Package: libdjvulibre21
Version: 3.5.25.4-4+b1
Usertags: afl

ddjvu crashes on the attached file, which contains an invalid BGjp chunk:

$ ddjvu badjpeg.djvu
Not a JPEG file: starts with 0x6d 0x6f
Segmentation fault


GDB says it's a null pointer dereference:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xf738fb40 (LWP 3895)]
0xf7d9792a in DJVU::DjVuFile::decode_chunk (this=0x80828f0, id=..., gbs=..., djvi=false, djvu=true, iw44=false) at DjVuFile.cpp:1029
1029          get_dpi(bgpm->columns(), bgpm->rows()));
(gdb) print bgpm
$1 = {<DJVU::GPBase> = {ptr = 0x0}, <No data fields>}
(gdb) bt
#0  0xf7d9792a in DJVU::DjVuFile::decode_chunk (this=0x80828f0, id=..., gbs=..., djvi=false, djvu=true, iw44=false) at DjVuFile.cpp:1029
#1  0xf7d9b02e in DJVU::DjVuFile::decode (this=0x80828f0, gbs=...) at DjVuFile.cpp:1264
#2  0xf7d9c8c6 in DJVU::DjVuFile::decode_func (this=0x80828f0) at DjVuFile.cpp:484
#3  0xf7d9dce2 in DJVU::DjVuFile::static_decode_func (cl_data=0x80828f0) at DjVuFile.cpp:464
#4  0xf7bb4985 in DJVU::GThread::start (arg=0x8081668) at GThreads.cpp:416
#5  0xf7aa8efb in start_thread (arg=0xf738fb40) at pthread_create.c:309
#6  0xf780ffbe in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129

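The backtrace shows the pattern behind the crash: the JPEG decode of the BGjp chunk fails (libjpeg reports "Not a JPEG file"), the resulting pixmap pointer is null, and the caller dereferences it anyway. The following is an added example, not DjVuLibre code, that reproduces that shape in plain C and shows the check a decoder needs. The names decode_bgjp, Pixmap, bg_columns_unchecked and bg_columns_checked are hypothetical, and the sample chunk bytes are constructed.

```c
/* Added example (not DjVuLibre code): a fallible JPEG-backed decoder and
 * the unchecked vs. checked caller. All names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    unsigned columns;
    unsigned rows;
} Pixmap;

/* Constructed sample chunk payloads. BAD_BGJP begins with the bytes 'm','o'
 * (0x6d 0x6f), as in the libjpeg message quoted in the report; GOOD_BGJP
 * begins with the JPEG SOI marker 0xFF 0xD8. */
static const uint8_t BAD_BGJP[]  = { 0x6d, 0x6f, 0x6f, 0x00 };
static const uint8_t GOOD_BGJP[] = { 0xFF, 0xD8, 0xFF, 0xE0 };

/* Stand-in for the JPEG decode behind a BGjp chunk. Like libjpeg, it rejects
 * data that does not start with the SOI marker; on failure it returns NULL,
 * which is the state the debugger showed for bgpm (ptr = 0x0). */
static Pixmap *decode_bgjp(const uint8_t *data, size_t len)
{
    if (len < 2 || data[0] != 0xFF || data[1] != 0xD8) {
        if (len >= 2)
            fprintf(stderr, "Not a JPEG file: starts with 0x%02x 0x%02x\n",
                    data[0], data[1]);
        return NULL;
    }
    Pixmap *pm = malloc(sizeof *pm);
    if (pm == NULL)
        return NULL;
    /* Constructed dimensions; a real decoder reads them from the JPEG header. */
    pm->columns = 640;
    pm->rows = 480;
    return pm;
}

/* Mirrors the crashing line: the pixmap is used without checking whether
 * the decode succeeded. On BAD_BGJP this dereferences NULL. */
static int bg_columns_unchecked(const uint8_t *data, size_t len)
{
    Pixmap *bgpm = decode_bgjp(data, len);
    int columns = (int)bgpm->columns;   /* SIGSEGV when bgpm == NULL */
    free(bgpm);
    return columns;
}

/* Hardened form: a failed decode means the chunk is malformed, so report it
 * and return -1 instead of touching the null pointer. */
static int bg_columns_checked(const uint8_t *data, size_t len)
{
    Pixmap *bgpm = decode_bgjp(data, len);
    if (bgpm == NULL) {
        fprintf(stderr, "BGjp chunk: image decode failed, rejecting chunk\n");
        return -1;
    }
    int columns = (int)bgpm->columns;
    free(bgpm);
    return columns;
}

int main(void)
{
    /* Only the checked path is exercised here; bg_columns_unchecked on
     * BAD_BGJP would reproduce the segmentation fault. */
    printf("bad chunk  -> %d\n", bg_columns_checked(BAD_BGJP, sizeof BAD_BGJP));
    printf("good chunk -> %d\n", bg_columns_checked(GOOD_BGJP, sizeof GOOD_BGJP));
    return 0;
}
```

The fix the report points at is the second form: every decoder call that can fail on attacker-controlled input must have its result checked before the object is used, and a fuzzer such as afl finds the unchecked ones quickly because a two-byte corruption of the chunk header is enough to trigger them.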

This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libdjvulibre21 depends on:
ii  libc6              2.19-14
ii  libdjvulibre-text  3.5.26-1
ii  libgcc1            1:4.9.2-10
ii  libjpeg62-turbo    1:1.3.1-11
ii  libstdc++6         4.9.2-10
ii  multiarch-support  2.19-14

--
Jakub Wilk
