Bug 697683 - jbig2dec-0.13 Integer Overflow in function jbig2_image_compose
Status: NOTIFIED FIXED
Alias: None
Product: jbig2dec
Classification: Unclassified
Component: Parsing
Version: unspecified
Hardware: PC Linux
Importance: P1 normal
Assignee: Shailesh Mistry
Reported: 2017-03-24 06:15 UTC by icepng
Modified: 2017-05-29 04:16 UTC
Customer: 128
Word Size: ---


Attachments
PoC_analysis (3.64 KB, application/x-zip-compressed)
2017-03-24 06:15 UTC, icepng
jbig2dec (776.30 KB, application/x-gzip)
2017-03-27 21:56 UTC, icepng

Comment 1 Ken Sharp 2017-03-24 06:28:11 UTC
Kindly don't go around adding people to the CC list without asking.
Comment 2 icepng 2017-03-24 06:38:44 UTC
(In reply to Ken Sharp from comment #1)
> Kindly don't go around adding people to the CC list without asking.

I'm sorry for that.
Comment 4 Shailesh Mistry 2017-03-27 09:52:55 UTC
Testing this with the head code exits fine giving the following messages :-

[w] jbig2dec DEBUG segment 6 is associated with page 1 (segment 0x06)
[w] jbig2dec info Segment 6, flags=17, type=23, data_length=87 (segment 0x06)
[w] jbig2dec info halftone region: 32 x 36 @ (10,15) flags=01 (segment 0x06)
[w] jbig2dec info  grid 8 x -1 @ (0.0,0.0) vector (4.0,0.0) (segment 0x06)
jbig2dec FATAL ERROR decoding image: integer multiplication overflow from stride(1)*height(-1)
jbig2dec FATAL ERROR decoding image: failed to allocate 8x-1 image for GSPLANES (segment 0x06)
[w] jbig2dec WARNING unable to acquire gray-scale image, skipping halftone image (segment 0x06)

   **** Error: File has insufficient data for an image.
               Output may be incorrect.


Both jbig2dec and ghostscript exit gracefully without crashing.
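
The log in comment 4 shows a file-supplied grid height of -1 being rejected by a stride*height overflow check before allocation. The C below is an added illustration of that kind of check, not jbig2dec's code and not part of the original thread; the function names, the INT_MAX size limit and the sample dimensions other than 32 x 36 and 8 x -1 are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: byte size of a 1-bit-per-pixel bitmap built from
 * untrusted dimensions. Returns 0 and sets *out on success, or -1 when a
 * dimension is zero or the size exceeds the assumed INT_MAX limit. */
static int bitmap_bytes_checked(uint32_t width, uint32_t height, size_t *out)
{
    uint64_t stride, total;

    if (width == 0 || height == 0)
        return -1;
    stride = ((uint64_t)width + 7) / 8;  /* bytes per row, rounded up */
    total = stride * (uint64_t)height;   /* < 2^29 * 2^32, cannot wrap */
    if (total > (uint64_t)INT_MAX)
        return -1;
    *out = (size_t)total;
    return 0;
}

/* Unchecked variant for contrast: the 32-bit product wraps silently, so
 * the buffer can be far smaller than the rows later written into it. */
static uint32_t bitmap_bytes_unchecked(uint32_t width, uint32_t height)
{
    uint32_t stride = ((width - 1) >> 3) + 1;
    return stride * height;
}

int main(void)
{
    /* Constructed inputs: the 32x36 region and 8 x -1 grid from the log,
     * plus one pair chosen so that the 32-bit product wraps. */
    const uint32_t dims[][2] = {
        { 32, 36 }, { 8, (uint32_t)-1 }, { 16, 0x80000001u }
    };
    size_t i, n;

    for (i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        n = 0;
        int rc = bitmap_bytes_checked(dims[i][0], dims[i][1], &n);
        printf("%ux%u: checked rc=%d bytes=%zu, unchecked bytes=%u\n",
               (unsigned)dims[i][0], (unsigned)dims[i][1], rc, n,
               (unsigned)bitmap_bytes_unchecked(dims[i][0], dims[i][1]));
    }
    return 0;
}
```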
Comment 5 icepng 2017-03-27 21:55:10 UTC
(In reply to Shailesh Mistry from comment #4)
> Testing this with the head code exits fine giving the following messages :-
> 
> [w] jbig2dec DEBUG segment 6 is associated with page 1 (segment 0x06)
> [w] jbig2dec info Segment 6, flags=17, type=23, data_length=87 (segment 0x06)
> [w] jbig2dec info halftone region: 32 x 36 @ (10,15) flags=01 (segment 0x06)
> [w] jbig2dec info  grid 8 x -1 @ (0.0,0.0) vector (4.0,0.0) (segment 0x06)
> jbig2dec FATAL ERROR decoding image: integer multiplication overflow from
> stride(1)*height(-1)
> jbig2dec FATAL ERROR decoding image: failed to allocate 8x-1 image for
> GSPLANES (segment 0x06)
> [w] jbig2dec WARNING unable to acquire gray-scale image, skipping halftone
> image (segment 0x06)
> 
>    **** Error: File has insufficient data for an image.
>                Output may be incorrect.
> 
> 
> Both jbig2dec and ghostscript exit gracefully without crashing.

Hello,
   I used the version from before Ken Sharp's patch on Fri, 24 Mar 2017 19:47:33 +0800.

The attachment is the program I use.
Comment 6 icepng 2017-03-27 21:56:17 UTC
Created attachment 13496
jbig2dec
Comment 7 Henry Stiles 2017-04-22 06:40:58 UTC
P1 priority for customer security problem.