[Poppler-bugs] [Bug 54090] Problems sent by Mateusz Jurczyk and Gynvael Coldwind

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Sep 4 01:17:21 PDT 2012


https://bugs.freedesktop.org/show_bug.cgi?id=54090

--- Comment #20 from Thomas Freitag <Thomas.Freitag at alfa.de> 2012-09-04 08:17:21 UTC ---
(In reply to comment #16)
> Created attachment 66582 [details] [review]
> Patch for 782.pdf.SIGSEGV.68.1144
> 
> Check for EOF in JPXStream::getImageParams() when skipping over unknown box
> types in the header.  An invalid header in this pdf has an item with a length
> of 3255930980, and the valgrind run wouldn't complete in a reasonable time.
> 
> Initialize img.ySize in JPXStream::readBoxes().  If the header turned out to be
> invalid, JPXStream::reset() set curY to an uninitialized value, which caused
> valgrind to complain on a test at the top of JPXStream::fillReadBuf().

The problem here seems to be that the loop in JBIG2Stream::readSymbolDictSeg

  while (i < numNewSyms) {
:::

will never end, because

      arithDecoder->decodeInt(&dh, iadhStats);

works and adds dh to symHeight, but

      arithDecoder->decodeInt(&dw, iadwStats)

will return false and therefore it loops forever. If I add something like

    symHeight += dh;
    if (symHeight > 0x40000000) {
      error(errSyntaxError, curStr->getPos(), "Bad height value in JBIG2 symbol dictionary");
      goto syntaxError;
    }

it loops a long time, but it will finish, and the PDF finishes without any
further problems. Once again, I want to regtest that first.

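As an added example (not Poppler's code and not part of the bug report), the nested height-class/width loop described in the comment is modelled in C++ with a scripted stand-in for arithDecoder->decodeInt(); the names readSymbolDictModel, DecodeFn, Outcome and the iteration cap are this example's own. It shows how a width decode that fails on every pass leaves i unchanged, so only the symHeight bound from the comment (or a decode-result check) ends the loop.

```cpp
// Added example, not Poppler's code: a reduced model of the height-class loop
// in JBIG2Stream::readSymbolDictSeg. It shows why a width decode that keeps
// failing leaves i unchanged (so the outer loop never ends) and how the
// symHeight bound proposed in the comment forces termination.
#include <climits>
#include <functional>

// Hypothetical stand-in for arithDecoder->decodeInt(): behaviour is scripted
// by the caller so the failure modes can be reproduced deterministically.
using DecodeFn = std::function<bool(int *)>;

enum class Outcome { Done, DecodeError, BadHeight, IterationCap };

struct LoopStats {
  Outcome outcome;
  long outerIterations;  // passes through the outer while loop
};

// maxHeight is the 0x40000000 bound from the comment; iterationCap is a
// safety valve for this demo only, so a non-terminating loop is reported
// instead of hanging.
LoopStats readSymbolDictModel(int numNewSyms, const DecodeFn &decodeHeight,
                              const DecodeFn &decodeWidth, int maxHeight,
                              long iterationCap) {
  int i = 0, symHeight = 0;
  long iters = 0;
  while (i < numNewSyms) {
    if (++iters > iterationCap) return {Outcome::IterationCap, iters};
    int dh = 0;
    // Check the decoder's result instead of using dh when it failed.
    if (!decodeHeight(&dh)) return {Outcome::DecodeError, iters};
    symHeight += dh;
    if (symHeight > maxHeight) return {Outcome::BadHeight, iters};
    int symWidth = 0;
    // Width loop: a false return is the out-of-band "end of height class"
    // marker, so it breaks out without advancing i. If that happens on the
    // first width every time, i never moves and only the bound above saves us.
    while (i < numNewSyms) {
      int dw = 0;
      if (!decodeWidth(&dw)) break;
      symWidth += dw;
      // ...symbol bitmap i of size symWidth x symHeight would be decoded here...
      ++i;
    }
    (void)symWidth;
  }
  return {Outcome::Done, iters};
}
```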