RealmeIP / openjpeg

Automatically exported from code.google.com/p/openjpeg
Other
0 stars 0 forks source link

NR-ENC-random-issue-0005.tif-12-encode #259

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
According to dashboard the following test is failing: 
NR-ENC-random-issue-0005.tif-12-encode

When inspecting with valgrind we can see:

==24977== Invalid write of size 1
==24977==    at 0x4E56446: opj_mqc_byteout (mqc.c:208)
==24977==    by 0x4E56582: opj_mqc_renorme (mqc.c:235)
==24977==    by 0x4E5671E: opj_mqc_codelps (mqc.c:263)
==24977==    by 0x4E56B6D: opj_mqc_encode (mqc.c:394)
==24977==    by 0x4E5EEA8: opj_t1_enc_refpass_step (t1.c:621)
==24977==    by 0x4E5F22B: opj_t1_enc_refpass (t1.c:708)
==24977==    by 0x4E61D40: opj_t1_encode_cblk (t1.c:1597)
==24977==    by 0x4E61AB6: opj_t1_encode_cblks (t1.c:1523)
==24977==    by 0x4E6A5E8: opj_tcd_t1_encode (tcd.c:1945)
==24977==    by 0x4E690AD: opj_tcd_encode_tile (tcd.c:1150)
==24977==    by 0x4E42198: opj_j2k_write_sod (j2k.c:4185)
==24977==    by 0x4E5029F: opj_j2k_write_first_tile_part (j2k.c:9790)
==24977==  Address 0x678e5b0 is 0 bytes after a block of size 8,192 alloc'd
==24977==    at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==24977==    by 0x4E68BAF: opj_tcd_code_block_enc_allocate (tcd.c:1004)
==24977==    by 0x4E677E4: opj_tcd_init_encode_tile (in 
/home/mathieu/Projects/IntoPIX/openjpeg.svn/trunk/bin/bin/libopenjp2.so.2.0.0)
==24977==    by 0x4E4F8E2: opj_j2k_pre_write_tile (j2k.c:9494)
==24977==    by 0x4E4F4A1: opj_j2k_encode (j2k.c:9389)
==24977==    by 0x4E57F1C: opj_encode (openjpeg.c:853)
==24977==    by 0x406CC0: main (opj_compress.c:1696)

Original issue reported on code.google.com by mathieu.malaterre on 24 Feb 2014 at 1:21

GoogleCodeExporter commented 8 years ago
What really looks suspicious is commit r2266

in particular line 1004 was changed from:

p_code_block->data = (OPJ_BYTE*) opj_malloc(8192+1);

into

p_code_block->data = (OPJ_BYTE*) opj_malloc(OPJ_J2K_DEFAULT_CBLK_DATA_SIZE); 
//why +1 ?

I believe the +/-1 is for the DWT internal implementation and as such should 
not be changed otherwise bad thing (tm) will happen.

Original comment by mathieu.malaterre on 24 Feb 2014 at 1:23

GoogleCodeExporter commented 8 years ago
until we get some more quota for attaching file. The local patch to fix 
symptoms is:

Index: src/lib/openjp2/tcd.c
===================================================================
--- src/lib/openjp2/tcd.c   (révision 2391)
+++ src/lib/openjp2/tcd.c   (copie de travail)
@@ -1001,7 +1001,7 @@
 {
         if (! p_code_block->data) {

-                p_code_block->data = (OPJ_BYTE*) 
opj_malloc(OPJ_J2K_DEFAULT_CBLK_DATA_SIZE); //why +1 ?
+                p_code_block->data = (OPJ_BYTE*) 
opj_malloc(OPJ_J2K_DEFAULT_CBLK_DATA_SIZE*2); //why +1 ?
                 if(! p_code_block->data) {
                         return OPJ_FALSE;
                 }

Original comment by mathieu.malaterre on 24 Feb 2014 at 1:34

GoogleCodeExporter commented 8 years ago
As a side effect NR-ENC-tmp-issue-0062.raw-13-encode is now passing.

Original comment by mathieu.malaterre on 24 Feb 2014 at 1:36

GoogleCodeExporter commented 8 years ago
Adding some more information. This is really related to issue 5 and a previous 
fix was applied as seen in r1703

This used to be known as CVE-2009-5030, see https://bugs.debian.org/672455

Original comment by mathieu.malaterre on 24 Feb 2014 at 5:11

GoogleCodeExporter commented 8 years ago

Original comment by mathieu.malaterre on 25 Feb 2014 at 2:19

GoogleCodeExporter commented 8 years ago
openjpeg-trunk-r2577, make Experimental:

        Start 303: NR-ENC-random-issue-0005.tif-12-encode
303/591 Test #303: NR-ENC-random-issue-0005.tif-12-encode 
...................................................***Exception: SegFault  0.70 
sec

random-issue-0005.tif:
======================
bin/opj_compress -i random-issue-0005.tif -o random-issue-0005.tif.j2k

BEFORE:
 opj_end_compress(l_codec, l_stream);

*** glibc detected *** bin/opj_compress: double free or corruption (!prev): 
0x0000000000981e50 ***
Segmentation fault

winfried

Original comment by szukw...@arcor.de on 7 Mar 2014 at 6:45

GoogleCodeExporter commented 8 years ago
openjpeg-trunk-r2577, make Experimental:

        Start 308: NR-ENC-tmp-issue-0062.raw-13-encode

*** glibc detected *** 
/sources/LIB/OPENJPEG/TRUNK/openjpeg-trunk-r2577-1/BUILD/bin/opj_compress: 
double free or corruption (!prev): 0x00000000011dce40 ***
*** glibc detected *** 
/sources/LIB/OPENJPEG/TRUNK/openjpeg-trunk-r2577-1/BUILD/bin/opj_compress: 
free(): invalid next size (normal): 0x000000000115f820 ***

winfried

Original comment by szukw...@arcor.de on 7 Mar 2014 at 6:53

Attachments:

GoogleCodeExporter commented 8 years ago
From the symptoms, it looks like a dup of 135. Closing.

Original comment by mathieu.malaterre on 7 Mar 2014 at 2:59

GoogleCodeExporter commented 8 years ago
Issue 5 has been merged into this issue.

Original comment by mathieu.malaterre on 7 Mar 2014 at 3:11