shithub: jbig2

Download patch

ref: 54d7ae33e6dfd2218c89809786a7b66898c2280a
parent: e0a50f1db9dc9adfe4b9001bed4c55a7dee56b31
author: Robin Watts <[email protected]>
date: Fri May 24 12:22:47 EDT 2013

JBIG2Dec: MUPDF fuzzing SEGV fixes

The changes herein solve SEGVs (and valgrind failures) seen when
fuzzing mupdf. The following are some files that show these up:

tests_private/fuzzing/mupdf/280.pdf.SIGSEGV.93c.2002
tests_private/fuzzing/mupdf/1112.pdf.SIGSEGV.9ab.128
tests_private/fuzzing/mupdf/1136.pdf.SIGSEGV.93c.154

--- a/jbig2_generic.c
+++ b/jbig2_generic.c
@@ -71,6 +71,9 @@
   printf("P4\n%d %d\n", GBW, GBH);
 #endif
 
+  if (GBW <= 0)
+    return 0;
+
   for (y = 0; y < GBH; y++)
     {
       uint32_t CONTEXT;
@@ -189,6 +192,9 @@
   printf("P4\n%d %d\n", GBW, GBH);
 #endif
 
+  if (GBW <= 0)
+    return 0;
+
   for (y = 0; y < GBH; y++)
     {
       uint32_t CONTEXT;
@@ -259,6 +265,9 @@
   printf("P4\n%d %d\n", GBW, GBH);
 #endif
 
+  if (GBW <= 0)
+    return 0;
+
   for (y = 0; y < GBH; y++)
     {
       uint32_t CONTEXT;
@@ -329,6 +338,9 @@
   printf("P4\n%d %d\n", GBW, GBH);
 #endif
 
+  if (GBW <= 0)
+    return 0;
+
   for (y = 0; y < GBH; y++)
     {
       uint32_t CONTEXT;
@@ -399,6 +411,9 @@
 #ifdef OUTPUT_PBM
   printf("P4\n%d %d\n", GBW, GBH);
 #endif
+
+  if (GBW <= 0)
+    return 0;
 
   for (y = 0; y < GBH; y++)
     {
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -1084,6 +1084,7 @@
   if (flags & 0x0100) {
       jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number,
         "segment marks bitmap coding context as used (NYI)");
+      goto cleanup;
   } else {
       int stats_size = params.SDTEMPLATE == 0 ? 65536 :
           params.SDTEMPLATE == 1 ? 8192 : 1024;