Bug 694247 - Valgrind issues found by fuzzing in image_render_color_DeviceN (gxicolor.c:1112)
Summary: Valgrind issues found by fuzzing in image_render_color_DeviceN (gxicolor.c:1112)
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: JPX/JBIG2 encode/decode (show other bugs)
Version: master
Hardware: PC Linux
: P4 normal
Assignee: Sebastian Rasmussen
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-27 22:07 UTC by Marcos H. Woehrmann
Modified: 2019-02-09 01:01 UTC (History)
1 user (show)

See Also:
Customer:
Word Size: 64

Attachments
log.txt (22.09 KB, text/plain)
2013-05-27 22:07 UTC, Marcos H. Woehrmann 		Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcos H. Woehrmann 2013-05-27 22:07:28 UTC 
Created attachment 9881 [details]
log.txt

Valgrind issues in the 64 bit build of ghostscript were found by fuzzing in image_render_color_DeviceN (gxicolor.c:1112) while reading these files. See the attached log.txt for details.

1220.pdf.asan.21.248.cups.300.1
1220.pdf.asan.21.248.psdcmyk.72.0
Comment 1 Michael Vrhel 2019-01-23 18:30:13 UTC 
With current head, the valgrind issues for this are related to openjpeg.  See below.  

Page 4
Warning: printer device has private dev_spec_op
openjpeg info: Start to read j2k main header (129).
openjpeg info: Main header has been correctly decoded.
==22517== Conditional jump or move depends on uninitialised value(s)
==22517==    at 0x63FE69: opj_j2k_need_nb_tile_parts_correction (j2k.c:8537)
==22517==    by 0x640756: opj_j2k_read_tile_header (j2k.c:8790)
==22517==    by 0x64540C: opj_j2k_decode_tiles (j2k.c:10667)
==22517==    by 0x63EE97: opj_j2k_exec (j2k.c:8096)
==22517==    by 0x6461C3: opj_j2k_decode (j2k.c:11017)
==22517==    by 0x64B392: opj_jp2_decode (jp2.c:1604)
==22517==    by 0x651A19: opj_decode (openjpeg.c:483)
==22517==    by 0x623A4B: decode_image (sjpx_openjpeg.c:410)
==22517==    by 0x624D02: s_opjd_process (sjpx_openjpeg.c:737)
==22517==    by 0x6C8A97: sreadbuf (stream.c:823)
==22517==    by 0x6C884B: s_process_read_buf (stream.c:749)
==22517==    by 0xB4504B: image_file_continue (zimage.c:523)
==22517==  Uninitialised value was created by a client request
==22517==    at 0x91D248: gs_heap_resize_object (gsmalloc.c:299)
==22517==    by 0x62510A: s_opjd_accumulate_input (sjpx_openjpeg.c:834)
==22517==    by 0x624BC6: s_opjd_process (sjpx_openjpeg.c:700)
==22517==    by 0x6C8A97: sreadbuf (stream.c:823)
==22517==    by 0x6C884B: s_process_read_buf (stream.c:749)
==22517==    by 0xB4504B: image_file_continue (zimage.c:523)
==22517==    by 0xAF3522: do_call_operator (interp.c:86)
==22517==    by 0xAF64A8: interp (interp.c:1292)
==22517==    by 0xAF3E71: gs_call_interp (interp.c:520)
==22517==    by 0xAF3C10: gs_interpret (interp.c:477)
==22517==    by 0xAE39BB: gs_main_interpret (imain.c:253)
==22517==    by 0xAE4D2B: gs_main_run_string_end (imain.c:768)

openjpeg info: Header of tile 1 / 1 has been read.
==22517== Conditional jump or move depends on uninitialised value(s)
==22517==    at 0x640F53: opj_j2k_decode_tile (j2k.c:8983)
==22517==    by 0x645445: opj_j2k_decode_tiles (j2k.c:10679)
==22517==    by 0x63EE97: opj_j2k_exec (j2k.c:8096)
==22517==    by 0x6461C3: opj_j2k_decode (j2k.c:11017)
==22517==    by 0x64B392: opj_jp2_decode (jp2.c:1604)
==22517==    by 0x651A19: opj_decode (openjpeg.c:483)
==22517==    by 0x623A4B: decode_image (sjpx_openjpeg.c:410)
==22517==    by 0x624D02: s_opjd_process (sjpx_openjpeg.c:737)
==22517==    by 0x6C8A97: sreadbuf (stream.c:823)
==22517==    by 0x6C884B: s_process_read_buf (stream.c:749)
==22517==    by 0xB4504B: image_file_continue (zimage.c:523)
==22517==    by 0xAF3522: do_call_operator (interp.c:86)
==22517==  Uninitialised value was created by a client request
==22517==    at 0x91D248: gs_heap_resize_object (gsmalloc.c:299)
==22517==    by 0x62510A: s_opjd_accumulate_input (sjpx_openjpeg.c:834)
==22517==    by 0x624BC6: s_opjd_process (sjpx_openjpeg.c:700)
==22517==    by 0x6C8A97: sreadbuf (stream.c:823)
==22517==    by 0x6C884B: s_process_read_buf (stream.c:749)
==22517==    by 0xB4504B: image_file_continue (zimage.c:523)
==22517==    by 0xAF3522: do_call_operator (interp.c:86)
==22517==    by 0xAF64A8: interp (interp.c:1292)
==22517==    by 0xAF3E71: gs_call_interp (interp.c:520)
==22517==    by 0xAF3C10: gs_interpret (interp.c:477)
==22517==    by 0xAE39BB: gs_main_interpret (imain.c:253)
==22517==    by 0xAE4D2B: gs_main_run_string_end (imain.c:768)
Comment 2 Sebastian Rasmussen 2019-01-24 03:09:03 UTC 
I have a tentative fix for this issue. At the moment this is in a local git format-patch named *Bug-694247*.patch in my home directory.
Comment 3 Sebastian Rasmussen 2019-02-09 01:01:12 UTC 
Fixed in 

commit a0421f035fd418d27fd2df80b896d97d3d6e87ea
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Thu Jan 24 03:55:57 2019 +0100

    Bug 694247: Do not confuse openjpeg input buffer usage with size.
    
    Previously s_opjd_accumulate_input() populated the openjpeg input data
    buffer and adjusted the buffer size and usage fields accordingly. The
    openjpeg callbacks for reading, skipping and seeking confused these two
    fields and used the buffer size instead of the buffer usage. This meant
    that there was a risk of reading uninitialized data.