Bug 36693 - poppler: crash on truncated JPEG/DCT stream
Summary: poppler: crash on truncated JPEG/DCT stream
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
Importance: medium minor
Assignee: poppler-bugs
 
Reported: 2011-04-29 12:13 UTC by Tomas Hoger
Modified: 2011-07-19 23:56 UTC (History)


Attachments
Test case (3.61 KB, application/pdf)
2011-04-29 12:14 UTC, Tomas Hoger
Details

Description Tomas Hoger 2011-04-29 12:13:19 UTC
Attached fuzzed PDF from Sauli Pahlman crashes poppler at or around DCTStream::reset.  The reason for the crash is that the file contains a truncated JPEG image which does not contain a full image header.  jpeg_read_header() called from DCTStream::reset returns JPEG_SUSPENDED and some of the cinfo struct members are not properly set, causing a NULL pointer dereference crash on this specific file.

This change avoids the crash on this file:

index 78cd59d..e96ec5a 100644
--- a/poppler/DCTStream.cc
+++ b/poppler/DCTStream.cc
@@ -141,8 +141,7 @@ void DCTStream::reset() {
     }
   }
 
-  if (!setjmp(err.setjmp_buffer)) {
-    jpeg_read_header(&cinfo, TRUE);
+  if (!setjmp(err.setjmp_buffer) && jpeg_read_header(&cinfo, TRUE) != JPEG_SUSPENDED) {
 
     // figure out color transform
     if (colorXform == -1 && !cinfo.saw_Adobe_marker) {
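Review bot: the new condition on the `+  if (!setjmp(err.setjmp_buffer) && jpeg_read_header(&cinfo, TRUE) != JPEG_SUSPENDED) {` line only excludes one return value; testing for `== JPEG_HEADER_OK` states the intent directly and also covers any other non-OK status, and the hunk's context stops at the color-transform check, so it does not show how reset() leaves the object when the header read suspends. Since the description says the crash comes from cinfo members that were never set, it would be worth recording the failed header read in the stream object so that whatever reads decoded data after reset() sees end-of-stream rather than a half-initialised cinfo. The `&&` ordering itself is fine: a hard libjpeg error still longjmps into the setjmp branch before the comparison runs.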
Comment 1 Tomas Hoger 2011-04-29 12:14:14 UTC
Created attachment 46166 [details]
Test case
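The truncation the report describes, as an added illustration that is not part of the bug or of poppler's code: a marker walk that decides whether a DCT stream's header is complete (SOI, a SOFn and SOS all present and no segment cut short) before a decoder is handed the data. The status names and the sample byte strings are constructed here and are not taken from the attached test case.

```c
#include <stddef.h>
#include <stdint.h>

enum hdr_status { HDR_OK, HDR_TRUNCATED, HDR_INVALID };

/* Walk JPEG marker segments until SOS. Returns HDR_OK when SOI, a SOFn and
 * SOS are all present inside buf, HDR_TRUNCATED when the data ends before
 * SOS or inside a segment (the condition behind this bug), HDR_INVALID when
 * the bytes are not a JPEG marker stream at all. */
enum hdr_status jpeg_header_status(const uint8_t *buf, size_t len)
{
    size_t pos = 2;
    int saw_sof = 0;
    if (len < 2) return HDR_TRUNCATED;
    if (buf[0] != 0xFF || buf[1] != 0xD8) return HDR_INVALID;   /* no SOI */
    for (;;) {
        uint8_t marker;
        size_t seglen;
        if (pos >= len) return HDR_TRUNCATED;
        if (buf[pos] != 0xFF) return HDR_INVALID;
        while (pos < len && buf[pos] == 0xFF) pos++;             /* fill bytes */
        if (pos >= len) return HDR_TRUNCATED;
        marker = buf[pos++];
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD8))
            continue;                                 /* stand-alone, no length */
        if (marker == 0xD9) return HDR_INVALID;       /* EOI: stream has no scan */
        /* All remaining markers carry a 2-byte big-endian length that counts itself. */
        if (pos + 2 > len) return HDR_TRUNCATED;
        seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (seglen < 2) return HDR_INVALID;
        if (pos + seglen > len) return HDR_TRUNCATED;  /* segment cut short */
        if (marker >= 0xC0 && marker <= 0xCF &&
            marker != 0xC4 && marker != 0xC8 && marker != 0xCC)
            saw_sof = 1;                              /* SOFn: frame geometry */
        if (marker == 0xDA)                           /* SOS: header complete */
            return saw_sof ? HDR_OK : HDR_INVALID;
        pos += seglen;
    }
}

/* Constructed samples (not from the attached test case). */
static const uint8_t HDR_COMPLETE[] = {
    0xFF, 0xD8,                                                             /* SOI */
    0xFF, 0xC0, 0x00, 0x0B, 0x08, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x11, 0x00, /* SOF0, 1x1, 1 comp */
    0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00 };           /* SOS */
static const uint8_t HDR_CUT_IN_APP0[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F' };
```

HDR_CUT_IN_APP0 declares a 16-byte APP0 segment but supplies only two payload bytes, which is the shape of header a suspending libjpeg source manager reports back as JPEG_SUSPENDED.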
Comment 2 Albert Astals Cid 2011-07-19 15:23:33 UTC
Thanks for the patch, will be in the next release.

