Fix infinite loop in JBIG2 decoder with >4 referred-to segments by Gaurang-5 · Pull Request #20440 · mozilla/pdf.js

Gaurang-5 · 2025-11-13T20:48:43Z

Fixes #20439

Summary

Fixes an infinite loop issue when decoding JBIG2 images with more than 4 referred-to segments.

Details

The bug had two parts:

Incorrect condition check: The code was checking the entire referredFlags byte (referredFlags === 7) instead of checking the extracted referredToCount value (the top 3 bits: referredToCount === 7)
Incorrect byte count calculation: The calculation for retention flags bytes was (referredToCount + 7) >> 3 when it should be (referredToCount + 8) >> 3

According to the JBIG2 specification, retention flags require (referredToCount + 1) bits total: 1 bit for the segment itself plus 1 bit for each referred segment. The correct byte count is ceil((referredToCount + 1) / 8) which equals (referredToCount + 8) >> 3.

This issue was causing the parser to read incorrect positions, resulting in an infinite loop in the readSegments function.

Testing

Tested with the provided PDF from the issue (hmm.pdf)
All existing unit tests pass (1065 specs, 0 failures)
Fix aligns with solutions in other PDF renderers (SerenityOS, PDFium)

timvandermeij · 2025-11-16T13:59:30Z

Please add a test case (see e.g. https://github.com/mozilla/pdf.js/pull/20270/files for how to do that) which serves as a regression test. After that we can trigger the tests here.

nico · 2025-11-16T18:47:31Z

Feel free to use the file attached to the issue :)

calixteman · 2025-11-21T17:10:07Z

@nico, it's super easy to add the test yourself:

copy your file in test/pdfs/

add an entry in test_manifest.json very similar to:

pdf.js/test/test_manifest.json

Lines 42 to 46 in ddf3a98

    
           "id": "tracemonkey-eq", 
        
           "file": "pdfs/tracemonkey.pdf", 
        
           "md5": "9a192d8b1a7dc652a19835f6f08098bd", 
        
           "rounds": 1, 
        
           "type": "eq"

commit and push.

Gaurang-5 · 2025-11-22T04:07:02Z

@timvandermeij
I've added a regression test for this issue. The test uses the PDF file from the bug report and verifies that it can be decoded without hanging. All tests pass locally.

The test file is located at:

test/pdfs/issue20439.pdf
Entry added to test/test_manifest.json

Please let me know if you need any changes!
Thanks

timvandermeij

Looks good to me like this, with the comment addressed, the commits squashed into one and passing tests. Thanks!

test/pdfs/issue20439.pdf

calixteman · 2025-11-24T13:22:07Z

/botio test

moz-tools-bot · 2025-11-24T13:22:10Z

From: Bot.io (Windows)

Received

Command cmd_test from @calixteman received. Current queue size: 0

Live output at: http://54.193.163.58:8877/73e7f20e09be864/output.txt

moz-tools-bot · 2025-11-24T13:22:10Z

From: Bot.io (Linux m4)

Received

Command cmd_test from @calixteman received. Current queue size: 0

Live output at: http://54.241.84.105:8877/5a1410188c64b28/output.txt

moz-tools-bot · 2025-11-24T14:02:15Z

From: Bot.io (Linux m4)

Failed

Full output at http://54.241.84.105:8877/5a1410188c64b28/output.txt

Total script time: 40.08 mins

Unit tests: Passed
Integration Tests: FAILED
Regression tests: FAILED

  different ref/snapshot: 1

Image differences available at: http://54.241.84.105:8877/5a1410188c64b28/reftest-analyzer.html#web=eq.log

moz-tools-bot · 2025-11-24T14:37:10Z

From: Bot.io (Windows)

Failed

Full output at http://54.193.163.58:8877/73e7f20e09be864/output.txt

Total script time: 75.00 mins

Unit tests: FAILED
Integration Tests: FAILED
Regression tests: FAILED

  different ref/snapshot: 1

Image differences available at: http://54.193.163.58:8877/73e7f20e09be864/reftest-analyzer.html#web=eq.log

timvandermeij · 2025-11-27T20:18:31Z

Could you squash the commits into one so we have a single commit for the change (see https://github.com/mozilla/pdf.js/wiki/Squashing-Commits if you're not familiar with how to do that)? This should be good to merge then.

Gaurang-5 · 2025-12-01T00:41:43Z

Done! I've squashed the commits into a single clean commit as requested. The PR is now ready to merge. Thanks!

test/test_manifest.json

…dd regression test

timvandermeij · 2025-12-07T17:34:42Z

/botio test

moz-tools-bot · 2025-12-07T17:34:45Z

From: Bot.io (Linux m4)

Received

Command cmd_test from @timvandermeij received. Current queue size: 1

Live output at: http://54.241.84.105:8877/c457a3e224d9051/output.txt

moz-tools-bot · 2025-12-07T17:34:45Z

From: Bot.io (Windows)

Received

Command cmd_test from @timvandermeij received. Current queue size: 1

Live output at: http://54.193.163.58:8877/86124cc6f5f9a3c/output.txt

moz-tools-bot · 2025-12-07T18:26:43Z

From: Bot.io (Linux m4)

Failed

Full output at http://54.241.84.105:8877/c457a3e224d9051/output.txt

Total script time: 39.73 mins

Unit tests: Passed
Integration Tests: Passed
Regression tests: FAILED

  different ref/snapshot: 1

Image differences available at: http://54.241.84.105:8877/c457a3e224d9051/reftest-analyzer.html#web=eq.log

moz-tools-bot · 2025-12-07T19:14:25Z

From: Bot.io (Windows)

