Summary: | Segfault (null pointer access) when trying to open malformed inputs | |
---|---|---|---
Product: | jbig2dec | Reporter: | hanno
Component: | Parsing | Assignee: | Henry Stiles <henry.stiles>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | shailesh.mistry
Priority: | P4 | |
Version: | unspecified | |
Hardware: | PC | |
OS: | Linux | |
Customer: | | Word Size: | ---
Attachments: | crashing input sample (attachment 11757), crashing input sample 2 (attachment 11758), Patch to check for missing image (attachment 11885) | |

Created attachment 11758 [details]
crashing input sample 2

Created attachment 11885 [details]
Patch to check for missing image

The attached sample images try to access an image that does not exist. This patch checks that the cloned image exists before proceeding further.
Created attachment 11757 [details]
crashing input sample

The attached files will cause a null pointer access / segfault in jbig2dec. Both have slightly different stack traces, but look similar.

Address Sanitizer stack traces:

==6967==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x00000051c067 bp 0x000000000001 sp 0x7fff3bb8ff10 T0)
    #0 0x51c066 in jbig2_image_get_pixel /f/jbig2dec/jbig2dec-0.12/jbig2_image.c:328:17
    #1 0x508e4b in jbig2_decode_refinement_template1_unopt /f/jbig2dec/jbig2dec-0.12/jbig2_refinement.c:134:18
    #2 0x508e4b in jbig2_decode_refinement_region /f/jbig2dec/jbig2dec-0.12/jbig2_refinement.c:391
    #3 0x50a993 in jbig2_refinement_region /f/jbig2dec/jbig2dec-0.12/jbig2_refinement.c:558:12
    #4 0x4eba5b in jbig2_parse_segment /f/jbig2dec/jbig2dec-0.12/jbig2_segment.c:280:14
    #5 0x4e81fa in jbig2_data_in /f/jbig2dec/jbig2dec-0.12/jbig2.c:364:11
    #6 0x4dee17 in main /f/jbig2dec/jbig2dec-0.12/jbig2dec.c:454:11
    #7 0x7f8c84569f9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #8 0x437e56 in _start (/mnt/ram/jb2/jbig2dec+0x437e56)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/jbig2dec/jbig2dec-0.12/jbig2_image.c:328 jbig2_image_get_pixel
==6967==ABORTING

==29123==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x00000051c067 bp 0x000000000000 sp 0x7fff5a2e2010 T0)
    #0 0x51c066 in jbig2_image_get_pixel /f/jbig2dec/jbig2dec-0.12/jbig2_image.c:328:17
    #1 0x509290 in jbig2_decode_refinement_template0_unopt /f/jbig2dec/jbig2dec-0.12/jbig2_refinement.c:78:18
    #2 0x509290 in jbig2_decode_refinement_region /f/jbig2dec/jbig2dec-0.12/jbig2_refinement.c:394
    #3 0x50a993 in jbig2_refinement_region /f/jbig2dec/jbig2dec-0.12/jbig2_refinement.c:558:12
    #4 0x4eba5b in jbig2_parse_segment /f/jbig2dec/jbig2dec-0.12/jbig2_segment.c:280:14
    #5 0x4e81fa in jbig2_data_in /f/jbig2dec/jbig2dec-0.12/jbig2.c:364:11
    #6 0x4dee17 in main /f/jbig2dec/jbig2dec-0.12/jbig2dec.c:454:11
    #7 0x7efe8c774f9f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #8 0x437e56 in _start (/mnt/ram/jb2/jbig2dec+0x437e56)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/jbig2dec/jbig2dec-0.12/jbig2_image.c:328 jbig2_image_get_pixel
==29123==ABORTING
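The guard the attached patch describes, shown as an added C example that is not jbig2dec's code or the attached patch: a hypothetical refinement step looks up its reference bitmap by segment number and rejects the segment when that slot is NULL, instead of letting the pixel accessor dereference it. The Bitmap type, refine_region and the helper functions are all constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical 1-bit-per-pixel bitmap, constructed for this example
 * (a stand-in for the decoder's image type, not jbig2dec's Jbig2Image). */
typedef struct {
    uint32_t width, height, stride;   /* stride: bytes per row */
    uint8_t *data;
} Bitmap;

Bitmap *bitmap_new(uint32_t width, uint32_t height) {
    Bitmap *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->width = width; b->height = height; b->stride = (width + 7) / 8;
    b->data = calloc((size_t)b->stride * height, 1);
    if (!b->data) { free(b); return NULL; }
    return b;
}

void bitmap_free(Bitmap *b) { if (b) { free(b->data); free(b); } }

void bitmap_set_pixel(Bitmap *b, uint32_t x, uint32_t y, int v) {
    uint8_t *p = &b->data[y * b->stride + (x >> 3)], m = 0x80 >> (x & 7);
    if (v) *p |= m; else *p &= (uint8_t)~m;
}

/* Pixels outside the bitmap read as 0, as JBIG2 template decoding expects.
 * The accessor itself does not check b for NULL (that is the crash site in
 * the report), so callers must validate the image before reading from it. */
int bitmap_get_pixel(const Bitmap *b, int x, int y) {
    if (x < 0 || y < 0 || (uint32_t)x >= b->width || (uint32_t)y >= b->height)
        return 0;
    return (b->data[y * b->stride + (x >> 3)] >> (7 - (x & 7))) & 1;
}

/* Simplified refinement step: the reference bitmap is looked up by segment
 * number. A malformed file may refer to a segment that never produced an
 * image, leaving the slot NULL; the guard returns -1 before any pixel is
 * read. Output is a plain copy of the reference (a real refinement would
 * combine it with arithmetic-decoded context bits). */
int refine_region(Bitmap **refs, size_t nrefs, uint32_t ref_seg, Bitmap *out) {
    if (ref_seg >= nrefs || refs[ref_seg] == NULL)
        return -1;   /* missing reference image: reject the segment */
    const Bitmap *ref = refs[ref_seg];
    for (uint32_t y = 0; y < out->height; y++)
        for (uint32_t x = 0; x < out->width; x++)
            bitmap_set_pixel(out, x, y, bitmap_get_pixel(ref, (int)x, (int)y));
    return 0;
}
```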