Attachment 194334 Details for Bug 272314 – A proposed patch to fix the NULL-pointer dereferencing.

[patch] A proposed patch to fix the NULL-pointer dereferencing.

ghostscript-8.64.jbig2fix.patch (text/plain), 6.61 KB, created by Mansour Moufid on 2009-06-12 01:21:11 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Mansour Moufid

Created: 2009-06-12 01:21:11 UTC

Size: 6.61 KB

patch

obsolete

>diff -Nurp ghostscript-8.64/jbig2dec/jbig2_generic.c ghostscript-8.64.new/jbig2dec/jbig2_generic.c
>--- ghostscript-8.64/jbig2dec/jbig2_generic.c	2007-10-25 18:14:22.000000000 -0400
>+++ ghostscript-8.64.new/jbig2dec/jbig2_generic.c	2009-06-11 21:01:53.529809021 -0400
>@@ -599,6 +599,9 @@ jbig2_immediate_generic_region(Jbig2Ctx 
>   memcpy (params.gbat, gbat, gbat_bytes);
> 
>   image = jbig2_image_new(ctx, rsi.width, rsi.height);
>+  if (image == NULL)
>+    return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
>+             "invalid image");
>   jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number,
>     "allocated %d x %d image buffer for region decode results",
>         rsi.width, rsi.height);
>diff -Nurp ghostscript-8.64/jbig2dec/jbig2.h ghostscript-8.64.new/jbig2dec/jbig2.h
>--- ghostscript-8.64/jbig2dec/jbig2.h	2007-06-05 18:23:38.000000000 -0400
>+++ ghostscript-8.64.new/jbig2dec/jbig2.h	2009-06-11 21:01:53.429837021 -0400
>@@ -59,7 +59,7 @@ struct _Jbig2Image {
> 	int		refcount;
> };
> 
>-Jbig2Image*     jbig2_image_new(Jbig2Ctx *ctx, int width, int height);
>+Jbig2Image*     jbig2_image_new(Jbig2Ctx *ctx, unsigned long width, unsigned long height);
> Jbig2Image*	jbig2_image_clone(Jbig2Ctx *ctx, Jbig2Image *image);
> void		jbig2_image_release(Jbig2Ctx *ctx, Jbig2Image *image);
> void            jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image);
>diff -Nurp ghostscript-8.64/jbig2dec/jbig2_image.c ghostscript-8.64.new/jbig2dec/jbig2_image.c
>--- ghostscript-8.64/jbig2dec/jbig2_image.c	2007-06-05 18:23:38.000000000 -0400
>+++ ghostscript-8.64.new/jbig2dec/jbig2_image.c	2009-06-11 21:01:53.577840934 -0400
>@@ -24,6 +24,7 @@
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h> /* memcpy() */
>+#include <limits.h> /* INT_MAX */
> 
> #include "jbig2.h"
> #include "jbig2_priv.h"
>@@ -31,10 +32,17 @@
> 
> 
> /* allocate a Jbig2Image structure and its associated bitmap */
>-Jbig2Image* jbig2_image_new(Jbig2Ctx *ctx, int width, int height)
>+Jbig2Image* jbig2_image_new(Jbig2Ctx *ctx, unsigned long width, unsigned long height)
> {
> 	Jbig2Image	*image;
>-	int		stride;
>+	unsigned long	stride;
>+	
>+	if (width == 0 || height == 0 || width > INT_MAX || height > INT_MAX) {
>+		jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
>+		    "invalid image dimensions! [%lux%lu]\n", width, height);
>+		jbig2_free(ctx->allocator, image);
>+		return NULL;
>+	}
> 	
> 	image = (Jbig2Image *)jbig2_alloc(ctx->allocator, sizeof(*image));
> 	if (image == NULL) {
>@@ -47,14 +55,14 @@ Jbig2Image* jbig2_image_new(Jbig2Ctx *ct
> 	image->data = (uint8_t *)jbig2_alloc(ctx->allocator, stride*height);
> 	if (image->data == NULL) {
>                 jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
>-                    "could not allocate image data buffer! [%d bytes]\n", stride*height);
>+                    "could not allocate image data buffer! [%lu bytes]\n", stride*height);
> 		jbig2_free(ctx->allocator, image);
> 		return NULL;
> 	}
> 
>-	image->width = width;
>-	image->height = height;
>-	image->stride = stride;
>+	image->width = (int) width;
>+	image->height = (int) height;
>+	image->stride = (int) stride;
> 	image->refcount = 1;
> 
> 	return image;
>diff -Nurp ghostscript-8.64/jbig2dec/jbig2_refinement.c ghostscript-8.64.new/jbig2dec/jbig2_refinement.c
