[gs-bugs] [Bug 692574] New: Libjasper: creating temp failed due to buffer overflow

bugzilla-daemon at ghostscript.com bugzilla-daemon at ghostscript.com
Fri Oct 7 13:07:56 UTC 2011


http://bugs.ghostscript.com/show_bug.cgi?id=692574

           Summary: Libjasper: creating temp failed due to buffer overflow
           Product: Ghostscript
           Version: 9.04
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P4
         Component: JPX/JBIG2 encode/decode
        AssignedTo: support at artifex.com
        ReportedBy: hjpriester at gmail.com
         QAContact: gs-bugs at ghostscript.com


when trying to convert a pdf to a png with GhostScript 9.04 the program failed
with the following error:
unable to decode JPX image data.

   **** Warning: File has insufficient data for an image.

   **** This file had errors that were repaired or ignored.
   **** The file was produced by: 
   **** >>>> Adobe Acrobat 8.12 Image Conversion Plug-in <<<<
   **** Please notify the author of the software that produced this
   **** file that it does not conform to Adobe's published PDF
   **** specification.

After debbuging this the problem was that the tempfilename was going to
exceeding the buffer size and no file was opened resulting in this error.

In my case TEMP was set to:  /local/users/hj/mytempdir

The temporary file object is defined as in: jas_stream.h 

typedef struct {
        int fd;
        int flags;
#ifndef _WIN32
        char pathname[L_tmpnam + 1];
#else
        char pathname[_MAX_PATH + 1];
#endif
} jas_stream_fileobj_t;

L_tmpnam is on Unix defined as 20 but is also intended for use in combination
with tmpnam and not with mkstemp. It looks the bug is introduced when using
mkstemp.

Proposal for fix:
change L_tmpnam into PATH_MAX  (+add limits.h)

#include <limits.h>
typedef struct {
        int fd;
        int flags;
#ifndef _WIN32
        char pathname[PATH_MAX + 1];
#else
        char pathname[_MAX_PATH + 1];
#endif
} jas_stream_fileobj_t;


In my case this fixes the problem.

-- 
Configure bugmail: http://bugs.ghostscript.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.


More information about the gs-bugs mailing list