=================BUG_1=================
JPXStream::readTilePartData received SIGSEGV Memory Corruption Vulnerability

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb4bc1b40 (LWP 17603)]
[----------------------------------registers-----------------------------------]
EAX: 0x41 ('A')
EBX: 0xb43a9ff4 --> 0x1b0ba4
ECX: 0x0
EDX: 0xb4e35bf0 --> 0xb43a72c8 --> 0xb4258390 (<_ZN9JPXStreamD2Ev>: sub esp,0x1c)
ESI: 0xb4e16388 --> 0xb43a7b88 --> 0xb42a4ff0 (<_ZN23GfxDeviceGrayColorSpaceD2Ev>: push ebx)
EDI: 0xb4e35bf0 --> 0xb43a72c8 --> 0xb4258390 (<_ZN9JPXStreamD2Ev>: sub esp,0x1c)
EBP: 0x67cd3c20
ESP: 0xb4bc0660 --> 0xb4e00048 --> 0xb4e25448 --> 0x0
EIP: 0xb425b1b9 (<_ZN9JPXStream16readTilePartDataEjjb+137>: mov edi,DWORD PTR [ebp+0x48])
EFLAGS: 0x10a03 (CARRY parity adjust zero sign trap INTERRUPT direction OVERFLOW)
[-------------------------------------code-------------------------------------]
   0xb425b1a8 <_ZN9JPXStream16readTilePartDataEjjb+120>: mov eax,DWORD PTR [esp+0xa8]
   0xb425b1af <_ZN9JPXStream16readTilePartDataEjjb+127>: mov esi,DWORD PTR [edx+0x28]
   0xb425b1b2 <_ZN9JPXStream16readTilePartDataEjjb+130>: mov edx,DWORD PTR [esp+0xa0]
=> 0xb425b1b9 <_ZN9JPXStream16readTilePartDataEjjb+137>: mov edi,DWORD PTR [ebp+0x48]
   0xb425b1bc <_ZN9JPXStream16readTilePartDataEjjb+140>: mov DWORD PTR [esp+0x48],ebp
   0xb425b1c0 <_ZN9JPXStream16readTilePartDataEjjb+144>: mov DWORD PTR [esp+0x4],eax
   0xb425b1c4 <_ZN9JPXStream16readTilePartDataEjjb+148>: mov DWORD PTR [esp],edx
   0xb425b1c7 <_ZN9JPXStream16readTilePartDataEjjb+151>: call 0xb425b0d0 <_ZN9JPXStream11startBitBufEj>
[------------------------------------stack-------------------------------------]
0000| 0xb4bc0660 --> 0xb4e00048 --> 0xb4e25448 --> 0x0
0004| 0xb4bc0664 --> 0x1
0008| 0xb4bc0668 --> 0x400
0012| 0xb4bc066c --> 0x48 ('H')
0016| 0xb4bc0670 --> 0x10
0020| 0xb4bc0674 --> 0x418
0024| 0xb4bc0678 --> 0x2
0028| 0xb4bc067c --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0xb425b1b9 in JPXStream::readTilePartData(unsigned int, unsigned int, bool) () from /usr/lib/i386-linux-gnu/libpoppler.so.19
gdb-peda$

=========(gdb exploitable log)=============
Linux 3.2 Ubuntu 12.04.1 LTS
Evince 3.4.0
Program received signal SIGSEGV, Segmentation fault. — Trace 234617
Thread 3045059392 (LWP 2951)
#0  JPXStream::readTilePartData(unsigned int, unsigned int, bool) from /usr/lib/i386-linux-gnu/libpoppler.so.19
#1  JPXStream::readTilePart() from /usr/lib/i386-linux-gnu/libpoppler.so.19
#2  JPXStream::readCodestream(unsigned int) from /usr/lib/i386-linux-gnu/libpoppler.so.19
#3  JPXStream::readBoxes() from /usr/lib/i386-linux-gnu/libpoppler.so.19
#4  JPXStream::reset() from /usr/lib/i386-linux-gnu/libpoppler.so.19
#5  ImageStream::reset() from /usr/lib/i386-linux-gnu/libpoppler.so.19
#6  CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) from /usr/lib/i386-linux-gnu/libpoppler-glib.so.8
#7  Gfx::doImage(Object*, Stream*, bool) from /usr/lib/i386-linux-gnu/libpoppler.so.19
#8  Gfx::opXObject(Object*, int) from /usr/lib/i386-linux-gnu/libpoppler.so.19
#9  Gfx::execOp(Object*, Object*, int) from /usr/lib/i386-linux-gnu/libpoppler.so.19
#10 Gfx::go(bool) from /usr/lib/i386-linux-gnu/libpoppler.so.19
#11 Gfx::display(Object*, bool) from /usr/lib/i386-linux-gnu/libpoppler.so.19
#12 Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, Catalog*, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) from /usr/lib/i386-linux-gnu/libpoppler.so.19
#13 ?? from /usr/lib/i386-linux-gnu/libpoppler-glib.so.8
#14 ?? from /usr/lib/evince/4/backends/libpdfdocument.so
#15 ?? from /usr/lib/evince/4/backends/libpdfdocument.so
#16 ev_document_render from /usr/lib/libevdocument3.so.4
#17 ?? from /usr/lib/libevview3.so.3
#18 ev_job_run from /usr/lib/libevview3.so.3
#19 ?? from /usr/lib/libevview3.so.3
#20 ?? from /lib/i386-linux-gnu/libglib-2.0.so.0
#21 start_thread at pthread_create.c line 308
#22 clone at ../sysdeps/unix/sysv/linux/i386/clone.S line 130

eax            0x41        65
ecx            0x0         0
edx            0xb3dcae98  -1277383016
ebx            0xb43ffff4  -1270874124
esp            0xb57fd660  0xb57fd660
ebp            0xfdacfda5  0xfdacfda5
esi            0x40844800  1082411008
edi            0xb3dcae98  -1277383016
eip            0xb42b11b9  0xb42b11b9 <JPXStream::readTilePartData(unsigned int, unsigned int, bool)+137>
eflags         0x10286     [ PF SF IF RF ]
cs             0x73        115
ss             0x7b        123
ds             0x7b        123
es             0x7b        123
fs             0x0         0
gs             0x33        51

=> 0xb42b11b9 <_ZN9JPXStream16readTilePartDataEjjb+137>: mov edi,DWORD PTR [ebp+0x48]

Dump of assembler code for function _ZN9JPXStream16readTilePartDataEjjb:
   0xb42b1130 <+0>: push ebp
   0xb42b1131 <+1>: push edi
   0xb42b1132 <+2>: push esi
   0xb42b1133 <+3>: push ebx
   0xb42b1134 <+4>: sub esp,0x8c
   0xb42b113a <+10>: mov ebp,DWORD PTR [esp+0xa0]
   0xb42b1141 <+17>: imul esi,DWORD PTR [esp+0xa4],0x34
   0xb42b1149 <+25>: call 0xb42a1b47
   0xb42b114e <+30>: add ebx,0x14eea6
   0xb42b1154 <+36>: movzx edx,BYTE PTR [esp+0xac]
   0xb42b115c <+44>: mov ebp,DWORD PTR [ebp+0xb4]
   0xb42b1162 <+50>: mov BYTE PTR [esp+0x6f],dl
   0xb42b1166 <+54>: add esi,ebp
   0xb42b1168 <+56>: mov DWORD PTR [esp+0x34],esi
   0xb42b116c <+60>: cmp BYTE PTR [esp+0x6f],0x0
   0xb42b1171 <+65>: jne 0xb42b1182 <_ZN9JPXStream16readTilePartDataEjjb+82>