>--- ghostscript-8.64/jbig2dec/jbig2_refinement.c	2007-10-25 18:14:22.000000000 -0400
>+++ ghostscript-8.64.new/jbig2dec/jbig2_refinement.c	2009-06-11 21:01:53.689835967 -0400
>@@ -407,7 +407,7 @@ jbig2_refinement_region(Jbig2Ctx *ctx, J
>     image = jbig2_image_new(ctx, rsi.width, rsi.height);
>     if (image == NULL)
>       return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
>-               "unable to allocate image storage");
>+                         "unable to allocate image storage");
>     jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number,
>       "allocated %d x %d image buffer for region decode results",
>           rsi.width, rsi.height);
>diff -Nurp ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c ghostscript-8.64.new/jbig2dec/jbig2_symbol_dict.c
>--- ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c	2007-12-11 03:29:58.000000000 -0500
>+++ ghostscript-8.64.new/jbig2dec/jbig2_symbol_dict.c	2009-06-11 21:01:53.710811788 -0400
>@@ -370,6 +370,12 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
> 		  memcpy(region_params.gbat, params->sdat, sdat_bytes);
> 
> 		  image = jbig2_image_new(ctx, SYMWIDTH, HCHEIGHT);
>+		  if (image == NULL) {
>+		      jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
>+		                  "unable to allocate image storage");
>+		      /* todo: memory cleanup */
>+		      return NULL;
>+		  }
> 
> 		  code = jbig2_decode_generic_region(ctx, segment, &region_params,
> 						     as, image, GB_stats);
>@@ -520,6 +526,12 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
> 			ID, RDX, RDY);
> 
> 		      image = jbig2_image_new(ctx, SYMWIDTH, HCHEIGHT);
>+		      if (image == NULL) {
>+			  code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
>+			   "Out of memory creating symbol image");
>+		          /* todo: memory cleanup */
>+		          return NULL;
>+		      }
> 
> 		      /* Table 18 */
> 		      rparams.GRTEMPLATE = params->SDRTEMPLATE;
>@@ -638,6 +650,13 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
> 	for (j = HCFIRSTSYM; j < NSYMSDECODED; j++) {
> 	  Jbig2Image *glyph;
> 	  glyph = jbig2_image_new(ctx, SDNEWSYMWIDTHS[j], HCHEIGHT);
>+	  if (glyph == NULL) {
>+	    jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
>+	                     "unable to allocate image storage");
>+	    /* todo: memory cleanup */
>+	    return NULL;
>+	  }
>+
> 	  jbig2_image_compose(ctx, glyph, image, 
> 		-x, 0, JBIG2_COMPOSE_REPLACE);
> 	  x += SDNEWSYMWIDTHS[j];
>diff -Nurp ghostscript-8.64/jbig2dec/jbig2_text.c ghostscript-8.64.new/jbig2dec/jbig2_text.c
>--- ghostscript-8.64/jbig2dec/jbig2_text.c	2008-05-09 10:00:44.000000000 -0400
>+++ ghostscript-8.64.new/jbig2dec/jbig2_text.c	2009-06-11 21:01:53.729836629 -0400
>@@ -315,6 +315,12 @@ jbig2_decode_text_region(Jbig2Ctx *ctx, 
> 		IBO = IB;
> 		image = jbig2_image_new(ctx, IBO->width + RDW,
> 					     IBO->height + RDH);
>+		if (image == NULL) {
>+		  jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
>+		              "unable to allocate image storage");
>+		  /* todo: memory cleanup */
>+		  return -1;
>+		}
> 
> 		/* Table 12 */
> 		rparams.GRTEMPLATE = params->SBRTEMPLATE;
>@@ -676,6 +682,12 @@ jbig2_parse_text_region(Jbig2Ctx *ctx, J
>     }
> 
>     image = jbig2_image_new(ctx, region_info.width, region_info.height);
>+    if (image == NULL) {
>+        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
>+                    "unable to allocate image storage");
>+        /* todo: memory cleanup */
>+        return -1;
>+    }
> 
>     ws = jbig2_word_stream_buf_new(ctx, segment_data + offset, segment->data_length - offset);
>     if (!params.SBHUFF) {

Actions: View | Diff

Attachments on bug 272314: 194334 | 212839