[gs-bugs] [Bug 692571] crash with Ghostscript 9.04 on Windows XP

bugzilla-daemon at ghostscript.com bugzilla-daemon at ghostscript.com
Sun Oct 9 18:55:43 UTC 2011 

http://bugs.ghostscript.com/show_bug.cgi?id=692571

Ray Johnston <ray.johnston at artifex.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #11 from Ray Johnston <ray.johnston at artifex.com> 2011-10-09 18:55:41 UTC ---
While this (sort of) avoids the segfault, we _still_ are getting garbage data
into the decoder. The -Zw output still shows:

[w]Luratech JBIG2 info Segment number           :  824193056
[w]Luratech JBIG2 WARNING Skipping segment         :  824193056
[w]Luratech JBIG2 WARNING Unknown segment type     :  47
[w]Luratech JBIG2 info Segment type             :  47 (Unknown)
[w]Luratech JBIG2 info Referred to segments     :  3
[w]Luratech JBIG2 info Page association         :  840970272
[w]Luratech JBIG2 WARNING Unable to find requested segment!
[w]Luratech JBIG2 WARNING Unable to find referred-to segment (1779055676)!
[w]Luratech JBIG2 WARNING Attempting to continue decoding!
[w]Luratech JBIG2 WARNING Retain bit should be 1 for referred to segment
(1779055676)!
[w]Luratech JBIG2 WARNING Attempting to continue decoding!
[w]Luratech JBIG2 WARNING Unable to find requested segment!
[w]Luratech JBIG2 WARNING Unable to find referred-to segment (793535854)!
[w]Luratech JBIG2 WARNING Attempting to continue decoding!
[w]Luratech JBIG2 WARNING Retain bit should be 1 for referred to segment
(793535854)!
[w]Luratech JBIG2 WARNING Attempting to continue decoding!
[w]Luratech JBIG2 WARNING Unable to find requested segment!
[w]Luratech JBIG2 WARNING Unable to find referred-to segment (1735682080)!
[w]Luratech JBIG2 WARNING Attempting to continue decoding!
[w]Luratech JBIG2 WARNING Retain bit should be 1 for referred to segment
(1735682080)!
[w]Luratech JBIG2 WARNING Attempting to continue decoding!
[w]Luratech JBIG2 info Segment data position    :  178298 (824193056)

The data being read after segment 45 is actually from the next object.
Memory dump:
0x01D038B6  31 20 30 20 6f 62 6a 0a 3c 3c 2f 4c 65 6e 67 74  1 0 obj.<</Lengt
0x01D038C6  68 20 32 20 30 20 52 3e 3e 0a 73 74 72 65 61 6d  h 2 0 R>>.stream
0x01D038D6  0a 00 00 00 01 00 00 00 00 01 7f df 00 00 03 ff  ...........ß...ÿ

Since the data following a corrupted JBIG2 stream could be anything, I'm sure
we can move objects around and make this type of file still fail, although I
might have to try harder to come up with a segfault.

I maintain that we need to prevent reading into the header of another object
(per comment 9).

Re-opening for discussion.

Reopening

-- 
Configure bugmail: http://bugs.ghostscript.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

More information about the gs-bugs mailing list