Issue 24134 in oss-fuzz: Heap-buffer-overflow in rasteropGeneralLow()

* From dewarp_fuzzer. Check intermediate images; simplify pixFillMapHoles(). This may have fixed the issue.
DanBloomberg · Jul 15, 2020 · c0fb788 · c0fb788
1 parent 9075f41
commit c0fb788
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 24 deletions.
diff --git a/prog/adaptmap_reg.c b/prog/adaptmap_reg.c
@@ -57,7 +57,7 @@ int main(int    argc,
 l_int32       w, h;
 PIX          *pixs, *pixg, *pixim, *pixgm, *pixmi, *pix1, *pix2;
 PIX          *pixmr, *pixmg, *pixmb, *pixmri, *pixmgi, *pixmbi;
-PIXA         *pixa, *pixa2;
+PIXA         *pixa;
 L_REGPARAMS  *rp;
 
     if (regTestSetup(argc, argv, &rp))
@@ -159,33 +159,49 @@ L_REGPARAMS  *rp;
     pixaAddPix(pixa, pix2, L_INSERT);
     pixDestroy(&pixim);
 
+        /* Display results */
+    pix1 = pixaDisplayTiledAndScaled(pixa, 32, 400, 4, 0, 20, 2);
+    pixWrite("/tmp/lept/adapt/results.jpg", pix1, IFF_JFIF_JPEG);
+    pixDisplayWithTitle(pix1, 50, 0, NULL, rp->display);
+    pixDestroy(&pix1);
+    pixaDestroy(&pixa);
+
         /* Check pixFillMapHoles() */
-    pixa2 = pixaCreate(3);
+    pixa = pixaCreate(3);
     pix1 = pixRead("weasel8.png");  /* use this as the map */
     pixGammaTRC(pix1, pix1, 1.0, 0, 270);  /* darken white pixels */
-    pixaAddPix(pixa2, pix1, L_COPY);
+    pixaAddPix(pixa, pix1, L_COPY);
     pixGetDimensions(pix1, &w, &h, NULL);
     pixRasterop(pix1, 0, 0, 5, h, PIX_SET, NULL, 0, 0);  /* add white holes */
     pixRasterop(pix1, 20, 0, 2, h, PIX_SET, NULL, 0, 0);
     pixRasterop(pix1, 40, 0, 3, h, PIX_SET, NULL, 0, 0);
     pixRasterop(pix1, 0, 0, w, 3, PIX_SET, NULL, 0, 0);
     pixRasterop(pix1, 0, 15, w, 3, PIX_SET, NULL, 0, 0);
     pixRasterop(pix1, 0, 35, w, 2, PIX_SET, NULL, 0, 0);
-    pixaAddPix(pixa2, pix1, L_COPY);
+    pixaAddPix(pixa, pix1, L_COPY);
     pixFillMapHoles(pix1, w, h, L_FILL_WHITE);
-    pixaAddPix(pixa2, pix1, L_INSERT);
-    pix2 = pixaDisplayTiledInColumns(pixa2, 3, 1.0, 20, 1);
+    pixaAddPix(pixa, pix1, L_INSERT);
+    pix2 = pixaDisplayTiledInColumns(pixa, 3, 1.0, 20, 1);
     regTestWritePixAndCheck(rp, pix2, IFF_PNG);  /* 14 */
     pixDisplayWithTitle(pix2, 50, 850, NULL, rp->display);
-    pixaDestroy(&pixa2);
+    pixaDestroy(&pixa);
     pixDestroy(&pix2);
 
-        /* Display results */
-    pix1 = pixaDisplayTiledAndScaled(pixa, 32, 400, 4, 0, 20, 2);
-    pixWrite("/tmp/lept/adapt/results.jpg", pix1, IFF_JFIF_JPEG);
-    pixDisplayWithTitle(pix1, 50, 0, NULL, rp->display);
+        /* An even simpler check of pixFillMapHoles() */
+    pixa = pixaCreate(2);
+    pix1 = pixCreate(3, 3, 8);
+    pixSetPixel(pix1, 1, 0, 128);
+    pix2 = pixExpandReplicate(pix1, 25);
+    pixaAddPix(pixa, pix2, L_INSERT);
+    pixFillMapHoles(pix1, 3, 3, L_FILL_BLACK);
+    pix2 = pixExpandReplicate(pix1, 25);
+    pixaAddPix(pixa, pix2, L_INSERT);
     pixDestroy(&pix1);
+    pix1 = pixaDisplayTiledInColumns(pixa, 2, 1.0, 20, 0);
+    regTestWritePixAndCheck(rp, pix1, IFF_PNG);  /* 15 */
+    pixDisplayWithTitle(pix1, 50, 1000, NULL, rp->display);
     pixaDestroy(&pixa);
+    pixDestroy(&pix1);
 
