Bug 692743

Summary: null-pointer dereference
Product: jbig2dec
Reporter: 01f82a2cc008
Component: Rendering
Assignee: Henry Stiles <henry.stiles>
Status: RESOLVED FIXED
Severity: normal
CC: robin.watts
Priority: P4
Version: master
Hardware: PC
OS: Linux
URL: http://ghostscript.com/pipermail/jbig2-dev/2011-December/000127.html
Customer:
Word Size: ---
Attachments: data that causes jbig2dec to null-pointer dereference

Description 01f82a2cc008 2011-12-14 17:45:44 UTC
Created attachment 8223 [details]
data that causes jbig2dec to null-pointer dereference

NULL-pointer dereference at jbig2_image_clone in
jbig2_image.c:61 with current git version (c29b63557cb191f from )

It occurs if jbig2dec is called with <global_stream> <page_stream> and
no page segment with an image description is inside <page_stream> (for example if the global and page streams are exchanged).
The function jbig2_page_out then calls jbig2_image_clone with a null pointer.

GNU gdb (Gentoo 7.2 p1) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /home/user/sem12/ma/pdf/jbig2/jbig2dec_git/jbig2dec/.libs/jbig2dec...done.
(gdb) r -o output.pbm page_seg global_seg 
Starting program: /home/user/sem12/ma/pdf/jbig2/jbig2dec_git/jbig2dec/.libs/jbig2dec -o output.pbm page_seg global_seg

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bd79d9 in jbig2_image_clone (ctx=0x607d60, image=0x0) at jbig2_image.c:63
63              image->refcount++;
(gdb) bt
#0  0x00007ffff7bd79d9 in jbig2_image_clone (ctx=0x607d60, image=0x0) at jbig2_image.c:63
#1  0x00007ffff7bcda07 in jbig2_page_out (ctx=0x607d60) at jbig2_page.c:297
#2  0x0000000000401dc1 in main (argc=5, argv=0x7fffffffd938) at jbig2dec.c:497

The streams used (page_seg and global_seg) are attached.

This patch should fix the issue:

diff --git a/jbig2_image.c b/jbig2_image.c
index 7037d71..45db3b3 100644
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -60,7 +60,9 @@ Jbig2Image* jbig2_image_new(Jbig2Ctx *ctx, int width, int height)
 /* clone an image pointer by bumping its reference count */
 Jbig2Image* jbig2_image_clone(Jbig2Ctx *ctx, Jbig2Image *image)
 {
-	image->refcount++;
+	if (image != NULL)
+		image->refcount++;
+
 	return image;
 }
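Review bot: the NULL guard in jbig2_image_clone stops the crash at jbig2_image.c:63, but it only moves the problem: the function now returns NULL to jbig2_page_out (jbig2_page.c:297 in the backtrace), which still has no page image to write out. The root cause described above is a page stream that never produced an image, so jbig2_page_out should check page->image for NULL before cloning and return an error for that page rather than relying on the clone silently passing NULL through. The extra blank `+` line inserted before `return image;` is also unnecessary and can be dropped.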
Comment 1 Robin Watts 2012-01-25 10:29:13 UTC
Fixed in:

commit fb56842749e5430ed18d938eb78d1cf24c3e9759
Author: Robin Watts <robin.watts@artifex.com>
Date:   Tue Jan 24 13:20:11 2012 +0000

    Tweak jbig2dec to cope better with NULLs.

    Fix various destructors in jbig2dec to cope with being called
    with image = NULL. This cures a problem in mupdf where it SEGVs
    when called on "1239 - skip invalid content streams.pdf" from the
    sumatra test set.

Thanks.
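As an added illustration of the two-sided fix this report and the follow-up commit describe (a clone helper that tolerates NULL, plus a caller that treats a page without an image as an input error instead of cloning it), here is a small self-contained C program. It is example code written for this page, not jbig2dec's own source: the `Image`, `Page`, `image_clone`, `image_clone_unchecked`, `page_out` and `demo` names are hypothetical stand-ins for the jbig2dec functions in the backtrace.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a reference-counted image (not jbig2dec's Jbig2Image). */
typedef struct {
    int width;
    int height;
    int refcount;
} Image;

/* Hypothetical page: image stays NULL when no page-info segment created one. */
typedef struct {
    Image *image;
} Page;

/* Pre-fix behaviour from the report: dereferences unconditionally, so a NULL
 * argument is a segfault (never call this with NULL; shown for contrast only). */
static Image *image_clone_unchecked(Image *image)
{
    image->refcount++;
    return image;
}

/* Post-fix behaviour: bump the count only when there is an image; NULL passes through. */
static Image *image_clone(Image *image)
{
    if (image != NULL)
        image->refcount++;
    return image;
}

/* Matching destructor that also copes with NULL, as the fixing commit describes. */
static void image_release(Image *image)
{
    if (image == NULL)
        return;
    if (--image->refcount == 0)
        free(image);
}

static Image *image_new(int width, int height)
{
    Image *img = malloc(sizeof *img);
    if (img == NULL)
        return NULL;
    img->width = width;
    img->height = height;
    img->refcount = 1;
    return img;
}

/* Caller-side check: a page with no image is reported as an error (-1) rather
 * than handed to the clone helper; on success *out holds a new reference. */
static int page_out(const Page *page, Image **out)
{
    *out = NULL;
    if (page == NULL || page->image == NULL) {
        fprintf(stderr, "page_out: page has no image (no page info segment decoded)\n");
        return -1;
    }
    *out = image_clone(page->image);
    return 0;
}

/* Exercise both paths; returns 1 when every check holds, 0 otherwise. */
int demo(void)
{
    Page empty = { NULL };
    Image *out = NULL;

    /* Empty page: error reported, nothing cloned, no dereference. */
    if (page_out(&empty, &out) != -1 || out != NULL)
        return 0;
    if (image_clone(NULL) != NULL)
        return 0;

    /* Normal page: clone returns the same object with its count bumped. */
    Page good;
    good.image = image_new(8, 8);
    if (good.image == NULL)
        return 0;
    if (page_out(&good, &out) != 0 || out != good.image || out->refcount != 2)
        return 0;
    if (image_clone_unchecked(out) != out || out->refcount != 3)
        return 0;
    image_release(out);
    image_release(out);
    if (good.image->refcount != 1)
        return 0;
    image_release(good.image);
    return 1;
}

int main(void)
{
    int ok = demo();
    printf("%s\n", ok ? "all checks passed" : "check failed");
    return ok ? 0 : 1;
}
```

The point of keeping both checks is that the guard inside the clone helper alone would turn the crash into a silent NULL propagating to whatever writes the output file; the caller-side check is what turns a malformed page stream into a reported error.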