
Security: Use-of-uninitialized-value in CJBig2_SDDProc::decode_Huffman #129

Open
GoogleCodeExporter opened this issue Apr 10, 2015 · 1 comment

Comments

@GoogleCodeExporter

VULNERABILITY DETAILS
Field "CJBig2_SDDProc::SDNUMEXSYMS" of class "CJBig2_SDDProc" is potentially 
used when uninitialized. The attached bug report from Clang SA points to the 
undefined access. Full stack trace is:

CJBig2_SDDProc::decode_Huffman(CJBig2_BitStream *, JBig2ArithCtx *, 
JBig2ArithCtx *, IFX_Pause*)
CJBig2_Context::parseSymbolDict(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::ProcessiveParseSegmentData(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::parseSegmentData(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::decode_SquentialOrgnazation(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::decode_EmbedOrgnazation(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::decodeFile(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::decode_RandomOrgnazation(IFX_Pause*)
CJBig2_Context::decode_RandomOrgnazation_FirstPage(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::decodeFile(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CJBig2_Context::getFirstPage(unsigned char*, int, int, int, IFX_Pause*)
CJBig2_Context::getFirstPage(CJBig2_Image**, IFX_Pause*)


VERSION
Pdfium Version: Warning flagged on commit `b7cb36a` "Merge to XFA.."
Operating System: NA
Label: Cr-Internals-Plugins-PDF

FIX
Initialize SDNUMEXSYMS in constructor of CJBig2_SDDProc.

REPRODUCTION CASE
Found via static analysis. So, no dynamic stack trace available.

Original issue reported on code.google.com by [email protected] on 3 Mar 2015 at 9:35

Attachments:
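The defect class in this report is a member (SDNUMEXSYMS) read inside a decode routine before anything has assigned it, and the proposed fix is to give it a defined value in the constructor. The following is an added example, not pdfium code: a minimal stand-in for that pattern with the fix applied, plus a hypothetical decode step that validates the count before using it to size a table. SymbolDictProc, DecodeResult, decodeExports and the two helper functions are hypothetical names; the check that exports cannot exceed input plus new symbols is the example's own sanity check. In practice, Clang Static Analyzer (as here) or MemorySanitizer at runtime is what flags this class of bug.

```cpp
// Added example (not pdfium code): the uninitialized-member pattern from the
// report, with the proposed fix of initializing every member in the constructor.
#include <cstddef>
#include <cstdint>
#include <vector>

// Fixed form: every member has a defined value from construction on, so a
// decode path that reads SDNUMEXSYMS before the parser assigned it sees 0
// rather than whatever bytes happened to be at that address.
struct SymbolDictProc {
    uint32_t SDNUMINSYMS;
    uint32_t SDNUMNEWSYMS;
    uint32_t SDNUMEXSYMS;
    SymbolDictProc() : SDNUMINSYMS(0), SDNUMNEWSYMS(0), SDNUMEXSYMS(0) {}
};

// Result of the hypothetical decode step: a sized export table or a rejection.
// Carrying an explicit status keeps a bogus count from silently sizing memory.
struct DecodeResult {
    bool ok;
    std::vector<uint32_t> exported;   // one slot per exported symbol
};

// Hypothetical decode step standing in for decode_Huffman's use of SDNUMEXSYMS.
// It only trusts the count after checking it against the symbols that actually
// exist (input + new). This is the example's own check, not a pdfium check.
DecodeResult decodeExports(const SymbolDictProc& proc) {
    DecodeResult r{false, {}};
    uint64_t available = uint64_t(proc.SDNUMINSYMS) + proc.SDNUMNEWSYMS;
    if (proc.SDNUMEXSYMS > available) {
        return r;   // reject: more exports claimed than symbols available
    }
    r.exported.resize(proc.SDNUMEXSYMS, 0u);
    r.ok = true;
    return r;
}

// Default-constructed object: with the fix, SDNUMEXSYMS is 0, so the decode
// step sizes an empty table instead of reading an indeterminate value.
size_t exportsFromFreshObject() {
    SymbolDictProc proc;
    DecodeResult r = decodeExports(proc);
    return r.ok ? r.exported.size() : size_t(-1);
}

// Object populated the way a parser would from a (constructed) header.
// Returns the export table size, or size_t(-1) if the header was rejected.
size_t exportsFromHeader(uint32_t in, uint32_t newSyms, uint32_t ex) {
    SymbolDictProc proc;
    proc.SDNUMINSYMS = in;
    proc.SDNUMNEWSYMS = newSyms;
    proc.SDNUMEXSYMS = ex;
    DecodeResult r = decodeExports(proc);
    return r.ok ? r.exported.size() : size_t(-1);
}
```

The constructor fix removes the undefined read; the range check in decodeExports is the second layer, so that even a correctly initialized but attacker-controlled count cannot size an allocation larger than the symbols that exist.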

@GoogleCodeExporter
Author

Update: Figured out that the global stack in the report was buggy. Here is the correct call 
stack leading to the bug. The concerned lib is libfxcodec.

CJBig2_SDDProc::decode_Huffman(CJBig2_BitStream*, JBig2ArithCtx*, 
JBig2ArithCtx*, IFX_Pause*)
CJBig2_Context::parseSymbolDict(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::ProcessiveParseSegmentData(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::parseSegmentData(CJBig2_Segment*, IFX_Pause*)
CJBig2_Context::decode_SquentialOrgnazation(IFX_Pause*)
CJBig2_Context::decodeFile(IFX_Pause*)
CJBig2_Context::Continue(IFX_Pause*)
CCodec_Jbig2Module::ContinueDecode(void*, IFX_Pause*)

Original comment by [email protected] on 6 Mar 2015 at 12:36