     return regTestCleanup(rp);
 }

diff --git a/src/adaptmap.c b/src/adaptmap.c
@@ -906,6 +906,8 @@ PIX       *pixd, *piximi, *pixb, *pixf, *pixims;
     pixb = pixThresholdToBinary(pixs, thresh);
     pixf = pixMorphSequence(pixb, "d7.1 + d1.7", 0);
     pixDestroy(&pixb);
+    if (!pixf)
+        return ERROR_INT("pixf not made", procName, 1);
 
 
     /* ------------- Set up the output map pixd --------------- */
@@ -1542,10 +1544,7 @@ NUMA     *na;  /* indicates if there is any data in the column */
         }
     }
     if (w > nx) {  /* replicate the last column */
-        for (i = 0; i < h; i++) {
-            pixGetPixel(pix, w - 2, i, &val);
-            pixSetPixel(pix, w - 1, i, val);
-        }
+        pixRasterop(pix, w - 1, 0, 1, h, PIX_SRC, pix, w - 2, 0);
     }
 
     numaDestroy(&na);

diff --git a/src/dewarp4.c b/src/dewarp4.c
@@ -173,7 +173,7 @@ dewarpSinglePageInit(PIX         *pixs,
                      PIX        **ppixb,
                      L_DEWARPA  **pdewa)
 {
-PIX  *pix1;
+PIX  *pix1, *pix2;
 
     PROCNAME("dewarpSinglePageInit");
 
@@ -184,21 +184,25 @@ PIX  *pix1;
     if (!pixs)
         return ERROR_INT("pixs not defined", procName, 1);
 
-    *pdewa = dewarpaCreate(1, 0, 1, 0, -1);
-    dewarpaUseBothArrays(*pdewa, useboth);
-    dewarpaSetCheckColumns(*pdewa, check_columns);
-
          /* Generate a binary image, if necessary */
     if (pixGetDepth(pixs) > 1) {
-        pix1 = pixConvertTo8(pixs, 0);
+        if ((pix1 = pixConvertTo8(pixs, 0)) == NULL)
+            return ERROR_INT("pix1 not made", procName, 1);
         if (adaptive)
-            *ppixb = pixAdaptThresholdToBinary(pix1, NULL, 1.0);
+            pix2 = pixAdaptThresholdToBinary(pix1, NULL, 1.0);
         else
-            *ppixb = pixThresholdToBinary(pix1, thresh);
+            pix2 = pixThresholdToBinary(pix1, thresh);
         pixDestroy(&pix1);
+        if (!pix2)
+            return ERROR_INT("pix2 not made", procName, 1);
+        *ppixb = pix2;
     } else {
         *ppixb = pixClone(pixs);
     }
+
+    *pdewa = dewarpaCreate(1, 0, 1, 0, -1);
+    dewarpaUseBothArrays(*pdewa, useboth);
+    dewarpaSetCheckColumns(*pdewa, check_columns);
     return 0;
 }
 

diff --git a/src/grayquant.c b/src/grayquant.c
@@ -781,7 +781,8 @@ PIX  *pix1, *pixd;
     if (!pixs || pixGetDepth(pixs) != 8)
         return (PIX *)ERROR_PTR("pixs undefined or not 8 bpp", procName, NULL);
 
-    pix1 = pixBackgroundNormSimple(pixs, pixm, NULL);
+    if ((pix1 = pixBackgroundNormSimple(pixs, pixm, NULL)) == NULL)
+        return (PIX *)ERROR_PTR("pix1 not made", procName, NULL);
     pixGammaTRC(pix1, pix1, gamma, blackval, whiteval);
     pixd = pixThresholdToBinary(pix1, thresh);
     pixDestroy(&pix1);