What steps will reproduce the problem?
1. Run Opj_decompress with the attached as input
What is the expected output? What do you see instead?
In an ASAN environment, it triggers a heap-buffer-overflow in opj_dwt_decode.
What version of the product are you using? On what operating system?
OpenJpeg revision 2997. Ubuntu 64 bits and Windows 7.
Please provide any additional information below.
The original issue was raised in
https://code.google.com/p/chromium/issues/list. It's issue 457480.
If there is no ASAN environment, we can still find this issue in debugging
mode. Please input repro.jp2 to run Opj_decompress.
Set two breakpoints in the following two functions to check the address. We
can find that h.mem points to 4 bytes of memory, but bi points to memory outside
the allocated range. It causes a heap-buffer-overflow when *bi is assigned some
value.

OPJ_BOOL opj_dwt_decode_tile(opj_tcd_tilecomp_t* tilec, OPJ_UINT32 numres, DWT1DFN dwt_1D) {
    ...
    h.mem = (OPJ_INT32*) opj_aligned_malloc(opj_dwt_max_resolution(tr, numres) * sizeof(OPJ_INT32));
    ...
}

void opj_dwt_interleave_h(opj_dwt_t* h, OPJ_INT32 *a) {
    ...
    bi = h->mem + 1 - h->cas;
    ...
}

Original issue reported on code.google.com by jun_f...@foxitsoftware.com on 17 Apr 2015 at 11:19
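
The bounds relationship described in the report, as an added example that is not OpenJPEG code or part of the original issue: a simplified model of the interleave step with an explicit capacity check before any write. The struct, the `cap` field, the function names and the stride-2 write pattern driven by `sn`/`dn` are assumptions made for illustration; only `mem`, `cas` and the `mem + 1 - cas` start offset come from the snippet above.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-in for opj_dwt_t (assumption, not the project's struct). */
typedef struct {
    int32_t *mem;  /* scratch line buffer */
    size_t   cap;  /* elements allocated for mem (hypothetical field) */
    int32_t  sn;   /* number of low-pass samples (assumed) */
    int32_t  dn;   /* number of high-pass samples (assumed) */
    int32_t  cas;  /* 0 or 1: parity of the first sample */
} dwt_model_t;

/* Highest index written by a pass of `count` stride-2 writes from `start`. */
static size_t last_index(int32_t start, int32_t count)
{
    return (size_t)start + 2u * (size_t)(count - 1);
}

/* Returns 1 if both interleave passes stay inside mem[0..cap), else 0. */
int interleave_fits(const dwt_model_t *h)
{
    if (h->sn < 0 || h->dn < 0 || (h->cas != 0 && h->cas != 1)) return 0;
    if (h->sn > 0 && last_index(h->cas, h->sn) >= h->cap) return 0;
    /* This is the pass that starts at mem + 1 - cas. */
    if (h->dn > 0 && last_index(1 - h->cas, h->dn) >= h->cap) return 0;
    return 1;
}

/* Checked interleave: 0 on success, -1 (nothing written) if it would overflow. */
int interleave_h_checked(dwt_model_t *h, const int32_t *a)
{
    int32_t i;
    int32_t *bi;

    if (!interleave_fits(h)) return -1;

    bi = h->mem + h->cas;              /* low-pass samples */
    for (i = 0; i < h->sn; i++, bi += 2) *bi = a[i];

    bi = h->mem + 1 - h->cas;          /* high-pass samples */
    for (i = 0; i < h->dn; i++, bi += 2) *bi = a[h->sn + i];
    return 0;
}
```

With a one-element (4-byte) buffer and `cas == 0`, the second pass would start at `mem[1]`, so the check rejects it before the write that ASAN flags.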