Failed

Full output at http://54.193.163.58:8877/86124cc6f5f9a3c/output.txt

Total script time: 75.17 mins

Unit tests: FAILED
Integration Tests: FAILED
Regression tests: FAILED

  different ref/snapshot: 1

Image differences available at: http://54.193.163.58:8877/86124cc6f5f9a3c/reftest-analyzer.html#web=eq.log

timvandermeij · 2025-12-09T19:40:15Z

/botio-linux preview

moz-tools-bot · 2025-12-09T19:40:18Z

From: Bot.io (Linux m4)

Received

Command cmd_preview from @timvandermeij received. Current queue size: 0

Live output at: http://54.241.84.105:8877/969a152bef79088/output.txt

moz-tools-bot · 2025-12-09T19:41:17Z

From: Bot.io (Linux m4)

Success

Full output at http://54.241.84.105:8877/969a152bef79088/output.txt

Total script time: 0.97 mins

Published

Viewer: http://54.241.84.105:8877/969a152bef79088/web/viewer.html
Viewer (legacy): http://54.241.84.105:8877/969a152bef79088/legacy/web/viewer.html

timvandermeij · 2025-12-09T19:43:18Z

Thank you for your contribution!

/botio makeref

moz-tools-bot · 2025-12-09T19:43:20Z

From: Bot.io (Linux m4)

Received

Command cmd_makeref from @timvandermeij received. Current queue size: 0

Live output at: http://54.241.84.105:8877/76a6d0fd585c888/output.txt

moz-tools-bot · 2025-12-09T19:43:21Z

From: Bot.io (Windows)

Received

Command cmd_makeref from @timvandermeij received. Current queue size: 0

Live output at: http://54.193.163.58:8877/07e85e9bcfc29f5/output.txt

moz-tools-bot · 2025-12-09T20:01:10Z

From: Bot.io (Linux m4)

Success

Full output at http://54.241.84.105:8877/76a6d0fd585c888/output.txt

Total script time: 17.81 mins

Make references: Passed
Check references: Passed

moz-tools-bot · 2025-12-09T20:13:37Z

From: Bot.io (Windows)

Success

Full output at http://54.193.163.58:8877/07e85e9bcfc29f5/output.txt

Total script time: 30.25 mins

Make references: Passed
Check references: Passed

timvandermeij added the image-jbig2 label Nov 16, 2025

timvandermeij approved these changes Nov 22, 2025

View reviewed changes

test/pdfs/issue20439.pdf Show resolved Hide resolved

Gaurang-5 force-pushed the master branch from df8ed93 to 5e69723 Compare December 1, 2025 00:34

nico reviewed Dec 1, 2025

View reviewed changes

test/test_manifest.json Show resolved Hide resolved

Fix infinite loop in JBIG2 decoder with >4 referred-to segments and a…

ac8d80a

…dd regression test

Gaurang-5 force-pushed the master branch from 5e69723 to ac8d80a Compare December 7, 2025 01:16

timvandermeij approved these changes Dec 7, 2025

View reviewed changes

timvandermeij approved these changes Dec 9, 2025

View reviewed changes

timvandermeij merged commit d946f05 into mozilla:master Dec 9, 2025
9 checks passed

Conversation

Gaurang-5 commented Nov 13, 2025

Summary

Details

Testing

Uh oh!

timvandermeij commented Nov 16, 2025

Uh oh!

nico commented Nov 16, 2025

Uh oh!

calixteman commented Nov 21, 2025

Uh oh!

Gaurang-5 commented Nov 22, 2025

Uh oh!

timvandermeij left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

calixteman commented Nov 24, 2025

Uh oh!

moz-tools-bot commented Nov 24, 2025

From: Bot.io (Windows)

Received

Uh oh!

moz-tools-bot commented Nov 24, 2025

From: Bot.io (Linux m4)

Received

Uh oh!

moz-tools-bot commented Nov 24, 2025

From: Bot.io (Linux m4)

Failed

Uh oh!

moz-tools-bot commented Nov 24, 2025

From: Bot.io (Windows)

Failed

Uh oh!

timvandermeij commented Nov 27, 2025

Uh oh!

Gaurang-5 commented Dec 1, 2025

Uh oh!

Uh oh!

timvandermeij commented Dec 7, 2025

Uh oh!

moz-tools-bot commented Dec 7, 2025

From: Bot.io (Linux m4)

Received

Uh oh!

moz-tools-bot commented Dec 7, 2025

From: Bot.io (Windows)

Received

Uh oh!

moz-tools-bot commented Dec 7, 2025

From: Bot.io (Linux m4)

Failed

Uh oh!

moz-tools-bot commented Dec 7, 2025

From: Bot.io (Windows)

Failed

Uh oh!

timvandermeij commented Dec 9, 2025

Uh oh!

moz-tools-bot commented Dec 9, 2025

From: Bot.io (Linux m4)

Received

Uh oh!

moz-tools-bot commented Dec 9, 2025

From: Bot.io (Linux m4)

Success

Published

Uh oh!

Uh oh!

timvandermeij commented Dec 9, 2025

Uh oh!

moz-tools-bot commented Dec 9, 2025

From: Bot.io (Linux m4)

Received

Uh oh!

moz-tools-bot commented Dec 9, 2025

From: Bot.io (Windows)

timvandermeij left a comment •

edited

Loading