Bug 697683

Summary: jbig2dec-0.13 Integer Overflow in function jbig2_image_compose
Product: jbig2dec Reporter: icepng <dg.icepng>
Component: Parsing Assignee: Shailesh Mistry <shailesh.mistry>
Status: NOTIFIED FIXED QA Contact: Bug traffic <tech>
Severity: normal    
Priority: P1 CC: dg.icepng, dkaspar, henry.stiles, hertzog, joseph.heenan, landgraf
Version: unspecified   
Hardware: PC   
OS: Linux   
Customer: 128 Word Size: ---
Attachments: PoC_analysis
jbig2dec

Comment 1 Ken Sharp 2017-03-24 06:28:11 UTC
Kindly don't go around adding people to the CC list without asking.
Comment 2 icepng 2017-03-24 06:38:44 UTC
(In reply to Ken Sharp from comment #1)
> Kindly don't go around adding people to the CC list without asking.

I'm sorry for that.
Comment 4 Shailesh Mistry 2017-03-27 09:52:55 UTC
Testing this with the head code exits fine giving the following messages :-

[w] jbig2dec DEBUG segment 6 is associated with page 1 (segment 0x06)
[w] jbig2dec info Segment 6, flags=17, type=23, data_length=87 (segment 0x06)
[w] jbig2dec info halftone region: 32 x 36 @ (10,15) flags=01 (segment 0x06)
[w] jbig2dec info  grid 8 x -1 @ (0.0,0.0) vector (4.0,0.0) (segment 0x06)
jbig2dec FATAL ERROR decoding image: integer multiplication overflow from stride(1)*height(-1)
jbig2dec FATAL ERROR decoding image: failed to allocate 8x-1 image for GSPLANES (segment 0x06)
[w] jbig2dec WARNING unable to acquire gray-scale image, skipping halftone image (segment 0x06)

   **** Error: File has insufficient data for an image.
               Output may be incorrect.


Both jbig2dec and ghostscript exit gracefully without crashing.
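The log in comment 4 shows the head code refusing to size an image from stride(1)*height(-1). As an added example that is not part of the original comment and not jbig2dec's own code, the sketch below shows one way to validate a 1-bit-per-pixel bitmap size before allocating; the `demo_*` names and the `DEMO_MAX_BYTES` cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical types and names for this example; not jbig2dec's own. */
#define DEMO_MAX_BYTES ((uint32_t)INT32_MAX) /* assumed cap on one bitmap */

typedef struct {
    uint32_t width, height, stride;
    uint8_t *data;
} demo_image;

/* Bytes needed for a 1-bit-per-pixel bitmap, or 0 if the dimensions are
 * unusable (zero, or stride * height would exceed DEMO_MAX_BYTES). */
size_t demo_image_bytes(uint32_t width, uint32_t height)
{
    uint32_t stride;

    if (width == 0 || height == 0 || width > UINT32_MAX - 7)
        return 0;
    stride = (width + 7) >> 3; /* rows padded to whole bytes */
    /* Divide rather than multiply so the check itself cannot wrap. */
    if (height > DEMO_MAX_BYTES / stride)
        return 0;
    return (size_t)stride * height;
}

/* Allocate a zeroed bitmap; NULL on bad dimensions or out of memory. */
demo_image *demo_image_new(uint32_t width, uint32_t height)
{
    size_t bytes = demo_image_bytes(width, height);
    demo_image *img;

    if (bytes == 0 || (img = malloc(sizeof *img)) == NULL)
        return NULL;
    img->data = calloc(1, bytes);
    if (img->data == NULL) {
        free(img);
        return NULL;
    }
    img->width = width;
    img->height = height;
    img->stride = (width + 7) >> 3;
    return img;
}

int main(void)
{
    /* Constructed input: a height field of 0xFFFFFFFF prints as -1 via %d. */
    printf("8 x 0xFFFFFFFF -> %s\n", demo_image_new(8, 0xFFFFFFFFu) ? "allocated" : "rejected");
    return 0;
}
```

The caller is expected to treat a NULL return as a decode error for that segment and to release a successful allocation with `free(img->data)` followed by `free(img)`.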
Comment 5 icepng 2017-03-27 21:55:10 UTC
(In reply to Shailesh Mistry from comment #4)
> Testing this with the head code exits fine giving the following messages :-
> 
> [w] jbig2dec DEBUG segment 6 is associated with page 1 (segment 0x06)
> [w] jbig2dec info Segment 6, flags=17, type=23, data_length=87 (segment 0x06)
> [w] jbig2dec info halftone region: 32 x 36 @ (10,15) flags=01 (segment 0x06)
> [w] jbig2dec info  grid 8 x -1 @ (0.0,0.0) vector (4.0,0.0) (segment 0x06)
> jbig2dec FATAL ERROR decoding image: integer multiplication overflow from
> stride(1)*height(-1)
> jbig2dec FATAL ERROR decoding image: failed to allocate 8x-1 image for
> GSPLANES (segment 0x06)
> [w] jbig2dec WARNING unable to acquire gray-scale image, skipping halftone
> image (segment 0x06)
> 
>    **** Error: File has insufficient data for an image.
>                Output may be incorrect.
> 
> 
> Both jbig2dec and ghostscript exit gracefully without crashing.

Hello,
I used the version from before Ken Sharp patched it on Fri, 24 Mar 2017 19:47:33 +0800.

The attachment is the program I use.
Comment 6 icepng 2017-03-27 21:56:17 UTC
Created attachment 13496
jbig2dec
Comment 7 Henry Stiles 2017-04-22 06:40:58 UTC
P1 priority for customer security problem.