Created attachment 9745 [details]
log.txt

Segfaults in the 64-bit build of mupdf were found by fuzzing in jbig2_huffman_get while reading these file(s). See the attached log.txt for details.

mupdf__3324.pdf.asan.50.2585.pgmraw.200.1
mupdf__3324.pdf.asan.50.2585.ppmraw.200.1
mupdf__3324.pdf.asan.50.2585.ppmraw.72.0
This one is still around.
These problems are Bountible to Shelly and Simon (only) under the arrangement we set up previously for jbig2 and jpeg 2000 problems. If you two can divide them fairly, that's great; if not, I'll review them and assign them. Let me know.
Marcos: The file 3324.pdf.asan.50.2585 seems to have been missing from the mupdf.zip you've shared with us. Could you please send it to me so that I can start looking into this issue?
This (and a number of others) is, I think, a decoder problem, so reassigning to Henry.
Thanks for the file, Marcos. This file causes a heap overflow due to insufficient checks in jbig2_image_compose. Proposed fix: https://github.com/zeniko/jbig2dec/commit/9c232373bf4ec2df6148b1bdac5b95af2f93cea5
BTW: This might be the same issue as bug 694362.
Created attachment 10059 [details]
patch

Henry: This patch still needs your stamp of approval before it can land.
If it passes the regression tests please commit.
This patch passed a cluster run (tested with MuPDF).
The patch cannot be applied directly to the ghostscript tree because it was created from the mupdf tree. I believe git am will not work across repositories because it depends on hash numbers. The error is:

    git am 'file' does not exist in index

I assume that refers to the hash in the patch, which presumably is an ancestor of the file being modified. We really must do something about the multiple repository nonsense, but in the meantime I'll apply the patch and log manually.
Created attachment 10159 [details]
revised.patch

Revised patch to make it work with gs.
(In reply to comment #11)
> Created attachment 10159 [details]
> revised.patch
>
> Revised patch to make it work with gs.

For clarity, I should say that the patch contents are identical. I just tweaked the paths in the patch so it will apply to the gs repo rather than the standalone jbig2dec one.
My comment about the index was incorrect; as Robin says in Comment 10, only the pathname in the patch needs correcting.

Checked into master:

commit f7064096ceac3d6c148096a936e1ea10fd8f0c55
Author: zeniko <zeniko@gmail.com>
Date:   Fri Jul 5 13:11:58 2013 +0200

    Bug 694111: prevent heap overflow

    jbig2_image_compose fails to ensure that the destination rectangle lies
    entirely within the destination buffer (in the case of the file
    3324.pdf.asan.50.2585, this happens due to a huge value for y).

    Adding a new check which makes sure that...
    @ y * dst->stride + leftbyte doesn't overflow
    @ x and leftbyte don't overflow to the next line
    @ h * dst->stride doesn't overflow
    @ all values read are within the destination buffer

    The file 3324.pdf.asan.50.2585 also demonstrates a memory leak where the
    glyph isn't properly released if jbig2_image_compose fails.
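The commit message above lists the conditions a compose routine has to verify before writing into the destination bitmap. The following is an added illustration of that bug class and of the checks, written for this page; it is not jbig2dec's code and does not reproduce the actual patch. It uses a constructed 1-bit-per-pixel image type that imitates the shape of jbig2dec's image struct (width, height, stride, data), a deliberately naive 32-bit offset check that a huge y defeats by wrapping y * stride, and a hardened compose that widens every computation to 64 bits and refuses any rectangle that does not lie entirely inside the destination buffer. The function and variable names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed 1-bpp image type for this example. It imitates the shape of
 * jbig2dec's image struct but is not the project's code. */
typedef struct {
    uint32_t width, height;
    uint32_t stride;   /* bytes per row */
    uint8_t *data;     /* height * stride bytes, row-major, MSB = leftmost */
} Image;

Image *image_new(uint32_t width, uint32_t height)
{
    Image *im = calloc(1, sizeof *im);
    if (!im) return NULL;
    im->width = width; im->height = height; im->stride = (width + 7) / 8;
    im->data = calloc((size_t)im->stride * height, 1);
    if (!im->data) { free(im); return NULL; }
    return im;
}

void image_free(Image *im) { if (im) { free(im->data); free(im); } }

int image_get_pixel(const Image *im, uint32_t x, uint32_t y)
{
    return (im->data[(size_t)y * im->stride + x / 8] >> (7 - x % 8)) & 1;
}

static void set_pixel(Image *im, uint32_t x, uint32_t y)
{
    im->data[(size_t)y * im->stride + x / 8] |= (uint8_t)(0x80 >> (x % 8));
}

/* The bug class, isolated: a start-offset check in 32-bit arithmetic. A huge
 * y makes y * stride wrap, so the offset looks small and passes although the
 * real offset is far past the buffer. Reports the verdict only; never writes. */
int naive_offset_in_bounds(const Image *dst, uint32_t x, uint32_t y)
{
    uint32_t leftbyte = x / 8;
    uint32_t offset = y * dst->stride + leftbyte;   /* wraps modulo 2^32 */
    return offset < dst->stride * dst->height;
}

/* Hardened compose: OR src into dst at (x, y). Returns 0 on success, -1 when
 * the destination rectangle is not entirely inside dst. Arithmetic is widened
 * to 64 bits so it cannot wrap; each test mirrors a condition from the commit. */
int image_compose_or(Image *dst, const Image *src, uint32_t x, uint32_t y)
{
    uint64_t dst_size = (uint64_t)dst->height * dst->stride;
    uint64_t leftbyte = x / 8;

    /* y * stride + leftbyte must land inside the buffer */
    if ((uint64_t)y * dst->stride + leftbyte >= dst_size) return -1;
    /* x plus the source width must not run onto the next line */
    if ((uint64_t)x + src->width > dst->width) return -1;
    /* y plus the source height must not pass the last row (bounds h * stride) */
    if ((uint64_t)y + src->height > dst->height) return -1;

    for (uint32_t r = 0; r < src->height; r++)
        for (uint32_t c = 0; c < src->width; c++)
            if (image_get_pixel(src, c, r))
                set_pixel(dst, x + c, y + r);
    return 0;
}

/* Constructed scenarios: a normal compose, the "huge y" case, and an x past
 * the row end. Returns 0 if every observation matches, else the failing step. */
int demo(void)
{
    Image *dst = image_new(64, 64);             /* stride 8, 512 bytes */
    Image *src = image_new(8, 8);
    int rc = 0;
    if (!dst || !src) { image_free(dst); image_free(src); return 99; }
    memset(src->data, 0xFF, (size_t)src->stride * src->height);

    if (image_compose_or(dst, src, 4, 4) != 0) rc = 1;
    else if (!image_get_pixel(dst, 4, 4) || !image_get_pixel(dst, 11, 11)) rc = 2;
    else if (image_get_pixel(dst, 3, 3) || image_get_pixel(dst, 12, 12)) rc = 3;
    /* 0x40000000 * 8 wraps to 0 in 32 bits, so the naive check is fooled... */
    else if (naive_offset_in_bounds(dst, 0, 0x40000000u) != 1) rc = 4;
    /* ...while the widened check rejects the compose before any write */
    else if (image_compose_or(dst, src, 0, 0x40000000u) != -1) rc = 5;
    /* x = 70 gives a small, in-range byte offset yet spills onto the next row */
    else if (naive_offset_in_bounds(dst, 70, 0) != 1 ||
             image_compose_or(dst, src, 70, 0) != -1) rc = 6;

    image_free(dst); image_free(src);
    return rc;
}

int main(void)
{
    int rc = demo();
    if (rc == 0) printf("all checks behaved as expected\n");
    else printf("check %d failed\n", rc);
    return rc;
}
```

The point of keeping the naive check next to the hardened one is that the naive version is not wrong for ordinary inputs; it only fails once y is large enough for y * stride to exceed 2^32, which is exactly what a fuzzer finds and a hand-written test rarely does. Widening to 64 bits is one way to make the comparison honest; checking `y + h <= height` and `x + w <= width` first, as the hardened function does, also catches the overflow independently of the stride arithmetic.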