698877 – crash in fast_rgb_to_cmyk

Bug 698877 - crash in fast_rgb_to_cmyk

Summary: crash in fast_rgb_to_cmyk

Status:	RESOLVED FIXED

Alias:	None

Product:	MuPDF
Classification:	Unclassified
Component:	mupdf (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P4 normal
Assignee:	MuPDF bugs

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-01-20 20:00 UTC by isabella
Modified:	2018-11-07 22:07 UTC (History)
CC List:	2 users (show)

See Also:
Customer:
Word Size:	---

Attachments
patch to fix the issue (912 bytes, patch) 2018-01-20 20:00 UTC, isabella	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description isabella 2018-01-20 20:00:18 UTC

Created attachment 14609 [details]
patch to fix the issue

fast_rgb_to_cmyk does this
if ((copy_spots || ss != ds) || (!da && sa)) 

it should probably do this instead
if ((copy_spots && ss != ds) || (!da && sa))

Comment 1 M.J.G. 2018-03-11 07:20:40 UTC

It's a bit strange to have this bug report here with a patch but without any report... In any case, I've got a bug report over at the fedora bz:

https://bugzilla.redhat.com/show_bug.cgi?id=1553915

It comes with a PDF that makes mupdf segfault with

mupdf: source/fitz/colorspace.c:1399: fast_rgb_to_cmyk: Assertion `"This should never happen" == NULL' failed.

which is why I quote it here. This is with mupdf-1.12.0-5.fc27.x86_64 which is 1.12.0 plus several patches for CVEs.

Comment 2 Tor Andersson 2018-11-07 22:07:36 UTC

commit a101366eeb06d375b32d96f305bce5bc131f7b03
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Tue Oct 16 15:43:17 2018 +0200

    Fix asserts and checks in fast_xxx_to_yyy functions.
    
    fast_rgb_to_cmyk had || instead of && so always triggered incorrectly.
    
    Only throw, no need to both assert and throw.