Bug 697934

Summary: Jbig2dec latest version, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file.
Product: jbig2dec
Component: Parsing
Status: RESOLVED FIXED
Severity: normal
Priority: P1
Version: master
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Reporter: Young_X <yangx92>
Assignee: Henry Stiles <henry.stiles>
CC: carnil, shailesh.mistry
Attachments: analysis

Description Young_X 2017-05-23 18:55:02 UTC
Created attachment 13710
crash file

#Description
Jbig2dec latest version, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file.


#Error info
Starting program: /home/mayfeel/fuzz/jbig2dec/jbig2dec ../crash/crash0000
jbig2dec FATAL ERROR missing glyph 0/0! (segment 0x01)

Program received signal SIGSEGV, Segmentation fault.
jbig2_huffman_get (hs=hs@entry=0x651370, table=0x0, oob=oob@entry=0x7fffffffc970) at jbig2_huffman.c:274
274	        int log_table_size = table->log_table_size;
(gdb) p table
$1 = (const Jbig2HuffmanTable *) 0x0
(gdb) bt
#0  jbig2_huffman_get (hs=hs@entry=0x651370, table=0x0, oob=oob@entry=0x7fffffffc970) at jbig2_huffman.c:274
#1  0x0000000000408092 in jbig2_decode_text_region (ctx=ctx@entry=0x619240, segment=segment@entry=0x626da0, params=params@entry=0x627120, dicts=dicts@entry=0x626fd0, n_dicts=n_dicts@entry=1, 
    image=image@entry=0x651320, data=0x61a474 "\336\177\001", size=34, GR_stats=0x64f2c0 "", as=0x626e00, ws=0x626de0) at jbig2_text.c:340
#2  0x0000000000405e87 in jbig2_decode_symbol_dict (GR_stats=<optimized out>, GB_stats=<optimized out>, size=<optimized out>, data=<optimized out>, params=0x7fffffffcce0, segment=0x626da0, ctx=0x619240)
    at jbig2_symbol_dict.c:496
#3  jbig2_symbol_dictionary (ctx=ctx@entry=0x619240, segment=segment@entry=0x626da0, segment_data=<optimized out>) at jbig2_symbol_dict.c:996
#4  0x0000000000404530 in jbig2_parse_segment (ctx=ctx@entry=0x619240, segment=segment@entry=0x626da0, segment_data=<optimized out>) at jbig2_segment.c:234
#5  0x0000000000403a21 in jbig2_data_in (ctx=ctx@entry=0x619240, data=data@entry=0x7fffffffce60 "\227JB2\r\n\032\n\001", size=<optimized out>) at jbig2.c:312
#6  0x0000000000401697 in main (argc=<optimized out>, argv=0x7fffffffdf88) at jbig2dec.c:456

#Analysis
See attachment
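Added illustration of the defect class in this report, not jbig2dec's own code: a simplified Huffman lookup using hypothetical types and names (HuffmanTable, HuffmanState, huffman_get_checked, demo_lookup) that rejects a NULL table and returns an error for the caller to propagate, instead of reading table->log_table_size through a null pointer as at jbig2_huffman.c:274 in the trace above.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical simplified types, not jbig2dec's: a table read MSB-first with
 * log_table_size bits per code, and a bit cursor over the segment data. */
typedef struct { int log_table_size; const int32_t *entries; } HuffmanTable;
typedef struct { const uint8_t *data; size_t len; size_t bit_pos; } HuffmanState;

/* Read nbits MSB-first; -1 when the input is exhausted. */
static int read_bits(HuffmanState *hs, int nbits)
{
    int v = 0;
    for (int i = 0; i < nbits; i++, hs->bit_pos++) {
        if ((hs->bit_pos >> 3) >= hs->len) return -1;
        v = (v << 1) | ((hs->data[hs->bit_pos >> 3] >> (7 - (hs->bit_pos & 7))) & 1);
    }
    return v;
}

/* The crash site read table->log_table_size with table == NULL. This version
 * rejects a missing table up front and returns an error the caller must propagate. */
int huffman_get_checked(HuffmanState *hs, const HuffmanTable *table, int32_t *out)
{
    if (table == NULL || table->entries == NULL || table->log_table_size <= 0)
        return -1;                      /* would have been a SIGSEGV */
    int code = read_bits(hs, table->log_table_size);
    if (code < 0)
        return -1;                      /* truncated segment data */
    *out = table->entries[code];
    return 0;
}

/* Constructed sample: four 2-bit codes packed as 10 11 01 00. */
static const int32_t sample_entries[4] = { 10, 20, 30, 40 };
static const uint8_t sample_bits[1] = { 0xB4 };

int demo_missing_table(void)    /* no table selected: error, no crash */
{
    HuffmanState hs = { sample_bits, sizeof sample_bits, 0 };
    int32_t sym = 0;
    return huffman_get_checked(&hs, NULL, &sym);
}

/* Symbol for the nth code in the sample stream, or -1 on error. */
int32_t demo_lookup(int nth)
{
    HuffmanTable t = { 2, sample_entries };
    HuffmanState hs = { sample_bits, sizeof sample_bits, 0 };
    int32_t sym = 0;
    for (int i = 0; i <= nth; i++)
        if (huffman_get_checked(&hs, &t, &sym) != 0)
            return -1;
    return sym;
}
```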
Comment 1 Young_X 2017-05-23 18:58:57 UTC
Created attachment 13711
analysis