   0xb42b1173 <+67>: mov eax,DWORD PTR [esp+0xa8]
   0xb42b117a <+74>: test eax,eax
   0xb42b117c <+76>: je 0xb42b18bd <_ZN9JPXStream16readTilePartDataEjjb+1933>
   0xb42b1182 <+82>: mov edx,DWORD PTR [esp+0x34]
   0xb42b1186 <+86>: mov esi,DWORD PTR [esp+0x34]
   0xb42b118a <+90>: mov ebp,DWORD PTR [esp+0x34]
   0xb42b118e <+94>: imul edx,DWORD PTR [edx+0x20],0x58
   0xb42b1192 <+98>: mov esi,DWORD PTR [esi+0x30]
   0xb42b1195 <+101>: imul ebp,DWORD PTR [ebp+0x24],0x4c
   0xb42b1199 <+105>: add edx,esi
   0xb42b119b <+107>: mov eax,DWORD PTR [edx+0x54]
   0xb42b119e <+110>: mov DWORD PTR [esp+0x44],edx
   0xb42b11a2 <+114>: mov edx,DWORD PTR [esp+0x34]
   0xb42b11a6 <+118>: add ebp,eax
   0xb42b11a8 <+120>: mov eax,DWORD PTR [esp+0xa8]
   0xb42b11af <+127>: mov esi,DWORD PTR [edx+0x28]
   0xb42b11b2 <+130>: mov edx,DWORD PTR [esp+0xa0]
=> 0xb42b11b9 <+137>: mov edi,DWORD PTR [ebp+0x48]
   0xb42b11bc <+140>: mov DWORD PTR [esp+0x48],ebp
   0xb42b11c0 <+144>: mov DWORD PTR [esp+0x4],eax
   0xb42b11c4 <+148>: mov DWORD PTR [esp],edx
   0xb42b11c7 <+151>: call 0xb42b10d0 <_ZN9JPXStream11startBitBufEj>
   0xb42b11cc <+156>: mov ebp,DWORD PTR [esp+0xa0]
   0xb42b11d3 <+163>: lea ecx,[esp+0x7c]
   0xb42b11d7 <+167>: mov DWORD PTR [esp+0x8],ecx
   0xb42b11db <+171>: mov DWORD PTR [esp+0x4],0x1
   0xb42b11e3 <+179>: mov DWORD PTR [esp],ebp
   0xb42b11e6 <+182>: call 0xb42b0fd0 <_ZN9JPXStream8readBitsEiPj>
   0xb42b11eb <+187>: test al,al
   0xb42b11ed <+189>: je 0xb42b15e3 <_ZN9JPXStream16readTilePartDataEjjb+1203>
   0xb42b11f3 <+195>: lea eax,[esi+esi*4]
   0xb42b11f6 <+198>: lea eax,[edi+eax*4]
   0xb42b11f9 <+201>: mov DWORD PTR [esp+0x40],eax
   0xb42b11fd <+205>: mov eax,DWORD PTR [esp+0x7c]
   0xb42b1201 <+209>: test eax,eax
   0xb42b1203 <+211>: je 0xb42b14d8 <_ZN9JPXStream16readTilePartDataEjjb+936>
   0xb42b1209 <+217>: mov esi,DWORD PTR [esp+0x34]
   0xb42b120d <+221>: mov DWORD PTR [esp+0x64],0x0
   0xb42b1215 <+229>: mov DWORD PTR [esp+0x60],0x0
   0xb42b121d <+237>: mov edx,DWORD PTR [esi+0x24]
   0xb42b1220 <+240>: cmp edx,0x1
   0xb42b1223 <+243>: sbb eax,eax
   0xb42b1225 <+245>: and eax,0xfffffffe
   0xb42b1228 <+248>: add eax,0x3
   0xb42b122b <+251>: cmp DWORD PTR [esp+0x60],eax
   0xb42b122f <+255>: jae 0xb42b13c8 <_ZN9JPXStream16readTilePartDataEjjb+664>
   0xb42b1235 <+261>: mov ebp,DWORD PTR [esp+0x40]
   0xb42b1239 <+265>: mov edi,DWORD PTR [esp+0x64]
   0xb42b123d <+269>: add edi,DWORD PTR [ebp+0x10]
   0xb42b1240 <+272>: mov eax,DWORD PTR [edi+0x14]
   0xb42b1243 <+275>: test eax,eax
   0xb42b1245 <+277>: je 0xb42b13b2 <_ZN9JPXStream16readTilePartDataEjjb+642>
   0xb42b124b <+283>: mov edx,DWORD PTR [edi+0x10]
   0xb42b124e <+286>: mov DWORD PTR [esp+0x3c],0x0
   0xb42b1256 <+294>: test edx,edx
   0xb42b1258 <+296>: je 0xb42b1399 <_ZN9JPXStream16readTilePartDataEjjb+617>
   0xb42b125e <+302>: mov DWORD PTR [esp+0x30],0x0
   0xb42b1266 <+310>: mov esi,DWORD PTR [esp+0x3c]
   0xb42b126a <+314>: imul esi,edx
   0xb42b126d <+317>: add esi,DWORD PTR [esp+0x30]
   0xb42b1271 <+321>: imul esi,esi,0x38
   0xb42b1274 <+324>: add esi,DWORD PTR [edi+0x24]
   0xb42b1277 <+327>: mov eax,DWORD PTR [esi+0x8]
   0xb42b127a <+330>: cmp DWORD PTR [esi],eax
   0xb42b127c <+332>: jae 0xb42b1383 <_ZN9JPXStream16readTilePartDataEjjb+595>
   0xb42b1282 <+338>: mov ecx,DWORD PTR [esi+0xc]
   0xb42b1285 <+341>: cmp DWORD PTR [esi+0x4],ecx
   0xb42b1288 <+344>: jae 0xb42b1383 <_ZN9JPXStream16readTilePartDataEjjb+595>
   0xb42b128e <+350>: cmp BYTE PTR [esi+0x10],0x0
   0xb42b1292 <+354>: jne 0xb42b1611 <_ZN9JPXStream16readTilePartDataEjjb+1249>
   0xb42b1298 <+360>: mov ecx,DWORD PTR [edi+0x18]
   0xb42b129b <+363>: test ecx,ecx
   0xb42b129d <+365>: mov DWORD PTR [esp+0x38],ecx
   0xb42b12a1 <+369>: js 0xb42b17c0 <_ZN9JPXStream16readTilePartDataEjjb+1680>
   0xb42b12a7 <+375>: mov ebp,DWORD PTR [esp+0x34]
   0xb42b12ab <+379>: mov eax,DWORD PTR [edi+0x1c]
   0xb42b12ae <+382>: mov DWORD PTR [esp+0x54],0x0
   0xb42b12b6 <+390>: mov DWORD PTR [esp+0x2c],0x0
   0xb42b12be <+398>: mov ecx,DWORD PTR [ebp+0x2c]
   0xb42b12c1 <+401>: mov DWORD PTR [esp+0x4c],esi
   0xb42b12c5 <+405>: mov ebp,ecx
   0xb42b12c7 <+407>: movzx ecx,BYTE PTR [esp+0x38]
   0xb42b12cc <+412>: mov esi,0x1
   0xb42b12d1 <+417>: shl esi,cl
   0xb42b12d3 <+419>: lea edx,[esi+edx*1-0x1]
   0xb42b12d7 <+423>: mov DWORD PTR [esp+0x58],esi
   0xb42b12db <+427>: mov esi,DWORD PTR [edi+0x14]
   0xb42b12de <+430>: shr edx,cl
   0xb42b12e0 <+432>: mov DWORD PTR [esp+0x50],edx
   0xb42b12e4 <+436>: mov edx,DWORD PTR [esp+0x30]
   0xb42b12e8 <+440>: mov DWORD PTR [esp+0x68],esi
   0xb42b12ec <+444>: mov esi,DWORD PTR [esp+0x54]
   0xb42b12f0 <+448>: shr edx,cl
   0xb42b12f2 <+450>: add esi,edx
   0xb42b12f4 <+452>: mov edx,DWORD PTR [esp+0x3c]
   0xb42b12f8 <+456>: shr edx,cl
   0xb42b12fa <+458>: imul edx,DWORD PTR [esp+0x50]
   0xb42b12ff <+463>: add esi,edx
   0xb42b1301 <+465>: shl esi,0x3
   0xb42b1304 <+468>: mov ecx,esi
   0xb42b1306 <+470>: add ecx,eax
   0xb42b1308 <+472>: movzx edx,BYTE PTR [ecx]
   0xb42b130b <+475>: mov DWORD PTR [esp+0x24],esi
   0xb42b130f <+479>: mov esi,DWORD PTR [ecx+0x4]
   0xb42b1312 <+482>: test dl,dl
   0xb42b1314 <+484>: jne 0xb42b17de <_ZN9JPXStream16readTilePartDataEjjb+1710>
   0xb42b131a <+490>: test esi,esi
   0xb42b131c <+492>: mov DWORD PTR [esp+0x5c],esi
