Bug 694247

Summary: Valgrind issues found by fuzzing in image_render_color_DeviceN (gxicolor.c:1112)
Product: Ghostscript
Reporter: Marcos H. Woehrmann <marcos.woehrmann>
Component: JPX/JBIG2 encode/decode
Assignee: Sebastian Rasmussen <sebastian.rasmussen>
Status: RESOLVED FIXED
Severity: normal
CC: henry.stiles
Priority: P4
Version: master
Hardware: PC
OS: Linux
Customer:
Word Size: 64
Attachments: log.txt

Description Marcos H. Woehrmann 2013-05-27 22:07:28 UTC
Created attachment 9881: log.txt

Valgrind issues in the 64 bit build of ghostscript were found by fuzzing in image_render_color_DeviceN (gxicolor.c:1112) while reading these files. See the attached log.txt for details.

1220.pdf.asan.21.248.cups.300.1
1220.pdf.asan.21.248.psdcmyk.72.0
Comment 1 Michael Vrhel 2019-01-23 18:30:13 UTC
With current head, the valgrind issues for this are related to openjpeg. See below.

Page 4
Warning: printer device has private dev_spec_op
openjpeg info: Start to read j2k main header (129).
openjpeg info: Main header has been correctly decoded.
==22517== Conditional jump or move depends on uninitialised value(s)
==22517==    at 0x63FE69: opj_j2k_need_nb_tile_parts_correction (j2k.c:8537)
==22517==    by 0x640756: opj_j2k_read_tile_header (j2k.c:8790)
==22517==    by 0x64540C: opj_j2k_decode_tiles (j2k.c:10667)
==22517==    by 0x63EE97: opj_j2k_exec (j2k.c:8096)
==22517==    by 0x6461C3: opj_j2k_decode (j2k.c:11017)
==22517==    by 0x64B392: opj_jp2_decode (jp2.c:1604)
==22517==    by 0x651A19: opj_decode (openjpeg.c:483)
==22517==    by 0x623A4B: decode_image (sjpx_openjpeg.c:410)
==22517==    by 0x624D02: s_opjd_process (sjpx_openjpeg.c:737)
==22517==    by 0x6C8A97: sreadbuf (stream.c:823)
==22517==    by 0x6C884B: s_process_read_buf (stream.c:749)
==22517==    by 0xB4504B: image_file_continue (zimage.c:523)
==22517==  Uninitialised value was created by a client request
==22517==    at 0x91D248: gs_heap_resize_object (gsmalloc.c:299)
==22517==    by 0x62510A: s_opjd_accumulate_input (sjpx_openjpeg.c:834)
==22517==    by 0x624BC6: s_opjd_process (sjpx_openjpeg.c:700)
==22517==    by 0x6C8A97: sreadbuf (stream.c:823)
==22517==    by 0x6C884B: s_process_read_buf (stream.c:749)
==22517==    by 0xB4504B: image_file_continue (zimage.c:523)
==22517==    by 0xAF3522: do_call_operator (interp.c:86)
==22517==    by 0xAF64A8: interp (interp.c:1292)
==22517==    by 0xAF3E71: gs_call_interp (interp.c:520)
==22517==    by 0xAF3C10: gs_interpret (interp.c:477)
==22517==    by 0xAE39BB: gs_main_interpret (imain.c:253)
==22517==    by 0xAE4D2B: gs_main_run_string_end (imain.c:768)

openjpeg info: Header of tile 1 / 1 has been read.
==22517== Conditional jump or move depends on uninitialised value(s)
==22517==    at 0x640F53: opj_j2k_decode_tile (j2k.c:8983)
==22517==    by 0x645445: opj_j2k_decode_tiles (j2k.c:10679)
==22517==    by 0x63EE97: opj_j2k_exec (j2k.c:8096)
==22517==    by 0x6461C3: opj_j2k_decode (j2k.c:11017)
==22517==    by 0x64B392: opj_jp2_decode (jp2.c:1604)
==22517==    by 0x651A19: opj_decode (openjpeg.c:483)
==22517==    by 0x623A4B: decode_image (sjpx_openjpeg.c:410)
==22517==    by 0x624D02: s_opjd_process (sjpx_openjpeg.c:737)
==22517==    by 0x6C8A97: sreadbuf (stream.c:823)
==22517==    by 0x6C884B: s_process_read_buf (stream.c:749)
==22517==    by 0xB4504B: image_file_continue (zimage.c:523)
==22517==    by 0xAF3522: do_call_operator (interp.c:86)
==22517==  Uninitialised value was created by a client request
==22517==    at 0x91D248: gs_heap_resize_object (gsmalloc.c:299)
==22517==    by 0x62510A: s_opjd_accumulate_input (sjpx_openjpeg.c:834)
==22517==    by 0x624BC6: s_opjd_process (sjpx_openjpeg.c:700)
==22517==    by 0x6C8A97: sreadbuf (stream.c:823)
==22517==    by 0x6C884B: s_process_read_buf (stream.c:749)
==22517==    by 0xB4504B: image_file_continue (zimage.c:523)
==22517==    by 0xAF3522: do_call_operator (interp.c:86)
==22517==    by 0xAF64A8: interp (interp.c:1292)
==22517==    by 0xAF3E71: gs_call_interp (interp.c:520)
==22517==    by 0xAF3C10: gs_interpret (interp.c:477)
==22517==    by 0xAE39BB: gs_main_interpret (imain.c:253)
==22517==    by 0xAE4D2B: gs_main_run_string_end (imain.c:768)
Comment 2 Sebastian Rasmussen 2019-01-24 03:09:03 UTC
I have a tentative fix for this issue. At the moment this is in a local git format-patch named *Bug-694247*.patch in my home directory.
Comment 3 Sebastian Rasmussen 2019-02-09 01:01:12 UTC
Fixed in 

commit a0421f035fd418d27fd2df80b896d97d3d6e87ea
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Thu Jan 24 03:55:57 2019 +0100

    Bug 694247: Do not confuse openjpeg input buffer usage with size.
    
    Previously s_opjd_accumulate_input() populated the openjpeg input data
    buffer and adjusted the buffer size and usage fields accordingly. The
    openjpeg callbacks for reading, skipping and seeking confused these two
    fields and used the buffer size instead of the buffer usage. This meant
    that there was a risk of reading uninitialized data.
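The mistake the commit describes, a callback that bounds reads by the allocation size instead of by the populated length, as an added illustration in C that is not Ghostscript's or openjpeg's code: a constructed accumulating buffer (names `input_buf`, `buf_accumulate`, `buf_read`, `buf_seek` are assumptions) whose read and seek callbacks clamp to `fill` (usage), so a decoder that asks for more than has arrived gets a short read instead of the uninitialised tail of the allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>

/* Constructed model of an accumulating input buffer (not Ghostscript's code).
 * size = allocated capacity (grown ahead of data arriving),
 * fill = bytes actually written so far, pos = current read position. */
typedef struct {
    uint8_t *data;
    size_t size;   /* capacity: bytes allocated */
    size_t fill;   /* usage: bytes populated, the only valid read bound */
    size_t pos;
} input_buf;

/* Append incoming data, over-allocating so that size > fill: exactly the
 * situation in which confusing the two fields exposes unwritten memory. */
int buf_accumulate(input_buf *b, const uint8_t *src, size_t n) {
    if (b->fill + n > b->size) {
        size_t new_size = (b->fill + n) * 2;      /* deliberate over-allocation */
        uint8_t *p = realloc(b->data, new_size);
        if (!p) return -1;
        b->data = p;
        b->size = new_size;                       /* tail beyond fill is uninitialised */
    }
    memcpy(b->data + b->fill, src, n);
    b->fill += n;
    return 0;
}

/* Read callback: clamp to fill, never to size. Returns bytes copied. */
size_t buf_read(input_buf *b, uint8_t *dst, size_t n) {
    size_t avail = b->fill - b->pos;
    if (n > avail) n = avail;                     /* short read, not stale bytes */
    memcpy(dst, b->data + b->pos, n);
    b->pos += n;
    return n;
}

/* Seek callback: an absolute offset must lie within populated data. */
int buf_seek(input_buf *b, size_t off) {
    if (off > b->fill) return 0;                  /* would land in unwritten tail */
    b->pos = off;
    return 1;
}
```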