Package: libdjvulibre21
Version: 3.5.27.1-7

DjVuLibre crashes while trying to decode the attached file:

  $ ddjvu null-deref.djvu
  Segmentation fault

GDB says it's a null pointer dereference:

  Thread 3 "ddjvu" received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0xf75c2b40 (LWP 9235)]
  0xf7f2e906 in DJVU::filter_bv (scale=16, rowsize=12352, h=1, w=12336, p=0x0) at IW44Image.cpp:309
  309                       *q -= (((a<<3)+a-b+16)>>5);
  (gdb) print q
  $1 = (short *) 0x0
  (gdb) bt
  #0  0xf7f2e906 in DJVU::filter_bv (scale=16, rowsize=12352, h=1, w=12336, p=0x0) at IW44Image.cpp:309
  #1  DJVU::IW44Image::Transform::Decode::backward (p=p@entry=0x0, w=12336, h=0, rowsize=12352, begin=begin@entry=32, end=end@entry=1) at IW44Image.cpp:1883
  #2  0xf7f2ef66 in DJVU::IW44Image::Map::image (this=<optimized out>, img8=<optimized out>, img8@entry=0x0, rowsize=<optimized out>, rowsize@entry=37008, pixsep=<optimized out>, pixsep@entry=3, fast=<optimized out>, fast@entry=0) at IW44Image.cpp:714
  #3  0xf7f30353 in DJVU::IWPixmap::get_pixmap (this=0xf6c00b90) at IW44Image.cpp:1656
  #4  0xf7ea721e in DJVU::DjVuFile::decode_chunk (this=this@entry=0x565d05c0, id=..., gbs=..., djvi=false, djvu=true, iw44=false) at DjVuFile.cpp:984
  #5  0xf7ea951d in DJVU::DjVuFile::decode (this=<optimized out>, this@entry=0x565d05c0, gbs=...) at DjVuFile.cpp:1255
  #6  0xf7ea9cf8 in DJVU::DjVuFile::decode_func (this=this@entry=0x565d05c0) at DjVuFile.cpp:484
  #7  0xf7eaa57e in DJVU::DjVuFile::static_decode_func (cl_data=0x565d05c0) at DjVuFile.cpp:464
  #8  0xf7f0ff7d in DJVU::GThread::start (arg=0x565c91f8) at GThreads.cpp:392
  #9  0xf7d7327a in start_thread (arg=0xf75c2b40) at pthread_create.c:333
  #10 0xf7aafad6 in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:110

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/


-- System Information:
Architecture: i386 (x86_64)

Versions of packages libdjvulibre21 depends on:
ii  libc6              2.24-12
ii  libdjvulibre-text  3.5.27.1-7
ii  libgcc1            1:7.1.0-10
ii  libjpeg62-turbo    1:1.5.1-2
ii  libstdc++6         7.1.0-10

--
Jakub Wilk

Attachment: null-deref.djvu.gz
Description: application/gzip