   0xb42b1320 <+496>: jne 0xb42b17da <_ZN9JPXStream16readTilePartDataEjjb+1706>
   0xb42b1326 <+502>: mov esi,DWORD PTR [esp+0x2c]
   0xb42b132a <+506>: mov DWORD PTR [ecx+0x4],esi
   0xb42b132d <+509>: mov esi,DWORD PTR [esp+0x24]
   0xb42b1331 <+513>: lea esi,[esi+eiz*1+0x0]
   0xb42b1338 <+520>: test dl,dl
   0xb42b133a <+522>: je 0xb42b1758 <_ZN9JPXStream16readTilePartDataEjjb+1576>
   0xb42b1340 <+528>: mov esi,DWORD PTR [esp+0x2c]
   0xb42b1344 <+532>: cmp esi,ebp
   0xb42b1346 <+534>: mov DWORD PTR [ecx+0x4],esi
   0xb42b1349 <+537>: ja 0xb42b18c7 <_ZN9JPXStream16readTilePartDataEjjb+1943>
   0xb42b134f <+543>: mov ecx,DWORD PTR [esp+0x58]
   0xb42b1353 <+547>: mov esi,DWORD PTR [esp+0x68]
   0xb42b1357 <+551>: lea edx,[ecx+esi*1-0x1]
   0xb42b135b <+555>: movzx ecx,BYTE PTR [esp+0x38]
   0xb42b1360 <+560>: sub DWORD PTR [esp+0x38],0x1
   0xb42b1365 <+565>: shr edx,cl
   0xb42b1367 <+567>: imul edx,DWORD PTR [esp+0x50]
   0xb42b136c <+572>: add DWORD PTR [esp+0x54],edx
   0xb42b1370 <+576>: cmp DWORD PTR [esp+0x38],0xffffffff
   0xb42b1375 <+581>: je 0xb42b18c7 <_ZN9JPXStream16readTilePartDataEjjb+1943>
   0xb42b137b <+587>: mov edx,DWORD PTR [edi+0x10]
   0xb42b137e <+590>: jmp 0xb42b12c7 <_ZN9JPXStream16readTilePartDataEjjb+407>
   0xb42b1383 <+595>: mov DWORD PTR [esi+0x20],0x0
   0xb42b138a <+602>: add DWORD PTR [esp+0x30],0x1
   0xb42b138f <+607>: cmp edx,DWORD PTR [esp+0x30]
   0xb42b1393 <+611>: ja 0xb42b1266 <_ZN9JPXStream16readTilePartDataEjjb+310>
   0xb42b1399 <+617>: add DWORD PTR [esp+0x3c],0x1
   0xb42b139e <+622>: mov esi,DWORD PTR [esp+0x3c]
   0xb42b13a2 <+626>: cmp DWORD PTR [edi+0x14],esi
   0xb42b13a5 <+629>: ja 0xb42b1256 <_ZN9JPXStream16readTilePartDataEjjb+294>
   0xb42b13ab <+635>: mov ebp,DWORD PTR [esp+0x34]
   0xb42b13af <+639>: mov edx,DWORD PTR [ebp+0x24]
   0xb42b13b2 <+642>: add DWORD PTR [esp+0x60],0x1
   0xb42b13b7 <+647>: add DWORD PTR [esp+0x64],0x28
   0xb42b13bc <+652>: jmp 0xb42b1220 <_ZN9JPXStream16readTilePartDataEjjb+240>
   0xb42b13c1 <+657>: lea esi,[esi+eiz*1+0x0]
   0xb42b13c8 <+664>: mov edx,DWORD PTR [esp+0xa0]
   0xb42b13cf <+671>: mov DWORD PTR [esp],edx
   0xb42b13d2 <+674>: call 0xb42b10f0 <_ZN9JPXStream12finishBitBufEv>
   0xb42b13d7 <+679>: mov esi,DWORD PTR [esp+0x34]
   0xb42b13db <+683>: mov DWORD PTR [esp+0x38],0x0
   0xb42b13e3 <+691>: mov DWORD PTR [esp+0x30],0x0
   0xb42b13eb <+699>: mov ecx,DWORD PTR [esi+0x24]
   0xb42b13ee <+702>: mov DWORD PTR [esp+0xa8],eax
   0xb42b13f5 <+709>: cmp ecx,0x1
   0xb42b13f8 <+712>: sbb eax,eax
   0xb42b13fa <+714>: and eax,0xfffffffe
   0xb42b13fd <+717>: add eax,0x3
   0xb42b1400 <+720>: cmp DWORD PTR [esp+0x30],eax
   0xb42b1404 <+724>: jae 0xb42b190b <_ZN9JPXStream16readTilePartDataEjjb+2011>
   0xb42b140a <+730>: mov edx,DWORD PTR [esp+0x40]
   0xb42b140e <+734>: mov ebp,DWORD PTR [esp+0x38]
   0xb42b1412 <+738>: add ebp,DWORD PTR [edx+0x10]
   0xb42b1415 <+741>: mov eax,DWORD PTR [ebp+0x14]
   0xb42b1418 <+744>: test eax,eax
   0xb42b141a <+746>: je 0xb42b14bc <_ZN9JPXStream16readTilePartDataEjjb+908>
   0xb42b1420 <+752>: mov eax,DWORD PTR [ebp+0x10]
   0xb42b1423 <+755>: xor edx,edx
   0xb42b1425 <+757>: xor edi,edi
   0xb42b1427 <+759>: test eax,eax
   0xb42b1429 <+761>: jne 0xb42b1437 <_ZN9JPXStream16readTilePartDataEjjb+775>
   0xb42b142b <+763>: jmp 0xb42b14b0 <_ZN9JPXStream16readTilePartDataEjjb+896>
   0xb42b1430 <+768>: add edi,0x1
   0xb42b1433 <+771>: cmp eax,edi
   0xb42b1435 <+773>: jbe 0xb42b14b0 <_ZN9JPXStream16readTilePartDataEjjb+896>
   0xb42b1437 <+775>: mov esi,eax
   0xb42b1439 <+777>: imul esi,edx
   0xb42b143c <+780>: add esi,edi
   0xb42b143e <+782>: imul esi,esi,0x38
   0xb42b1441 <+785>: add esi,DWORD PTR [ebp+0x24]
   0xb42b1444 <+788>: cmp DWORD PTR [esi+0x20],0x0
   0xb42b1448 <+792>: je 0xb42b1430 <_ZN9JPXStream16readTilePartDataEjjb+768>
   0xb42b144a <+794>: mov eax,DWORD PTR [esp+0x30]
   0xb42b144e <+798>: mov DWORD PTR [esp+0x14],ecx
   0xb42b1452 <+802>: mov ecx,DWORD PTR [esp+0x40]
   0xb42b1456 <+806>: mov DWORD PTR [esp+0x28],edx
   0xb42b145a <+810>: mov DWORD PTR [esp+0x1c],esi
   0xb42b145e <+814>: mov DWORD PTR [esp+0x18],eax
   0xb42b1462 <+818>: mov eax,DWORD PTR [esp+0x48]
   0xb42b1466 <+822>: mov DWORD PTR [esp+0xc],ecx
   0xb42b146a <+826>: mov ecx,DWORD PTR [esp+0x44]
   0xb42b146e <+830>: mov DWORD PTR [esp+0x10],ebp
   0xb42b1472 <+834>: mov DWORD PTR [esp+0x8],eax
   0xb42b1476 <+838>: mov eax,DWORD PTR [esp+0xa0]
   0xb42b147d <+845>: mov DWORD PTR [esp+0x4],ecx
   0xb42b1481 <+849>: mov DWORD PTR [esp],eax
   0xb42b1484 <+852>: call 0xb42ae7a0 <_ZN9JPXStream17readCodeBlockDataEP11JPXTileCompP11JPXResLevelP11JPXPrecinctP10JPXSubbandjjP12JPXCodeBlock>
   0xb42b1489 <+857>: mov edx,DWORD PTR [esp+0x28]
   0xb42b148d <+861>: test al,al
   0xb42b148f <+863>: je 0xb42b14cb <_ZN9JPXStream16readTilePartDataEjjb+923>
   0xb42b1491 <+865>: mov eax,DWORD PTR [ebp+0x10]
   0xb42b1494 <+868>: add edi,0x1
   0xb42b1497 <+871>: mov ecx,DWORD PTR [esi+0x28]
   0xb42b149a <+874>: mov BYTE PTR [esi+0x10],0x1
   0xb42b149e <+878>: mov esi,DWORD PTR [esp+0x34]
   0xb42b14a2 <+882>: sub DWORD PTR [esp+0xa8],ecx
   0xb42b14a9 <+889>: cmp eax,edi
   0xb42b14ab <+891>: mov ecx,DWORD PTR [esi+0x24]
   0xb42b14ae <+894>: ja 0xb42b1437 <_ZN9JPXStream16readTilePartDataEjjb+775>
   0xb42b14b0 <+896>: add edx,0x1
   0xb42b14b3 <+899>: cmp DWORD PTR [ebp+0x14],edx
   0xb42b14b6 <+902>: ja 0xb42b1425 <_ZN9JPXStream16readTilePartDataEjjb+757>
