Closed GoogleCodeExporter closed 9 years ago
What really looks suspicious is commit r2266
in particular line 1004 was changed from:
p_code_block->data = (OPJ_BYTE*) opj_malloc(8192+1);
into
p_code_block->data = (OPJ_BYTE*) opj_malloc(OPJ_J2K_DEFAULT_CBLK_DATA_SIZE);
//why +1 ?
I believe the +/-1 is for the DWT internal implementation and as such should
not be changed otherwise bad thing (tm) will happen.
Original comment by mathieu.malaterre
on 24 Feb 2014 at 1:23
until we get some more quota for attaching file. The local patch to fix
symptoms is:
Index: src/lib/openjp2/tcd.c
===================================================================
--- src/lib/openjp2/tcd.c (révision 2391)
+++ src/lib/openjp2/tcd.c (copie de travail)
@@ -1001,7 +1001,7 @@
{
if (! p_code_block->data) {
- p_code_block->data = (OPJ_BYTE*)
opj_malloc(OPJ_J2K_DEFAULT_CBLK_DATA_SIZE); //why +1 ?
+ p_code_block->data = (OPJ_BYTE*)
opj_malloc(OPJ_J2K_DEFAULT_CBLK_DATA_SIZE*2); //why +1 ?
if(! p_code_block->data) {
return OPJ_FALSE;
}
Original comment by mathieu.malaterre
on 24 Feb 2014 at 1:34
As a side effect NR-ENC-tmp-issue-0062.raw-13-encode is now passing.
Original comment by mathieu.malaterre
on 24 Feb 2014 at 1:36
Adding some more information. This is really related to issue 5 and a previous
fix was applied as seen in r1703
This used to be known as CVE-2009-5030, see https://bugs.debian.org/672455
Original comment by mathieu.malaterre
on 24 Feb 2014 at 5:11
Original comment by mathieu.malaterre
on 25 Feb 2014 at 2:19
openjpeg-trunk-r2577, make Experimental:
Start 303: NR-ENC-random-issue-0005.tif-12-encode
303/591 Test #303: NR-ENC-random-issue-0005.tif-12-encode
...................................................***Exception: SegFault 0.70
sec
random-issue-0005.tif:
======================
bin/opj_compress -i random-issue-0005.tif -o random-issue-0005.tif.j2k
BEFORE:
opj_end_compress(l_codec, l_stream);
*** glibc detected *** bin/opj_compress: double free or corruption (!prev):
0x0000000000981e50 ***
Segmentation fault
winfried
Original comment by szukw...@arcor.de
on 7 Mar 2014 at 6:45
openjpeg-trunk-r2577, make Experimental:
Start 308: NR-ENC-tmp-issue-0062.raw-13-encode
*** glibc detected ***
/sources/LIB/OPENJPEG/TRUNK/openjpeg-trunk-r2577-1/BUILD/bin/opj_compress:
double free or corruption (!prev): 0x00000000011dce40 ***
*** glibc detected ***
/sources/LIB/OPENJPEG/TRUNK/openjpeg-trunk-r2577-1/BUILD/bin/opj_compress:
free(): invalid next size (normal): 0x000000000115f820 ***
winfried
Original comment by szukw...@arcor.de
on 7 Mar 2014 at 6:53
Attachments:
From the symptoms, it looks like a dup of 135. Closing.
Original comment by mathieu.malaterre
on 7 Mar 2014 at 2:59
Issue 5 has been merged into this issue.
Original comment by mathieu.malaterre
on 7 Mar 2014 at 3:11
Original issue reported on code.google.com by
mathieu.malaterre
on 24 Feb 2014 at 1:21