Created attachment 41735 [details] patch to call setjmp before jpeg_create_decompress() Kouhei Sutou noticed that DCTStream::init() does not setjmp before calling jpeg_create_decompress(), which may call error_exit in exceptional cases and cause longjmp with an uninitialized jmp_buf. I may be paranoiac here, but anyway I'm attaching a patch.
Your patch is not correct, it will leave row_buffer unitialized if it fails and the program will crash afterwards anyway. Please handle correctly the failure case
Created attachment 41782 [details] [review] patch to call setjmp before jpeg_create_decompress() Thanks. The attached patch makes sure to initialize row_buffer even if jpeg_create_decompress() fails. Though DCTStream still keeps uninitialized cinfo after failure, I think that it is safe since each jpeg_*() checks the state internally.
There's still something that needs improvement, i did diff --git a/poppler/DCTStream.cc b/poppler/DCTStream.cc index 212a8bd..34db5bf 100644 --- a/poppler/DCTStream.cc +++ b/poppler/DCTStream.cc @@ -91,8 +91,10 @@ void DCTStream::init() limit = NULL; cinfo.err = &jerr; - jpeg_create_decompress(&cinfo); - cinfo.src = (jpeg_source_mgr *)&src; + if (false && !setjmp(src.setjmp_buffer)) { + jpeg_create_decompress(&cinfo); + cinfo.src = (jpeg_source_mgr *)&src; + } row_buffer = NULL; } To simulate a "failure" of jpeg_create_decompress and then ran pdftoppm over a file that uses that code and still crashes. Could you try to find what is the problem?
Created attachment 41798 [details] [review] patch to call setjmp before jpeg_create_decompress() Right, sorry for bothering you. I'm attaching a new patch, which I tested with: - edit /usr/include/jpeglib.h to change JPEG_LIB_VERSION (80 -> 81 here) - rebuild poppler - run cpp/tests/poppler-render -o foo.png ~/pdf-embedding-jpeg.pdf Actually the previous patches crash poppler-render :-(
Created attachment 41799 [details] [review] patch to call setjmp before jpeg_create_decompress() Sorry again, the previous patch breaks the normal case... This patch should work with both cases.
Created attachment 41802 [details] [review] patch to call setjmp before jpeg_create_decompress() Moved setjmp_buffer from str_src_mgr to a wrapper struct of jpeg_error_mgr so as to catch failures after cinfo->src is cleared in jpeg_create_decompress().
Commited, thanks.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.