   0xb42b14bc <+908>: add DWORD PTR [esp+0x30],0x1
   0xb42b14c1 <+913>: add DWORD PTR [esp+0x38],0x28
   0xb42b14c6 <+918>: jmp 0xb42b13f5 <_ZN9JPXStream16readTilePartDataEjjb+709>
   0xb42b14cb <+923>: xor eax,eax
   0xb42b14cd <+925>: add esp,0x8c
   0xb42b14d3 <+931>: pop ebx
   0xb42b14d4 <+932>: pop esi
   0xb42b14d5 <+933>: pop edi
   0xb42b14d6 <+934>: pop ebp
   0xb42b14d7 <+935>: ret
   0xb42b14d8 <+936>: mov ebp,DWORD PTR [esp+0x34]
   0xb42b14dc <+940>: mov DWORD PTR [esp+0x3c],0x0
   0xb42b14e4 <+948>: mov DWORD PTR [esp+0x38],0x0
   0xb42b14ec <+956>: mov ebp,DWORD PTR [ebp+0x24]
   0xb42b14ef <+959>: mov DWORD PTR [esp+0x4c],ebp
   0xb42b14f3 <+963>: nop
   0xb42b14f4 <+964>: lea esi,[esi+eiz*1+0x0]
   0xb42b14f8 <+968>: cmp DWORD PTR [esp+0x4c],0x1
   0xb42b14fd <+973>: sbb eax,eax
   0xb42b14ff <+975>: and eax,0xfffffffe
   0xb42b1502 <+978>: add eax,0x3
   0xb42b1505 <+981>: cmp DWORD PTR [esp+0x38],eax
   0xb42b1509 <+985>: jae 0xb42b13c8 <_ZN9JPXStream16readTilePartDataEjjb+664>
   0xb42b150f <+991>: mov edx,DWORD PTR [esp+0x40]
   0xb42b1513 <+995>: mov ebp,DWORD PTR [esp+0x3c]
   0xb42b1517 <+999>: add ebp,DWORD PTR [edx+0x10]
   0xb42b151a <+1002>: mov ecx,DWORD PTR [ebp+0x14]
   0xb42b151d <+1005>: test ecx,ecx
   0xb42b151f <+1007>: mov DWORD PTR [esp+0x2c],ecx
   0xb42b1523 <+1011>: je 0xb42b1565 <_ZN9JPXStream16readTilePartDataEjjb+1077>
   0xb42b1525 <+1013>: mov ecx,DWORD PTR [ebp+0x10]
   0xb42b1528 <+1016>: xor edi,edi
   0xb42b152a <+1018>: imul esi,ecx,0x38
   0xb42b152d <+1021>: mov DWORD PTR [esp+0x30],esi
   0xb42b1531 <+1025>: xor esi,esi
   0xb42b1533 <+1027>: nop
   0xb42b1534 <+1028>: lea esi,[esi+eiz*1+0x0]
   0xb42b1538 <+1032>: test ecx,ecx
   0xb42b153a <+1034>: je 0xb42b1558 <_ZN9JPXStream16readTilePartDataEjjb+1064>
   0xb42b153c <+1036>: mov edx,DWORD PTR [ebp+0x24]
   0xb42b153f <+1039>: xor eax,eax
   0xb42b1541 <+1041>: add edx,edi
   0xb42b1543 <+1043>: add edx,0x20
   0xb42b1546 <+1046>: xchg ax,ax
   0xb42b1548 <+1048>: add eax,0x1
   0xb42b154b <+1051>: mov DWORD PTR [edx],0x0
   0xb42b1551 <+1057>: add edx,0x38
   0xb42b1554 <+1060>: cmp eax,ecx
   0xb42b1556 <+1062>: jne 0xb42b1548 <_ZN9JPXStream16readTilePartDataEjjb+1048>
   0xb42b1558 <+1064>: add esi,0x1
   0xb42b155b <+1067>: add edi,DWORD PTR [esp+0x30]
   0xb42b155f <+1071>: cmp esi,DWORD PTR [esp+0x2c]
   0xb42b1563 <+1075>: jne 0xb42b1538 <_ZN9JPXStream16readTilePartDataEjjb+1032>
   0xb42b1565 <+1077>: add DWORD PTR [esp+0x38],0x1
   0xb42b156a <+1082>: add DWORD PTR [esp+0x3c],0x28
   0xb42b156f <+1087>: jmp 0xb42b14f8 <_ZN9JPXStream16readTilePartDataEjjb+968>
   0xb42b1571 <+1089>: xor ebp,ebp
   0xb42b1573 <+1091>: mov DWORD PTR [esi+0x1c],ebp
   0xb42b1576 <+1094>: mov edx,DWORD PTR [esp+0xa0]
   0xb42b157d <+1101>: lea ebp,[esp+0x7c]
   0xb42b1581 <+1105>: mov DWORD PTR [esp+0x8],ebp
   0xb42b1585 <+1109>: mov DWORD PTR [esp+0x4],0x1
   0xb42b158d <+1117>: mov DWORD PTR [esp],edx
   0xb42b1590 <+1120>: call 0xb42b0fd0 <_ZN9JPXStream8readBitsEiPj>
   0xb42b1595 <+1125>: test al,al
   0xb42b1597 <+1127>: je 0xb42b15e3 <_ZN9JPXStream16readTilePartDataEjjb+1203>
   0xb42b1599 <+1129>: mov ebp,DWORD PTR [esp+0x7c]
   0xb42b159d <+1133>: test ebp,ebp
   0xb42b159f <+1135>: jne 0xb42b1847 <_ZN9JPXStream16readTilePartDataEjjb+1815>
   0xb42b15a5 <+1141>: mov DWORD PTR [esi+0x24],0x1
   0xb42b15ac <+1148>: jmp 0xb42b15c0 <_ZN9JPXStream16readTilePartDataEjjb+1168>
   0xb42b15ae <+1150>: xchg ax,ax
   0xb42b15b0 <+1152>: mov edx,DWORD PTR [esp+0x7c]
   0xb42b15b4 <+1156>: test edx,edx
   0xb42b15b6 <+1158>: je 0xb42b1813 <_ZN9JPXStream16readTilePartDataEjjb+1763>
   0xb42b15bc <+1164>: add DWORD PTR [esi+0x14],0x1
   0xb42b15c0 <+1168>: mov ebp,DWORD PTR [esp+0xa0]
   0xb42b15c7 <+1175>: lea ecx,[esp+0x7c]
   0xb42b15cb <+1179>: mov DWORD PTR [esp+0x8],ecx
   0xb42b15cf <+1183>: mov DWORD PTR [esp+0x4],0x1
   0xb42b15d7 <+1191>: mov DWORD PTR [esp],ebp
   0xb42b15da <+1194>: call 0xb42b0fd0 <_ZN9JPXStream8readBitsEiPj>
   0xb42b15df <+1199>: test al,al
   0xb42b15e1 <+1201>: jne 0xb42b15b0 <_ZN9JPXStream16readTilePartDataEjjb+1152>
   0xb42b15e3 <+1203>: mov esi,DWORD PTR [esp+0xa0]
   0xb42b15ea <+1210>: mov eax,DWORD PTR [esi]
   0xb42b15ec <+1212>: mov DWORD PTR [esp],esi
   0xb42b15ef <+1215>: call DWORD PTR [eax+0x30]
   0xb42b15f2 <+1218>: lea edx,[ebx-0x680b9]
   0xb42b15f8 <+1224>: mov DWORD PTR [esp+0x4],edx
   0xb42b15fc <+1228>: mov DWORD PTR [esp],eax
   0xb42b15ff <+1231>: call 0xb42d4020 <_Z5erroriPcz>
   0xb42b1604 <+1236>: add esp,0x8c
   0xb42b160a <+1242>: xor eax,eax
   0xb42b160c <+1244>: pop ebx
   0xb42b160d <+1245>: pop esi
   0xb42b160e <+1246>: pop edi
   0xb42b160f <+1247>: pop ebp
   0xb42b1610 <+1248>: ret
   0xb42b1611 <+1249>: mov ebp,DWORD PTR [esp+0xa0]
   0xb42b1618 <+1256>: lea eax,[esi+0x20]
   0xb42b161b <+1259>: mov DWORD PTR [esp+0x8],eax
   0xb42b161f <+1263>: mov DWORD PTR [esp+0x4],0x1
   0xb42b1627 <+1271>: mov DWORD PTR [esp],ebp
   0xb42b162a <+1274>: call 0xb42b0fd0 <_ZN9JPXStream8readBitsEiPj>
   0xb42b162f <+1279>: test al,al
   0xb42b1631 <+1281>: je 0xb42b15e3 <_ZN9JPXStream16readTilePartDataEjjb+1203>
   0xb42b1633 <+1283>: mov eax,DWORD PTR [esi+0x20]
   0xb42b1636 <+1286>: test eax,eax
   0xb42b1638 <+1288>: je 0xb42b17d2 <_ZN9JPXStream16readTilePartDataEjjb+1698>
   0xb42b163e <+1294>: cmp BYTE PTR [esi+0x10],0x0
