Bug 700168 - Type confusion in JBIG2Decode
Summary: Type confusion in JBIG2Decode
Status: RESOLVED FIXED
Product: Ghostscript
Classification: Unclassified
Component: General
Version: unspecified
Hardware: PC Linux
Importance: P4 normal
Assignee: Default assignee
Reported: 2018-11-13 11:48 UTC by Man Yue Mo
Modified: 2018-12-14 17:14 UTC

Description Man Yue Mo 2018-11-13 11:48:47 UTC
Hi,

There is a type confusion in JBIG2Decode. In `z_jbig2decode`, `sop` comes from the dictionary argument:

http://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=psi/zfjbig2.c;h=a3d13a242ab84cf41e32af366630f4e447caf7d5;hb=2dceb0400c5a571f23070891b8a8028d04926de1#l75

It is then assumed to be of struct type without checking and used in `r_ptr`, with the result cast into `s_jbig2_global_data_t`. The following illustrates the type confusion issue:

gs -q -sDEVICE=ppmraw -dSAFER -dJBIG2
GS><</.jbig2globalctx 16#41 >> /JBIG2Decode filter
Segmentation fault (core dumped)

Tested on a build with commit 2dceb04.

Thank you very much for your help, and please let me know if there is anything I can help with.

By the way, when I filed the issue, the `Possible Duplicates` field showed up with some suggestions. As it only showed another ticket that I filed, I don't know if it would give suggestions of tickets from other people. I suggest that for security issues, the duplicate detection should only show tickets that the user filed, otherwise someone can just type in different security issue names in the title to potentially discover undisclosed security issues.

Best Regards,

Man Yue Mo
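The pattern the report describes, shown as an added illustration that is not Ghostscript's own code: a tagged object's payload is reinterpreted as a struct pointer without first checking the tag, next to the form that checks the type before the cast. The `ref`, `r_has_type`, `r_ptr` and `jbig2_global_data_t` definitions below are simplified stand-ins for Ghostscript's, the function names are hypothetical, and the inputs (an integer 16#41 versus a real struct object) are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a tagged PostScript object. Ghostscript's real `ref`
 * carries more fields; only the parts needed to show the bug are modelled. */
typedef enum { t_null = 0, t_integer = 1, t_astruct = 2 } ref_type;

typedef struct {
    ref_type type;
    union {
        long  intval;   /* payload when type == t_integer */
        void *pstruct;  /* payload when type == t_astruct */
    } value;
} ref;

/* Stand-in for the global-data object the JBIG2 filter expects. */
typedef struct {
    const unsigned char *data;
    size_t size;
} jbig2_global_data_t;

#define r_has_type(r, t) ((r)->type == (t))
#define r_ptr(r, T)      ((T *)(r)->value.pstruct)

/* Vulnerable pattern: the dictionary entry is trusted to be a struct object,
 * so the integer 16#41 is reinterpreted as the pointer 0x41. */
jbig2_global_data_t *global_ctx_unchecked(const ref *sop)
{
    return r_ptr(sop, jbig2_global_data_t);
}

/* Hardened pattern: check the object type before reinterpreting the payload.
 * Returns 0 on success (*out is NULL when the key is absent) and -1 on a
 * type mismatch, which a PostScript operator would report as /typecheck. */
int global_ctx_checked(const ref *sop, jbig2_global_data_t **out)
{
    *out = NULL;
    if (sop == NULL)                 /* no .jbig2globalctx key: no global data */
        return 0;
    if (!r_has_type(sop, t_astruct)) /* wrong object type: refuse */
        return -1;
    *out = r_ptr(sop, jbig2_global_data_t);
    return 0;
}

/* Size of the global segment data, or 0 when there is none or the type is wrong. */
size_t global_ctx_size(const ref *sop)
{
    jbig2_global_data_t *ctx;
    if (global_ctx_checked(sop, &ctx) != 0 || ctx == NULL)
        return 0;
    return ctx->size;
}

int main(void)
{
    /* Constructed inputs: what the attacker's dictionary and a legitimate
     * dictionary would hand to the filter setup. */
    static const unsigned char segdata[4] = { 0x00, 0x00, 0x00, 0x01 };
    jbig2_global_data_t legit_ctx = { segdata, sizeof segdata };
    ref legit    = { t_astruct, { .pstruct = &legit_ctx } };
    ref attacker = { t_integer, { .intval  = 0x41 } };
    jbig2_global_data_t *ctx;

    /* Unchecked: the bogus pointer is produced; dereferencing it would fault. */
    printf("unchecked pointer from 16#41: %p\n",
           (void *)global_ctx_unchecked(&attacker));

    /* Checked: the integer is rejected, the real struct object is accepted. */
    printf("checked (attacker): %d\n", global_ctx_checked(&attacker, &ctx));
    printf("checked (legit):    %d, size %zu\n",
           global_ctx_checked(&legit, &ctx), global_ctx_size(&legit));
    return 0;
}
```

The unchecked path only prints the bogus pointer instead of dereferencing it, because that dereference is the segmentation fault the report reproduces; the checked path turns the same input into an error return that the caller can map to a PostScript error.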
Comment 1 Ken Sharp 2018-11-14 10:05:50 UTC
Fixed in commit 606a22e77e7f081781e99e44644cd0119f559e03