Bug 697395

Summary: Artifex MuPDF JBIG2 Parser Code Execution Vulnerability
Product: MuPDF
Component: mupdf
Reporter: regiwils
Assignee: Robin Watts <robin.watts>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: unspecified
Hardware: PC
OS: All
CC: henry.stiles, michael.vrhel, regiwils, sebastian.rasmussen
Customer:
Word Size: ---

Comment 7 Robin Watts 2017-02-28 09:19:33 UTC
Proposed fix:

http://git.ghostscript.com/?p=user/robin/mupdf.git;a=commitdiff;h=29f0e3a6ea0cb02ae0c20a2d0f19561804af01ec

Doesn't appear to be a JBIG2 issue at all, rather a scaling issue.

Will retry with the 1.9 source in case it appears differently.
Comment 8 Robin Watts 2017-03-01 06:03:54 UTC
file_1.pdf problem fixed with:

commit 0c86abf954ca4a5f00c26f6600acac93f9fc3538
Author: Robin Watts <robin.watts@artifex.com>
Date:   Tue Feb 28 17:15:40 2017 +0000

    Bug 697395: Fix underflow in special case scaler.

    When scaling a single row pixmap with a flip, I was getting
    the offset to the far end of the line wrong due to forgetting
    to allow for the alpha plane.

    Fixed here.

file_2.pdf problem does not reproduce, hence closing.

Thanks for the report. Please reopen with new information if it still misbehaves for you.
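As an added illustration of the defect class described in the commit message above (this is hypothetical example code, not MuPDF's scaler and not taken from the referenced commit): a single-row flip walks the source row from its far end backwards, so if the far-end offset is computed from the colour components alone and the alpha plane is forgotten, the start pointer sits too close to the beginning of the buffer and the walk steps below it. The function names (`last_pixel_offset`, `flip_row`, `demo`), the bounds check, and the constructed 4-pixel RGBA row are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction for illustration; not MuPDF code. */

/* Byte offset of the last pixel in a single row of `w` pixels that have `n`
 * colour components each; `alpha` is 1 when an alpha plane follows them.
 * Forgetting `alpha` here is the mistake described in the commit message. */
size_t last_pixel_offset(int w, int n, int alpha)
{
    return (size_t)(w - 1) * (size_t)(n + alpha);
}

/* Reverse a single-row pixmap of `w` pixels into `dst`, reading `src`
 * from byte offset `start` backwards in steps of one full pixel.
 * Returns 0 on success, -1 if the walk would step below `src`
 * (the underflow case). Pointers are computed per pixel so no pointer
 * ever moves outside the buffer, even on failure. */
int flip_row(const unsigned char *src, unsigned char *dst,
             int w, int n, int alpha, size_t start)
{
    size_t bpp = (size_t)(n + alpha);          /* bytes per pixel, alpha included */
    if (w <= 0) return -1;
    if (start < (size_t)(w - 1) * bpp) return -1;  /* would underflow the row */
    for (int x = 0; x < w; x++)
        memcpy(dst + (size_t)x * bpp, src + start - (size_t)x * bpp, bpp);
    return 0;
}

/* Flip a constructed 4-pixel RGBA row with the correct far-end offset, then
 * show that the "alpha forgotten" offset is rejected by the bounds check.
 * Returns 1 when both behave as expected, 0 otherwise. */
int demo(void)
{
    enum { W = 4, N = 3, ALPHA = 1 };
    /* Constructed sample row: four RGBA pixels, alpha = 255 throughout. */
    const unsigned char row[W * (N + ALPHA)] = {
        1, 2, 3, 255,   4, 5, 6, 255,   7, 8, 9, 255,   10, 11, 12, 255
    };
    unsigned char out[sizeof row];

    size_t good = last_pixel_offset(W, N, ALPHA); /* 12: last pixel starts here */
    size_t bad  = last_pixel_offset(W, N, 0);     /* 9: alpha plane forgotten  */

    if (flip_row(row, out, W, N, ALPHA, good) != 0) return 0;
    /* First output pixel must be the last input pixel, alpha intact. */
    if (out[0] != 10 || out[1] != 11 || out[2] != 12 || out[3] != 255) return 0;
    /* Last output pixel must be the first input pixel. */
    if (out[12] != 1 || out[15] != 255) return 0;

    /* With the wrong offset the walk would need 12 bytes of headroom but
     * has only 9, so the check refuses instead of reading before `row`. */
    if (flip_row(row, out, W, N, ALPHA, bad) != -1) return 0;
    return 1;
}

int main(void)
{
    printf("demo %s\n", demo() ? "ok" : "FAILED");
    return 0;
}
```

The check in `flip_row` is the defensive counterpart of the fix: rather than trusting a caller-supplied far-end offset, it verifies that stepping back `w - 1` full pixels stays inside the row before any byte is touched.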
Comment 9 Sebastian Rasmussen 2024-09-13 16:12:09 UTC
(In reply to Robin Watts from comment #8)
> file_2.pdf problem does not reproduce, hence closing.

I can successfully reproduce the issue with modern valgrind, and bisecting reveals that jbig2dec fixed this in

commit e698d5c11d27212aa1098bc5b1673a3378563092 (HEAD)
Author: Robin Watts <robin.watts@artifex.com>
Date:   Mon Dec 12 17:47:17 2016 +0000

    Squash signed/unsigned warnings in MSVC jbig2 build.

    Also rename "new" to "new_dict", because "new" is a bad
    variable name.

Which was later included in

commit 1a7ef61410884daff8ff8391ddcecc3102acd989
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Tue Dec 27 15:07:32 2016 +0100

    Update jbig2dec.