ref: 54d7ae33e6dfd2218c89809786a7b66898c2280a
parent: e0a50f1db9dc9adfe4b9001bed4c55a7dee56b31
author: Robin Watts <robin.watts@artifex.com>
date: Fri May 24 12:22:47 EDT 2013
JBIG2Dec: MUPDF fuzzing SEGV fixes The changes herein solve SEGVs (and valgrind failures) seen when fuzzing mupdf. The following are some files that show these up: tests_private/fuzzing/mupdf/280.pdf.SIGSEGV.93c.2002 tests_private/fuzzing/mupdf/1112.pdf.SIGSEGV.9ab.128 tests_private/fuzzing/mupdf/1136.pdf.SIGSEGV.93c.154
--- a/jbig2_generic.c
+++ b/jbig2_generic.c
@@ -71,6 +71,9 @@
printf("P4\n%d %d\n", GBW, GBH);#endif
+ if (GBW <= 0)
+ return 0;
+
for (y = 0; y < GBH; y++)
{uint32_t CONTEXT;
@@ -189,6 +192,9 @@
printf("P4\n%d %d\n", GBW, GBH);#endif
+ if (GBW <= 0)
+ return 0;
+
for (y = 0; y < GBH; y++)
{uint32_t CONTEXT;
@@ -259,6 +265,9 @@
printf("P4\n%d %d\n", GBW, GBH);#endif
+ if (GBW <= 0)
+ return 0;
+
for (y = 0; y < GBH; y++)
{uint32_t CONTEXT;
@@ -329,6 +338,9 @@
printf("P4\n%d %d\n", GBW, GBH);#endif
+ if (GBW <= 0)
+ return 0;
+
for (y = 0; y < GBH; y++)
{uint32_t CONTEXT;
@@ -399,6 +411,9 @@
#ifdef OUTPUT_PBM
printf("P4\n%d %d\n", GBW, GBH);#endif
+
+ if (GBW <= 0)
+ return 0;
for (y = 0; y < GBH; y++)
{--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -1084,6 +1084,7 @@
if (flags & 0x0100) {jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number,
"segment marks bitmap coding context as used (NYI)");
+ goto cleanup;
} else {int stats_size = params.SDTEMPLATE == 0 ? 65536 :
params.SDTEMPLATE == 1 ? 8192 : 1024;