   0xb42b1642 <+1298>: jne 0xb42b1576 <_ZN9JPXStream16readTilePartDataEjjb+1094>
   0xb42b1648 <+1304>: mov ecx,DWORD PTR [edi+0x18]
   0xb42b164b <+1307>: test ecx,ecx
   0xb42b164d <+1309>: mov DWORD PTR [esp+0x2c],ecx
   0xb42b1651 <+1313>: js 0xb42b1571 <_ZN9JPXStream16readTilePartDataEjjb+1089>
   0xb42b1657 <+1319>: mov eax,DWORD PTR [edi+0x20]
   0xb42b165a <+1322>: xor ebp,ebp
   0xb42b165c <+1324>: mov DWORD PTR [esp+0x50],0x0
   0xb42b1664 <+1332>: mov DWORD PTR [esp+0x68],esi
   0xb42b1668 <+1336>: movzx ecx,BYTE PTR [esp+0x2c]
   0xb42b166d <+1341>: mov esi,0x1
   0xb42b1672 <+1346>: mov edx,DWORD PTR [edi+0x10]
   0xb42b1675 <+1349>: shl esi,cl
   0xb42b1677 <+1351>: lea edx,[esi+edx*1-0x1]
   0xb42b167b <+1355>: mov DWORD PTR [esp+0x54],esi
   0xb42b167f <+1359>: mov esi,DWORD PTR [edi+0x14]
   0xb42b1682 <+1362>: shr edx,cl
   0xb42b1684 <+1364>: mov DWORD PTR [esp+0x38],edx
   0xb42b1688 <+1368>: mov edx,DWORD PTR [esp+0x30]
   0xb42b168c <+1372>: mov DWORD PTR [esp+0x5c],esi
   0xb42b1690 <+1376>: mov esi,DWORD PTR [esp+0x50]
   0xb42b1694 <+1380>: shr edx,cl
   0xb42b1696 <+1382>: add esi,edx
   0xb42b1698 <+1384>: mov edx,DWORD PTR [esp+0x3c]
   0xb42b169c <+1388>: shr edx,cl
   0xb42b169e <+1390>: imul edx,DWORD PTR [esp+0x38]
   0xb42b16a3 <+1395>: add edx,esi
   0xb42b16a5 <+1397>: mov esi,edx
   0xb42b16a7 <+1399>: shl esi,0x3
   0xb42b16aa <+1402>: mov DWORD PTR [esp+0x58],edx
   0xb42b16ae <+1406>: lea edx,[eax+esi*1]
   0xb42b16b1 <+1409>: movzx ecx,BYTE PTR [edx]
   0xb42b16b4 <+1412>: test cl,cl
   0xb42b16b6 <+1414>: mov BYTE PTR [esp+0x24],cl
   0xb42b16ba <+1418>: jne 0xb42b17fe <_ZN9JPXStream16readTilePartDataEjjb+1742>
   0xb42b16c0 <+1424>: mov ecx,DWORD PTR [edx+0x4]
   0xb42b16c3 <+1427>: test ecx,ecx
   0xb42b16c5 <+1429>: mov DWORD PTR [esp+0x4c],ecx
   0xb42b16c9 <+1433>: jne 0xb42b1805 <_ZN9JPXStream16readTilePartDataEjjb+1749>
   0xb42b16cf <+1439>: movzx ecx,BYTE PTR [esp+0x24]
   0xb42b16d4 <+1444>: mov DWORD PTR [edx+0x4],ebp
   0xb42b16d7 <+1447>: test cl,cl
   0xb42b16d9 <+1449>: jne 0xb42b171e <_ZN9JPXStream16readTilePartDataEjjb+1518>
   0xb42b16db <+1451>: mov edx,DWORD PTR [esp+0xa0]
   0xb42b16e2 <+1458>: lea eax,[esp+0x7c]
   0xb42b16e6 <+1462>: mov DWORD PTR [esp+0x8],eax
   0xb42b16ea <+1466>: mov DWORD PTR [esp+0x4],0x1
   0xb42b16f2 <+1474>: mov DWORD PTR [esp],edx
   0xb42b16f5 <+1477>: call 0xb42b0fd0 <_ZN9JPXStream8readBitsEiPj>
   0xb42b16fa <+1482>: test al,al
   0xb42b16fc <+1484>: je 0xb42b15e3 <_ZN9JPXStream16readTilePartDataEjjb+1203>
   0xb42b1702 <+1490>: cmp DWORD PTR [esp+0x7c],0x1
   0xb42b1707 <+1495>: je 0xb42b17eb <_ZN9JPXStream16readTilePartDataEjjb+1723>
   0xb42b170d <+1501>: mov eax,DWORD PTR [edi+0x20]
   0xb42b1710 <+1504>: add ebp,0x1
   0xb42b1713 <+1507>: movzx ecx,BYTE PTR [eax+esi*1]
   0xb42b1717 <+1511>: lea edx,[eax+esi*1]
   0xb42b171a <+1514>: test cl,cl
   0xb42b171c <+1516>: je 0xb42b16db <_ZN9JPXStream16readTilePartDataEjjb+1451>
   0xb42b171e <+1518>: mov ecx,DWORD PTR [esp+0x54]
   0xb42b1722 <+1522>: mov esi,DWORD PTR [esp+0x5c]
   0xb42b1726 <+1526>: mov DWORD PTR [edx+0x4],ebp
   0xb42b1729 <+1529>: lea edx,[ecx+esi*1-0x1]
   0xb42b172d <+1533>: movzx ecx,BYTE PTR [esp+0x2c]
   0xb42b1732 <+1538>: sub DWORD PTR [esp+0x2c],0x1
   0xb42b1737 <+1543>: shr edx,cl
   0xb42b1739 <+1545>: imul edx,DWORD PTR [esp+0x38]
   0xb42b173e <+1550>: add DWORD PTR [esp+0x50],edx
   0xb42b1742 <+1554>: cmp DWORD PTR [esp+0x2c],0xffffffff
   0xb42b1747 <+1559>: jne 0xb42b1668 <_ZN9JPXStream16readTilePartDataEjjb+1336>
   0xb42b174d <+1565>: mov esi,DWORD PTR [esp+0x68]
   0xb42b1751 <+1569>: jmp 0xb42b1573 <_ZN9JPXStream16readTilePartDataEjjb+1091>
   0xb42b1756 <+1574>: xchg ax,ax
   0xb42b1758 <+1576>: cmp DWORD PTR [esp+0x2c],ebp
   0xb42b175c <+1580>: ja 0xb42b17b5 <_ZN9JPXStream16readTilePartDataEjjb+1669>
   0xb42b175e <+1582>: mov edx,DWORD PTR [esp+0xa0]
   0xb42b1765 <+1589>: lea ebp,[esp+0x7c]
   0xb42b1769 <+1593>: mov DWORD PTR [esp+0x8],ebp
   0xb42b176d <+1597>: mov DWORD PTR [esp+0x4],0x1
   0xb42b1775 <+1605>: mov DWORD PTR [esp],edx
   0xb42b1778 <+1608>: call 0xb42b0fd0 <_ZN9JPXStream8readBitsEiPj>
   0xb42b177d <+1613>: test al,al
   0xb42b177f <+1615>: je 0xb42b15e3 <_ZN9JPXStream16readTilePartDataEjjb+1203>
   0xb42b1785 <+1621>: cmp DWORD PTR [esp+0x7c],0x1
   0xb42b178a <+1626>: je 0xb42b17a7 <_ZN9JPXStream16readTilePartDataEjjb+1655>
   0xb42b178c <+1628>: mov eax,DWORD PTR [edi+0x1c]
   0xb42b178f <+1631>: add DWORD PTR [esp+0x2c],0x1
   0xb42b1794 <+1636>: movzx edx,BYTE PTR [eax+esi*1]
   0xb42b1798 <+1640>: mov ecx,DWORD PTR [esp+0x34]
   0xb42b179c <+1644>: mov ebp,DWORD PTR [ecx+0x2c]
   0xb42b179f <+1647>: lea ecx,[eax+esi*1]
   0xb42b17a2 <+1650>: jmp 0xb42b1338 <_ZN9JPXStream16readTilePartDataEjjb+520>
   0xb42b17a7 <+1655>: mov eax,DWORD PTR [edi+0x1c]
   0xb42b17aa <+1658>: mov edx,0x1
   0xb42b17af <+1663>: mov BYTE PTR [eax+esi*1],0x1
   0xb42b17b3 <+1667>: jmp 0xb42b1798 <_ZN9JPXStream16readTilePartDataEjjb+1640>
   0xb42b17b5 <+1669>: mov ebp,DWORD PTR [esp+0x2c]
   0xb42b17b9 <+1673>: mov esi,DWORD PTR [esp+0x4c]
   0xb42b17bd <+1677>: mov DWORD PTR [ecx+0x4],ebp
   0xb42b17c0 <+1680>: mov eax,DWORD PTR [esp+0x38]
   0xb42b17c4 <+1684>: shr eax,0x1f
   0xb42b17c7 <+1687>: test eax,eax
   0xb42b17c9 <+1689>: mov DWORD PTR [esi+0x20],eax
   0xb42b17cc <+1692>: jne 0xb42b163e <_ZN9JPXStream16readTilePartDataEjjb+1294>
