Bug 700168

Summary: Type confusion in JBIG2Decode
Product: Ghostscript Reporter: Man Yue Mo <mmo>
Component: GeneralAssignee: Default assignee <ghostpdl-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: dr, jsmeix, till.kamppeter
Priority: P4    
Version: unspecified   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---

Description Man Yue Mo 2018-11-13 11:48:47 UTC 
Hi,

There is a type confusion in JBIG2Decode. In `z_jbig2decode`, `sop` comes from the dictionary argument:

http://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=psi/zfjbig2.c;h=a3d13a242ab84cf41e32af366630f4e447caf7d5;hb=2dceb0400c5a571f23070891b8a8028d04926de1#l75

It is then assumed to be of struct type without checking and used in `r_ptr`, with the result cast into `s_jbig2_global_data_t`. The following illustrates the type confusion issue:

gs -q -sDEVICE=ppmraw -dSAFER -dJBIG2
GS><</.jbig2globalctx 16#41 >> /JBIG2Decode filter
Segmentation fault (core dumped)

Tested on a build with commit 2dceb04.

Thank you very much for your help and please let me know if there is anything I can help.

By the way, when I filed the issue, the `Possible Duplicates` field showed up with some suggestions. As it only showed another ticket that I filed, I don't know if it would give suggestions of tickets from other people. I suggest that for security issues, the duplicate detection should only show tickets that the user filed, otherwise someone can just type in different security issue names in the title to potentially discover undisclosed security issues.

Best Regards,

Man Yue Mo
Comment 1 Ken Sharp 2018-11-14 10:05:50 UTC 
Fixed in commit 606a22e77e7f081781e99e44644cd0119f559e03