Hi,

Among 16 pdftoppm crashes that I could reproduce, 10 crashes occur in libopenjpeg. The first invocation of a libopenjpeg function made pdftoppm crash, so pdftoppm cannot withstand such a crash by checking errors returned from libopenjpeg.
SIGSEGV.PC.0x29b.CODE.1.ADDR.0x29b.INSTR.[NOT_MMAPED].pdf
SIGSEGV.PC.0x7ffff6ac3a04.CODE.1.ADDR.0x100643ad5.INSTR.cmp_word_[rcx],_0x0.pdf
SIGSEGV.PC.0x7ffff7a6872c.CODE.1.ADDR.0x37006cc7f1.INSTR.mov_rax,_[rdi].pdf
SIGSEGV.PC.0x7ffff7a69c00.CODE.1.ADDR.0x13fb684a78.INSTR.mov_rbx,_[rax+0x48].pdf
SIGSEGV.PC.0x7ffff7a69cac.CODE.1.ADDR.0x1006ae195.INSTR.mov_eax,_[rbx].pdf
SIGSEGV.PC.0x7ffff7a69f4c.CODE.1.ADDR.0x1006adff7.INSTR.mov_dword_[rsi+rdx*8+0x20],_0x0.pdf
SIGSEGV.PC.0x7ffff7a6bcdf.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf
SIGSEGV.PC.0x7ffff7a6bfa0.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf
SIGSEGV.PC.0x7ffff7ad2f07.CODE.1.ADDR.0x100a1aae5.INSTR.mov_rax,_[rdi].pdf
SIGSEGV.PC.0x7ffff7ad2f41.CODE.1.ADDR.0x1b000800a1.INSTR.mov_eax,_[rdi+0x20].pdf

For details, please check my valgrind log files at:
http://home.hiroshima-u.ac.jp/~mpsuzuki/test-def_mps20101022b.tar.rz
or
http://home.hiroshima-u.ac.jp/~mpsuzuki/test-debug_mps20101023a.tar.rz

Checking the source of libopenjpeg, I found that some broken JPEG2000 files can cause an invalid pointer dereference issue. The following patch for libopenjpeg-1.3 can fix it. I will try to contact the libopenjpeg developers.

Regards,
mpsuzuki

diff -Burb openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c openjpeg-1.3+dfsg.mps/libopenjpeg/j2k.c --- openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c 2008-03-10 17:50:35.000000000 +0900 +++ openjpeg-1.3+dfsg.mps/libopenjpeg/j2k.c 2010-10-23 02:14:03.637256788 +0900 @@ -1807,8 +1807,13 @@ if (cstr_info) memset(cstr_info, 0, sizeof(opj_codestream_info_t)); - /* create an empty image */ + /* create an empty image: opj_image_create0() initializes nothing, */ + /* clear comps is essential to free this image safely */ image = opj_image_create0(); + if (!image) + return NULL; + image->comps = 0; + j2k->image = image; j2k->state = J2K_STATE_MHSOC; 
@@ -1910,8 +1915,13 @@ j2k->cio = cio; - /* create an empty image */ + /* create an empty image: opj_image_create0() initializes nothing, */ + /* clear comps is essential to free this image safely */ image = opj_image_create0(); + if (!image) + return NULL; + image->comps = 0; + j2k->image = image; j2k->state = J2K_STATE_MHSOC; diff -Burb openjpeg-1.3+dfsg.orig/libopenjpeg/jp2.c openjpeg-1.3+dfsg.mps/libopenjpeg/jp2.c --- openjpeg-1.3+dfsg.orig/libopenjpeg/jp2.c 2008-03-10 17:50:35.000000000 +0900 +++ openjpeg-1.3+dfsg.mps/libopenjpeg/jp2.c 2010-10-23 01:49:19.830002886 +0900 @@ -561,6 +561,7 @@ image = j2k_decode(jp2->j2k, cio, cstr_info); if(!image) { opj_event_msg(cinfo, EVT_ERROR, "Failed to decode J2K image\n"); + return NULL; } /* Set Image Color Space */
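Review bot: in the j2k.c hunk at @@ -1807,8 +1807,13 @@, `image->comps = 0;` assigns an integer literal to a pointer field; write `image->comps = NULL;` so the intent (clearing the pointer so the half-built image can be destroyed safely) is obvious to the next reader. The new comment states that opj_image_create0() initializes nothing, which means every other field of the freshly allocated struct is also uninitialized heap memory; clearing only comps is the minimum needed for a safe free, so consider zeroing the whole structure (memset after allocation, or calloc inside opj_image_create0()) rather than one field.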
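Review bot: the hunk at @@ -1910,8 +1915,13 @@ duplicates the previous one line for line (same two comment lines, same NULL check, same `image->comps = 0;`). Two identical copies of a fix in the same file tend to drift apart; put the initialization inside opj_image_create0() itself, or in one small helper that both call sites use, so the empty-image setup has a single definition.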
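Review bot: the added `return NULL;` in the jp2.c hunk at @@ -561,6 +561,7 @@ is the right fix: before the change the function only logged the error and then fell through past `}` into the "Set Image Color Space" code with a NULL image. Two things to confirm before merging: that nothing allocated earlier in this function needs releasing before the early return (the visible context shows only the arguments passed to j2k_decode(), not local allocations), and that every caller of this decode function already handles a NULL result, since this path previously never produced one.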