   0xb42b17d2 <+1698>: mov edx,DWORD PTR [edi+0x10]
   0xb42b17d5 <+1701>: jmp 0xb42b138a <_ZN9JPXStream16readTilePartDataEjjb+602>
   0xb42b17da <+1706>: mov esi,DWORD PTR [esp+0x5c]
   0xb42b17de <+1710>: mov DWORD PTR [esp+0x2c],esi
   0xb42b17e2 <+1714>: mov esi,DWORD PTR [esp+0x24]
   0xb42b17e6 <+1718>: jmp 0xb42b1338 <_ZN9JPXStream16readTilePartDataEjjb+520>
   0xb42b17eb <+1723>: mov eax,DWORD PTR [edi+0x20]
   0xb42b17ee <+1726>: mov ecx,DWORD PTR [esp+0x58]
   0xb42b17f2 <+1730>: lea edx,[eax+esi*1]
   0xb42b17f5 <+1733>: mov BYTE PTR [eax+ecx*8],0x1
   0xb42b17f9 <+1737>: jmp 0xb42b171e <_ZN9JPXStream16readTilePartDataEjjb+1518>
   0xb42b17fe <+1742>: mov ebp,DWORD PTR [edx+0x4]
   0xb42b1801 <+1745>: mov DWORD PTR [esp+0x4c],ebp
   0xb42b1805 <+1749>: mov ebp,DWORD PTR [esp+0x4c]
   0xb42b1809 <+1753>: movzx ecx,BYTE PTR [esp+0x24]
   0xb42b180e <+1758>: jmp 0xb42b16d7 <_ZN9JPXStream16readTilePartDataEjjb+1447>
   0xb42b1813 <+1763>: mov edx,DWORD PTR [esi+0x24]
   0xb42b1816 <+1766>: mov eax,DWORD PTR [esi+0x14]
   0xb42b1819 <+1769>: shr edx,1
   0xb42b181b <+1771>: je 0xb42b1824 <_ZN9JPXStream16readTilePartDataEjjb+1780>
   0xb42b181d <+1773>: add eax,0x1
   0xb42b1820 <+1776>: shr edx,1
   0xb42b1822 <+1778>: jne 0xb42b181d <_ZN9JPXStream16readTilePartDataEjjb+1773>
   0xb42b1824 <+1780>: mov edx,DWORD PTR [esp+0xa0]
   0xb42b182b <+1787>: add esi,0x28
   0xb42b182e <+1790>: mov DWORD PTR [esp+0x8],esi
   0xb42b1832 <+1794>: mov DWORD PTR [esp+0x4],eax
   0xb42b1836 <+1798>: mov DWORD PTR [esp],edx
   0xb42b1839 <+1801>: call 0xb42b0fd0 <_ZN9JPXStream8readBitsEiPj>
   0xb42b183e <+1806>: test al,al
   0xb42b1840 <+1808>: jne 0xb42b17d2 <_ZN9JPXStream16readTilePartDataEjjb+1698>
   0xb42b1842 <+1810>: jmp 0xb42b15e3 <_ZN9JPXStream16readTilePartDataEjjb+1203>
   0xb42b1847 <+1815>: mov ebp,DWORD PTR [esp+0xa0]
   0xb42b184e <+1822>: lea ecx,[esp+0x7c]
   0xb42b1852 <+1826>: mov DWORD PTR [esp+0x8],ecx
   0xb42b1856 <+1830>: mov DWORD PTR [esp+0x4],0x1
   0xb42b185e <+1838>: mov DWORD PTR [esp],ebp
   0xb42b1861 <+1841>: call 0xb42b0fd0 <_ZN9JPXStream8readBitsEiPj>
   0xb42b1866 <+1846>: test al,al
   0xb42b1868 <+1848>: je 0xb42b15e3 <_ZN9JPXStream16readTilePartDataEjjb+1203>
   0xb42b186e <+1854>: mov ecx,DWORD PTR [esp+0x7c]
   0xb42b1872 <+1858>: test ecx,ecx
   0xb42b1874 <+1860>: jne 0xb42b1882 <_ZN9JPXStream16readTilePartDataEjjb+1874>
   0xb42b1876 <+1862>: mov DWORD PTR [esi+0x24],0x2
   0xb42b187d <+1869>: jmp 0xb42b15c0 <_ZN9JPXStream16readTilePartDataEjjb+1168>
   0xb42b1882 <+1874>: mov edx,DWORD PTR [esp+0xa0]
   0xb42b1889 <+1881>: lea eax,[esp+0x7c]
   0xb42b188d <+1885>: mov DWORD PTR [esp+0x8],eax
   0xb42b1891 <+1889>: mov DWORD PTR [esp+0x4],0x2
   0xb42b1899 <+1897>: mov DWORD PTR [esp],edx
   0xb42b189c <+1900>: call 0xb42b0fd0 <_ZN9JPXStream8readBitsEiPj>
   0xb42b18a1 <+1905>: test al,al
   0xb42b18a3 <+1907>: je 0xb42b15e3 <_ZN9JPXStream16readTilePartDataEjjb+1203>
   0xb42b18a9 <+1913>: mov eax,DWORD PTR [esp+0x7c]
   0xb42b18ad <+1917>: cmp eax,0x2
   0xb42b18b0 <+1920>: ja 0xb42b18d0 <_ZN9JPXStream16readTilePartDataEjjb+1952>
   0xb42b18b2 <+1922>: add eax,0x3
   0xb42b18b5 <+1925>: mov DWORD PTR [esi+0x24],eax
   0xb42b18b8 <+1928>: jmp 0xb42b15c0 <_ZN9JPXStream16readTilePartDataEjjb+1168>
   0xb42b18bd <+1933>: mov eax,0x1
   0xb42b18c2 <+1938>: jmp 0xb42b14cd <_ZN9JPXStream16readTilePartDataEjjb+925>
   0xb42b18c7 <+1943>: mov esi,DWORD PTR [esp+0x4c]
   0xb42b18cb <+1947>: jmp 0xb42b17c0 <_ZN9JPXStream16readTilePartDataEjjb+1680>
   0xb42b18d0 <+1952>: mov ebp,DWORD PTR [esp+0xa0]
   0xb42b18d7 <+1959>: lea ecx,[esp+0x7c]
   0xb42b18db <+1963>: mov DWORD PTR [esp+0x8],ecx
   0xb42b18df <+1967>: mov DWORD PTR [esp+0x4],0x5
   0xb42b18e7 <+1975>: mov DWORD PTR [esp],ebp
   0xb42b18ea <+1978>: call 0xb42b0fd0 <_ZN9JPXStream8readBitsEiPj>
   0xb42b18ef <+1983>: test al,al
   0xb42b18f1 <+1985>: je 0xb42b15e3 <_ZN9JPXStream16readTilePartDataEjjb+1203>
   0xb42b18f7 <+1991>: mov eax,DWORD PTR [esp+0x7c]
   0xb42b18fb <+1995>: cmp eax,0x1e
   0xb42b18fe <+1998>: ja 0xb42b1927 <_ZN9JPXStream16readTilePartDataEjjb+2039>
   0xb42b1900 <+2000>: add eax,0x6
   0xb42b1903 <+2003>: mov DWORD PTR [esi+0x24],eax
   0xb42b1906 <+2006>: jmp 0xb42b15c0 <_ZN9JPXStream16readTilePartDataEjjb+1168>
   0xb42b190b <+2011>: mov ebp,DWORD PTR [esp+0x34]
   0xb42b190f <+2015>: cmp DWORD PTR [ebp+0x0],0x4
   0xb42b1913 <+2019>: ja 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60>
   0xb42b1919 <+2025>: mov eax,DWORD PTR [ebp+0x0]
   0xb42b191c <+2028>: mov eax,DWORD PTR [ebx+eax*4-0x68054]
   0xb42b1923 <+2035>: add eax,ebx
   0xb42b1925 <+2037>: jmp eax
   0xb42b1927 <+2039>: mov edx,DWORD PTR [esp+0xa0]
   0xb42b192e <+2046>: lea eax,[esp+0x7c]
   0xb42b1932 <+2050>: mov DWORD PTR [esp+0x8],eax
   0xb42b1936 <+2054>: mov DWORD PTR [esp+0x4],0x7
   0xb42b193e <+2062>: mov DWORD PTR [esp],edx
   0xb42b1941 <+2065>: call 0xb42b0fd0 <_ZN9JPXStream8readBitsEiPj>
   0xb42b1946 <+2070>: test al,al
   0xb42b1948 <+2072>: je 0xb42b15e3 <_ZN9JPXStream16readTilePartDataEjjb+1203>
   0xb42b194e <+2078>: mov eax,DWORD PTR [esp+0x7c]
   0xb42b1952 <+2082>: add eax,0x25
   0xb42b1955 <+2085>: mov DWORD PTR [esi+0x24],eax
   0xb42b1958 <+2088>: jmp 0xb42b15c0 <_ZN9JPXStream16readTilePartDataEjjb+1168>
   0xb42b195d <+2093>: mov edx,DWORD PTR [esp+0x34]
   0xb42b1961 <+2097>: mov eax,DWORD PTR [edx+0x2c]
