null pointer dereference in JPX decoder

[GoogleCodeExporter]

What steps will reproduce the problem?

$ ulimit -v 100000
$ out/Debug/pdfium_test nullptr.pdf
Rendering PDF file nullptr.pdf.
Non-linearized path...
Segmentation fault (core dumped)

What version of the product are you using? On what operating system?

$ git rev-parse HEAD
e09556b4e9049a6e46789d31da5eb0c203dd8580
$ uname
Linux
$ uname -m
x86_64

Please provide any additional information below.

Found with American fuzzy lop.

GDB says it's a null pointer dereference:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000000004c3e55 in sycc_to_rgb (offset=<optimized out>, upb=255, y=128, 
cb=0, cr=<optimized out>, out_r=0x0, out_g=<optimized out>, out_b=<optimized 
out>) at core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:143
143         } *out_r = r;
(gdb) print out_r
$1 = (int *) 0x0
(gdb) bt
#0  0x00000000004c3e55 in sycc_to_rgb (offset=<optimized out>, upb=255, y=128, 
cb=0, cr=<optimized out>, out_r=0x0, out_g=<optimized out>, out_b=<optimized 
out>) at core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:143
#1  sycc444_to_rgb (img=<optimized out>) at 
core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:175
#2  color_sycc_to_rgb (img=0x458d090) at 
core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:346
#3  0x00000000004c642d in CJPX_Decoder::Init (this=<optimized out>, 
src_data=<optimized out>, src_size=<optimized out>) at 
core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:688
#4  0x00000000004c759a in CCodec_JpxModule::CreateDecoder (this=<optimized 
out>, src_buf=0x80 <error: Cannot access memory at address 0x80>, src_size=0, 
useColorSpace=1) at core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:806
#5  0x00000000006fcaae in CPDF_DIBSource::LoadJpxBitmap (this=0x455f040) at 
core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:638
#6  0x00000000006fa35f in CPDF_DIBSource::CreateDecoder (this=0x455f040) at 
core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:598
#7  0x00000000006f847e in CPDF_DIBSource::StartLoadDIBSource (this=0x455f040, 
pDoc=<optimized out>, pStream=<optimized out>, bHasMask=<optimized out>, 
pFormResources=<optimized out>, pPageResources=<optimized out>, 
bStdCS=<optimized out>, GroupFamily=<optimized out>, bLoadMask=<optimized out>) 
at core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:329
#8  0x00000000006ef5ac in StartGetCachedBitmap (this=0x455efe0, 
pFormResources=<optimized out>, pPageResources=<optimized out>, bStdCS=0, 
GroupFamily=<optimized out>, bLoadMask=0, pRenderStatus=<optimized out>, 
downsampleWidth=<optimized out>, downsampleHeight=<optimized out>) at 
core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:293
#9  CPDF_PageRenderCache::StartGetCachedBitmap (this=0x455ca60, 
pStream=<optimized out>, bStdCS=<optimized out>, GroupFamily=<optimized out>, 
bLoadMask=<optimized out>, pRenderStatus=<optimized out>, 
downsampleWidth=<optimized out>, downsampleHeight=<optimized out>) at 
core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131
#10 0x000000000070197e in CPDF_ProgressiveImageLoaderHandle::Start 
(this=0x455efb0, pImageLoader=<optimized out>, pImage=<optimized out>, 
pCache=0x455ca60, bStdCS=<optimized out>, GroupFamily=<optimized out>, 
bLoadMask=0, pRenderStatus=0xff, nDownsampleWidth=<optimized out>, 
nDownsampleHeight=97) at 
core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1443
#11 0x0000000000701f94 in CPDF_ImageLoader::StartLoadImage (this=0x455ef28, 
pImage=0x0, pCache=0x0, LoadHandle=<optimized out>, bStdCS=0, GroupFamily=128, 
bLoadMask=<optimized out>, pRenderStatus=<optimized out>, 
nDownsampleWidth=<optimized out>, nDownsampleHeight=<optimized out>) at 
core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1502
#12 0x00000000006f27a3 in CPDF_ImageRenderer::StartLoadDIBSource 
(this=0x455eee0) at core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:327
#13 0x00000000006f0b70 in CPDF_ImageRenderer::Start (this=0x455eee0, 
pStatus=<optimized out>, pObj=<optimized out>, pObj2Device=0x455d0d8, bStdCS=0, 
blendType=128) at core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:453
#14 0x00000000006e84c2 in CPDF_RenderStatus::ContinueSingleObject 
(this=0x455edd0, pObj=0x455df80, pObj2Device=0x455d0d8, pPause=<optimized out>) 
at core/src/fpdfapi/fpdf_render/fpdf_render.cpp:335
#15 0x00000000006ed09b in CPDF_ProgressiveRenderer::Continue (this=0x455ed70, 
pPause=0x0) at core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1130
#16 0x00000000006ec882 in CPDF_ProgressiveRenderer::Start (this=0x42d5, 
pContext=<optimized out>, pDevice=0x0, pOptions=<optimized out>, pPause=0x0, 
bDropObjects=128) at core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1073
#17 0x0000000000478856 in FPDF_RenderPage_Retail (pContext=0x455d440, 
page=<optimized out>, start_x=<optimized out>, start_y=<optimized out>, 
size_x=<optimized out>, size_y=<optimized out>, rotate=<optimized out>, 
flags=<optimized out>, bNeedToRestore=<optimized out>, pause=<optimized out>) 
at fpdfsdk/src/fpdfview.cpp:728
#18 0x0000000000478a34 in FPDF_RenderPageBitmap (bitmap=<optimized out>, 
page=0x455c990, start_x=0, start_y=0, size_x=171, size_y=97, rotate=<optimized 
out>, flags=<optimized out>) at fpdfsdk/src/fpdfview.cpp:526
#19 0x0000000000409ee6 in RenderPdf (name=..., pBuf=<optimized out>, 
len=<optimized out>, options=...) at samples/pdfium_test.cc:509
#20 0x000000000040ada4 in main (argc=<optimized out>, argv=<optimized out>) at 
samples/pdfium_test.cc:612

Original issue reported on code.google.com by [email protected] on 12 May 2015 at 5:44

Attachments:

• nullptr.pdf