[Poppler-bugs] [Bug 54090] Problems sent by Mateusz Jurczyk and Gynvael Coldwind
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Tue Sep 4 01:17:21 PDT 2012
https://bugs.freedesktop.org/show_bug.cgi?id=54090
--- Comment #20 from Thomas Freitag <Thomas.Freitag at alfa.de> 2012-09-04 08:17:21 UTC ---
(In reply to comment #16)
> Created attachment 66582 [details] [review]
> Patch for 782.pdf.SIGSEGV.68.1144
>
> Check for EOF in JPXStream::getImageParams() when skipping over unknown box
> types in the header. An invalid header in this pdf has an item with a length
> of 3255930980, and the valgrind run wouldn't complete in a reasonable time.
>
> Initialize img.ySize in JPXStream::readBoxes(). If the header turned out to be
> invalid, JPXStream::reset() set curY to an uninitialized value, which caused
> valgrind to complain on a test at the top of JPXStream::fillReadBuf().
The problem here seems to be, that the loop in JBIG2Stream::readSymbolDictSeg
while (i < numNewSyms) {
:::
never will end, because
arithDecoder->decodeInt(&dh, iadhStats);
works and add dh to symHeight, but
arithDecoder->decodeInt(&dw, iadwStats)
will return false and therefore it loops forever. If I add something like
symHeight += dh;
if (symHeight > 0x40000000) {
error(errSyntaxError, curStr->getPos(), "Bad height value in JBIG2 symbol
dictionary");
goto syntaxError;
}
it loops a long time, but it will finish, and the PDF finishes without any
further problems. Once again, I want to regtest that first.
--
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the Poppler-bugs
mailing list