.47c.2585.cups.300.1
3324.pdf.SIGSEGV.47c.2585.pam.72.0
3324.pdf.SIGSEGV.47c.2585.pbmraw.300.0
3324.pdf.SIGSEGV.47c.2585.pbmraw.300.1
3324.pdf.SIGSEGV.47c.2585.pbmraw.72.0
3324.pdf.SIGSEGV.47c.2585.pdf.pkmraw.300.0
3324.pdf.SIGSEGV.47c.2585.pdf.ppmraw.300.0
3324.pdf.SIGSEGV.47c.2585.pdf.ppmraw.72.0
3324.pdf.SIGSEGV.47c.2585.pgmraw.300.0
3324.pdf.SIGSEGV.47c.2585.pgmraw.300.1
3324.pdf.SIGSEGV.47c.2585.pgmraw.72.0
3324.pdf.SIGSEGV.47c.2585.pkmraw.300.0
3324.pdf.SIGSEGV.47c.2585.pkmraw.300.1
3324.pdf.SIGSEGV.47c.2585.pkmraw.72.0
3324.pdf.SIGSEGV.47c.2585.ppmraw.300.0
3324.pdf.SIGSEGV.47c.2585.ppmraw.300.1
3324.pdf.SIGSEGV.47c.2585.ppmraw.72.0
3324.pdf.SIGSEGV.47c.2585.ps.pkmraw.300.0
3324.pdf.SIGSEGV.47c.2585.ps.ppmraw.300.0
3324.pdf.SIGSEGV.47c.2585.ps.ppmraw.72.0
3324.pdf.SIGSEGV.47c.2585.psdcmyk.300.1
3324.pdf.SIGSEGV.47c.2585.psdcmyk.72.0
Comment 1 Shailesh Mistry 2013-05-10 22:31:23 UTC
Created attachment 9718
Patch for seg fault related issues

The seg fault is due to the image decoder trying to use an uninitialized GR_stats. This also uncovered a few other errors that are covered here :-

1) GR_stats is now initialised in all places to prevent it reaching jbig2_arith_decode with fake values.

2) jbig2_arith_decode has been updated to prevent access outside of the jbig2_arith_Qe array, and now returns an error in such cases.

3) All uses of jbig2_decode_refinement_region now check for a returned error and act accordingly.
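The three points above describe one defensive pattern: zero-initialise the adaptive context stats, validate the state index before it is used to address the probability table, and make every caller propagate the error. The following is an added illustration written for this page, not jbig2dec's code: the struct and function names (qe_entry, arith_cx, stats_alloc, qe_lookup, cx_update, decode_region) are hypothetical, and the six-row table is constructed so that every transition stays in range (the real MQ-coder table is larger). An uninitialised or corrupted stats entry is rejected with an error code instead of indexing past the end of the table.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of an MQ-coder probability-state table (constructed rows,
 * not the standard table): each state gives the LPS estimate and the
 * next states after an MPS or an LPS decision. */
typedef struct {
    uint16_t qe;         /* probability estimate for the LPS */
    uint8_t  nmps;       /* next state after decoding an MPS */
    uint8_t  nlps;       /* next state after decoding an LPS */
    uint8_t  switch_mps; /* 1: swap the MPS sense on an LPS */
} qe_entry;

static const qe_entry qe_table[] = {
    {0x5601, 1, 1, 1},
    {0x3401, 2, 0, 0},
    {0x1801, 3, 1, 0},
    {0x0AC1, 4, 2, 0},
    {0x0521, 5, 3, 0},
    {0x0221, 5, 4, 0},
};
#define QE_COUNT (sizeof qe_table / sizeof qe_table[0])

/* Per-context adaptive state (the role GR_stats plays in the report):
 * an index into qe_table plus the current more-probable symbol. */
typedef struct {
    uint8_t index;
    uint8_t mps;
} arith_cx;

/* Point 1: stats are always zero-initialised, never left as heap garbage.
 * Index 0 / MPS 0 is the decoder's defined starting state. */
arith_cx *stats_alloc(size_t n) {
    return calloc(n, sizeof(arith_cx));
}

/* Point 2: validate the table index before it is dereferenced and
 * report an error rather than reading outside the table. */
int qe_lookup(const arith_cx *cx, const qe_entry **out) {
    if (cx->index >= QE_COUNT) return -1;
    *out = &qe_table[cx->index];
    return 0;
}

/* Advance one context given whether the decoded symbol was the MPS.
 * Returns the decoded bit (0 or 1), or -1 if the state is corrupt. */
int cx_update(arith_cx *cx, int decoded_mps) {
    const qe_entry *e;
    int bit;
    if (qe_lookup(cx, &e) < 0) return -1;
    if (decoded_mps) {
        bit = cx->mps;
        cx->index = e->nmps;
    } else {
        bit = !cx->mps;
        if (e->switch_mps) cx->mps = !cx->mps;
        cx->index = e->nlps;
    }
    /* Defensive: the transition target must also be a valid state. */
    return cx->index < QE_COUNT ? bit : -1;
}

/* Point 3: a region decoder that propagates the error instead of
 * continuing with a bad state. `decisions` is a constructed sequence of
 * MPS(1)/LPS(0) outcomes, one per output pixel; contexts are cycled. */
int decode_region(arith_cx *stats, size_t nstats,
                  const uint8_t *decisions, size_t n, uint8_t *out) {
    for (size_t i = 0; i < n; i++) {
        arith_cx *cx = &stats[i % nstats];
        int bit = cx_update(cx, decisions[i]);
        if (bit < 0) return -1; /* caller must check, as in the patch */
        out[i] = (uint8_t)bit;
    }
    return 0;
}
```

The check in qe_lookup is what turns a wild read into a recoverable error; stats_alloc removes the most common way a bad index arrives in the first place, and decode_region shows the error surviving up through the caller rather than being discarded.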
Comment 2 Alex Cherepanov 2013-05-26 07:09:08 UTC
Thank you for contributing to Ghostscript. Your patch looks reasonable
and shows no problems in our regression testing.

The patch has been adopted and committed as rev. 9567219b7bd46b1d8a7cfc318788e7dc24bebc21