   0xb42b1964 <+2100>: add eax,0x1
   0xb42b1967 <+2103>: cmp eax,DWORD PTR [edx+0x4]
   0xb42b196a <+2106>: mov DWORD PTR [edx+0x2c],eax
   0xb42b196d <+2109>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60>
   0xb42b1973 <+2115>: mov eax,DWORD PTR [edx+0x1c]
   0xb42b1976 <+2118>: add ecx,0x1
   0xb42b1979 <+2121>: mov DWORD PTR [edx+0x2c],0x0
   0xb42b1980 <+2128>: mov DWORD PTR [edx+0x24],ecx
   0xb42b1983 <+2131>: add eax,0x1
   0xb42b1986 <+2134>: cmp ecx,eax
   0xb42b1988 <+2136>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60>
   0xb42b198e <+2142>: mov eax,DWORD PTR [edx+0x20]
   0xb42b1991 <+2145>: mov esi,DWORD PTR [esp+0xa0]
   0xb42b1998 <+2152>: mov DWORD PTR [edx+0x24],0x0
   0xb42b199f <+2159>: add eax,0x1
   0xb42b19a2 <+2162>: cmp eax,DWORD PTR [esi+0xa8]
   0xb42b19a8 <+2168>: mov DWORD PTR [edx+0x20],eax
   0xb42b19ab <+2171>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60>
   0xb42b19b1 <+2177>: mov DWORD PTR [edx+0x20],0x0
   0xb42b19b8 <+2184>: jmp 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60>
   0xb42b19bd <+2189>: mov esi,DWORD PTR [esp+0x34]
0xb42b19c1 <+2193>: mov eax,DWORD PTR [esi+0x2c] 0xb42b19c4 <+2196>: add eax,0x1 0xb42b19c7 <+2199>: cmp eax,DWORD PTR [esi+0x4] 0xb42b19ca <+2202>: mov DWORD PTR [esi+0x2c],eax 0xb42b19cd <+2205>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b19d3 <+2211>: mov eax,DWORD PTR [esi+0x20] 0xb42b19d6 <+2214>: mov ebp,DWORD PTR [esp+0xa0] 0xb42b19dd <+2221>: mov DWORD PTR [esi+0x2c],0x0 0xb42b19e4 <+2228>: add eax,0x1 0xb42b19e7 <+2231>: cmp eax,DWORD PTR [ebp+0xa8] 0xb42b19ed <+2237>: mov DWORD PTR [esi+0x20],eax 0xb42b19f0 <+2240>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b19f6 <+2246>: mov eax,DWORD PTR [esi+0x1c] 0xb42b19f9 <+2249>: add ecx,0x1 0xb42b19fc <+2252>: mov DWORD PTR [esi+0x20],0x0 0xb42b1a03 <+2259>: mov DWORD PTR [esi+0x24],ecx 0xb42b1a06 <+2262>: add eax,0x1 0xb42b1a09 <+2265>: cmp ecx,eax 0xb42b1a0b <+2267>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b1a11 <+2273>: mov DWORD PTR [esi+0x24],0x0 0xb42b1a18 <+2280>: jmp 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b1a1d <+2285>: mov ebp,DWORD PTR [esp+0x34] 0xb42b1a21 <+2289>: mov edx,DWORD PTR [esp+0xa0] 0xb42b1a28 <+2296>: mov eax,DWORD PTR [ebp+0x20] 0xb42b1a2b <+2299>: add eax,0x1 0xb42b1a2e <+2302>: cmp eax,DWORD PTR [edx+0xa8] 0xb42b1a34 <+2308>: mov DWORD PTR [ebp+0x20],eax 0xb42b1a37 <+2311>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b1a3d <+2317>: mov eax,DWORD PTR [ebp+0x2c] 0xb42b1a40 <+2320>: mov DWORD PTR [ebp+0x20],0x0 0xb42b1a47 <+2327>: add eax,0x1 0xb42b1a4a <+2330>: cmp eax,DWORD PTR [ebp+0x4] 0xb42b1a4d <+2333>: mov DWORD PTR [ebp+0x2c],eax 0xb42b1a50 <+2336>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b1a56 <+2342>: mov eax,DWORD PTR [ebp+0x1c] 0xb42b1a59 <+2345>: add ecx,0x1 0xb42b1a5c <+2348>: mov DWORD PTR [ebp+0x2c],0x0 0xb42b1a63 <+2355>: mov DWORD PTR [ebp+0x24],ecx 0xb42b1a66 <+2358>: add eax,0x1 0xb42b1a69 <+2361>: cmp ecx,eax 0xb42b1a6b <+2363>: jne 0xb42b116c 
<_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b1a71 <+2369>: mov DWORD PTR [ebp+0x24],0x0 0xb42b1a78 <+2376>: jmp 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b1a7d <+2381>: mov edx,DWORD PTR [esp+0x34] 0xb42b1a81 <+2385>: mov esi,DWORD PTR [esp+0xa0] 0xb42b1a88 <+2392>: mov eax,DWORD PTR [edx+0x20] 0xb42b1a8b <+2395>: add eax,0x1 0xb42b1a8e <+2398>: cmp eax,DWORD PTR [esi+0xa8] 0xb42b1a94 <+2404>: mov DWORD PTR [edx+0x20],eax 0xb42b1a97 <+2407>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b1a9d <+2413>: mov eax,DWORD PTR [edx+0x1c] 0xb42b1aa0 <+2416>: add ecx,0x1 0xb42b1aa3 <+2419>: mov DWORD PTR [edx+0x20],0x0 0xb42b1aaa <+2426>: mov DWORD PTR [edx+0x24],ecx 0xb42b1aad <+2429>: add eax,0x1 0xb42b1ab0 <+2432>: cmp ecx,eax 0xb42b1ab2 <+2434>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b1ab8 <+2440>: mov eax,DWORD PTR [edx+0x2c] 0xb42b1abb <+2443>: mov DWORD PTR [edx+0x24],0x0 0xb42b1ac2 <+2450>: add eax,0x1 0xb42b1ac5 <+2453>: cmp eax,DWORD PTR [edx+0x4] 0xb42b1ac8 <+2456>: mov DWORD PTR [edx+0x2c],eax 0xb42b1acb <+2459>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b1ad1 <+2465>: mov DWORD PTR [edx+0x2c],0x0 0xb42b1ad8 <+2472>: jmp 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b1add <+2477>: mov ebp,DWORD PTR [esp+0x34] 0xb42b1ae1 <+2481>: mov eax,DWORD PTR [ebp+0x2c] 0xb42b1ae4 <+2484>: add eax,0x1 0xb42b1ae7 <+2487>: cmp eax,DWORD PTR [ebp+0x4] 0xb42b1aea <+2490>: mov DWORD PTR [ebp+0x2c],eax 0xb42b1aed <+2493>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b1af3 <+2499>: mov eax,DWORD PTR [ebp+0x1c] 0xb42b1af6 <+2502>: add ecx,0x1 0xb42b1af9 <+2505>: mov DWORD PTR [ebp+0x2c],0x0 0xb42b1b00 <+2512>: mov DWORD PTR [ebp+0x24],ecx 0xb42b1b03 <+2515>: add eax,0x1 0xb42b1b06 <+2518>: cmp ecx,eax 0xb42b1b08 <+2520>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b1b0e <+2526>: mov eax,DWORD PTR [ebp+0x20] 0xb42b1b11 <+2529>: mov edx,DWORD PTR [esp+0xa0] 0xb42b1b18 
<+2536>: mov DWORD PTR [ebp+0x24],0x0 0xb42b1b1f <+2543>: add eax,0x1 0xb42b1b22 <+2546>: cmp eax,DWORD PTR [edx+0xa8] 0xb42b1b28 <+2552>: mov DWORD PTR [ebp+0x20],eax 0xb42b1b2b <+2555>: jne 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> 0xb42b1b31 <+2561>: mov DWORD PTR [ebp+0x20],0x0 0xb42b1b38 <+2568>: jmp 0xb42b116c <_ZN9JPXStream16readTilePartDataEjjb+60> End of assembler dump.

=================BUG_2================= JPXStream::inverseTransform(JPXTileComp*) received SIGSEGV Memory Corruption Vulnerability

d debugging using libthread_db enabled] Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1". [New Thread 0xb6953b40 (LWP 20591)] [New Thread 0xb5fffb40 (LWP 20592)] [New Thread 0xb57feb40 (LWP 20593)] [New Thread 0xb4bc1b40 (LWP 20594)] [Thread 0xb57feb40 (LWP 20593) exited] [New Thread 0xb57feb40 (LWP 20598)] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb57feb40 (LWP 20598)] [----------------------------------registers-----------------------------------] EAX: 0x0 EBX: 0xb43a9ff4 --> 0x1b0ba4 ECX: 0x9d EDX: 0xb3d13814 --> 0x1 ESI: 0xb60ff0d8 --> 0xb6000100 --> 0xb60000f8 --> 0xb60000f0 --> 0xb60000e8 --> 0xb60000e0 --> 0xb60000d8 --> 0xb60000d0 --> 0xb60000c8 --> 0xb60000c0 --> 0xb60000b8 --> 0xb60000b0 --> 0xb60000a8 --> 0xb60000a0 --> 0xb6000098 --> 0xb6000090 --> 0xb6000088 --> 0xb6000080 --> 0xb6000078 --> 0xb6000070 --> 0xb6000068 --> 0xb6000060 --> 0xb6000058 --> 0xb6000050 --> 0xb6000048 --> 0xb6000040 --> 0xb3c99d38 --> 0x5c4200 ('') EDI: 0x34 ('4') EBP: 0xb60fea50 --> 0xb43a72c8 --> 0xb4258390 (<_ZN9JPXStreamD2Ev>: sub esp,0x1c) ESP: 0xb57fd730 --> 0xb60fea50 --> 0xb43a72c8 --> 0xb4258390 (<_ZN9JPXStreamD2Ev>: sub esp,0x1c) EIP: 0xb4259e5a (<_ZN9JPXStream16inverseTransformEP11JPXTileComp+42>: mov eax,DWORD PTR [eax+0x10]) EFLAGS: 0x10292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0xb4259e50
<_ZN9JPXStream16inverseTransformEP11JPXTileComp+32>: mov eax,DWORD PTR [eax+0x54] 0xb4259e53 <_ZN9JPXStream16inverseTransformEP11JPXTileComp+35>: mov DWORD PTR [esp+0x4c],eax 0xb4259e57 <_ZN9JPXStream16inverseTransformEP11JPXTileComp+39>: mov eax,DWORD PTR [eax+0x48] => 0xb4259e5a <_ZN9JPXStream16inverseTransformEP11JPXTileComp+42>: mov eax,DWORD PTR [eax+0x10] 0xb4259e5d <_ZN9JPXStream16inverseTransformEP11JPXTileComp+45>: mov DWORD PTR [esp+0x3c],eax 0xb4259e61 <_ZN9JPXStream16inverseTransformEP11JPXTileComp+49>: mov eax,DWORD PTR [esi+0x28] 0xb4259e64 <_ZN9JPXStream16inverseTransformEP11JPXTileComp+52>: mov edx,eax 0xb4259e66 <_ZN9JPXStream16inverseTransformEP11JPXTileComp+54>: shr edx,0x5 [------------------------------------stack-------------------------------------] 0000| 0xb57fd730 --> 0xb60fea50 --> 0xb43a72c8 --> 0xb4258390 (<_ZN9JPXStreamD2Ev>: sub esp,0x1c) 0004| 0xb57fd734 --> 0xb60c91a8 --> 0x0 0008| 0xb57fd738 --> 0x5 0012| 0xb57fd73c --> 0xb3d4a414 --> 0xf 0016| 0xb57fd740 --> 0x0 0020| 0xb57fd744 --> 0x0 0024| 0xb57fd748 --> 0x78 ('x') 0028| 0xb57fd74c --> 0x9d [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0xb4259e5a in JPXStream::inverseTransform(JPXTileComp*) () from /usr/lib/i386-linux-gnu/libpoppler.so.19 gdb-peda$

=================BUG_3================= JPXStream.cc JPXStream::fillReadBuf() received SIGSEGV Memory Corruption Vulnerability

d 0xb5fffb40 (LWP 20749) exited] [New Thread 0xb5fffb40 (LWP 20750)] [New Thread 0xb57feb40 (LWP 20755)] Error: PDF file is damaged - attempting to reconstruct xref table... Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb57feb40 (LWP 20755)] [----------------------------------registers-----------------------------------] EAX: 0x21d9ead EBX: 0xb3ac5ff4 --> 0x1b0ba4 ECX: 0x0 EDX: 0x0 ESI: 0xb357a778 --> 0xb3ac32c8 --> 0xb3974390 (<_ZN9JPXStreamD2Ev>: sub esp,0x1c) EDI: 0x215bf35c EBP: 0x0 ESP: 0xb57fd85c --> 0x0 EIP: 0xb397457a (<_ZN9JPXStream11fillReadBufEv+186>: add ecx,DWORD PTR [edi+0x30]) EFLAGS: 0x210207 (CARRY PARITY adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0xb397456c <_ZN9JPXStream11fillReadBufEv+172>: add edi,DWORD PTR [esi+0xb4] 0xb3974572 <_ZN9JPXStream11fillReadBufEv+178>: mov DWORD PTR [esp+0xc],edx 0xb3974576 <_ZN9JPXStream11fillReadBufEv+182>: mov edx,DWORD PTR [esp+0x8] => 0xb397457a <_ZN9JPXStream11fillReadBufEv+186>: add ecx,DWORD PTR [edi+0x30] 0xb397457d <_ZN9JPXStream11fillReadBufEv+189>: mov ebp,DWORD PTR [ecx+0xc] 0xb3974580 <_ZN9JPXStream11fillReadBufEv+192>: lea eax,[ebp+edx*1-0x1] 0xb3974584 <_ZN9JPXStream11fillReadBufEv+196>: xor edx,edx 0xb3974586 <_ZN9JPXStream11fillReadBufEv+198>: div ebp [------------------------------------stack-------------------------------------] 0000| 0xb57fd85c --> 0x0 0004| 0xb57fd860 --> 0x0 0008| 0xb57fd864 --> 0x0 0012| 0xb57fd868 --> 0x1b 0016| 0xb57fd86c --> 0x9d 0020| 0xb57fd870 --> 0xb357a778 --> 0xb3ac32c8 --> 0xb3974390 (<_ZN9JPXStreamD2Ev>: sub esp,0x1c) 0024| 0xb57fd874 --> 0x0 0028| 0xb57fd878 --> 0xb357a778 --> 0xb3ac32c8 --> 0xb3974390 (<_ZN9JPXStreamD2Ev>: sub esp,0x1c) [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0xb397457a in JPXStream::fillReadBuf() () from /usr/lib/i386-linux-gnu/libpoppler.so.19 gdb-peda$

=================BUG_4================= JPXStream::readCodestream(unsigned int) received SIGSEGV Memory Corruption Vulnerability

d 0xb2b84b40 (LWP 21042) exited] [Thread 0xb3385b40 (LWP 21040) exited]
[New Thread 0xb3385b40 (LWP 21049)] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb3385b40 (LWP 21049)] [----------------------------------registers-----------------------------------] EAX: 0x0 EBX: 0xb5f3dff4 --> 0x1b0ba4 ECX: 0xb5a82c40 --> 0xb5f3b2c8 --> 0xb5dec390 (<_ZN9JPXStreamD2Ev>: sub esp,0x1c) EDX: 0xb5a82c40 --> 0xb5f3b2c8 --> 0xb5dec390 (<_ZN9JPXStreamD2Ev>: sub esp,0x1c) ESI: 0x52 ('R') EDI: 0xb5a22240 --> 0x7 EBP: 0xb5a82c40 --> 0xb5f3b2c8 --> 0xb5dec390 (<_ZN9JPXStreamD2Ev>: sub esp,0x1c) ESP: 0xb33847b0 --> 0xb5a82c40 --> 0xb5f3b2c8 --> 0xb5dec390 (<_ZN9JPXStreamD2Ev>: sub esp,0x1c) EIP: 0xb5df12e3 (<_ZN9JPXStream14readCodestreamEj+275>: mov eax,DWORD PTR [eax+0x30]) EFLAGS: 0x10283 (CARRY parity adjust zero SIGN trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0xb5df12d8 <_ZN9JPXStream14readCodestreamEj+264>: ret 0xb5df12d9 <_ZN9JPXStream14readCodestreamEj+265>: mov edx,DWORD PTR [esp+0x24] 0xb5df12dd <_ZN9JPXStream14readCodestreamEj+269>: mov eax,DWORD PTR [edx+0xb4] => 0xb5df12e3 <_ZN9JPXStream14readCodestreamEj+275>: mov eax,DWORD PTR [eax+0x30] 0xb5df12e6 <_ZN9JPXStream14readCodestreamEj+278>: mov DWORD PTR [esp],edx 0xb5df12e9 <_ZN9JPXStream14readCodestreamEj+281>: add eax,0x10 0xb5df12ec <_ZN9JPXStream14readCodestreamEj+284>: mov DWORD PTR [esp+0x4],eax 0xb5df12f0 <_ZN9JPXStream14readCodestreamEj+288>: call 0xb5dee4e0 <_ZN9JPXStream9readUByteEPj> [------------------------------------stack-------------------------------------] 0000| 0xb33847b0 --> 0xb5a82c40 --> 0xb5f3b2c8 --> 0xb5dec390 (<_ZN9JPXStreamD2Ev>: sub esp,0x1c) 0004| 0xb33847b4 --> 0xb33847f8 --> 0x52 ('R') 0008| 0xb33847b8 --> 0xb3384804 --> 0xc ('\x0c') 0012| 0xb33847bc --> 0xb5dee6ce (<_ZN9JPXStream9readULongEPj+94>: mov edx,DWORD PTR [esp+0x18]) 0016| 0xb33847c0 --> 0xb5a82b00 --> 0xb5f3cb48 --> 0xb5e745b0 (<_ZN10FileStreamD2Ev>: sub esp,0x1c) 0020| 0xb33847c4 --> 0x7 0024| 
0xb33847c8 --> 0x1 0028| 0xb33847cc --> 0xb5dee8e7 (<_ZN9JPXStream16readColorSpecBoxEj+199>: test al,al) [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0xb5df12e3 in JPXStream::readCodestream(unsigned int) () from /usr/lib/i386-linux-gnu/libpoppler.so.19 gdb-peda$
Created attachment 113183: bug1_testcase
Created attachment 113184: bug2_testcase
Created attachment 113185: bug3_testcase
Created attachment 113186: bug4_testcase
Please try against poppler master and not against something that is ages old and report back.
no complaint here in latest version