xinxinlx / openjpeg

Automatically exported from code.google.com/p/openjpeg

openjpeg crash error #330

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
When decompressing the attached jp2 image, openjpeg will crash in the
opj_j2k_read_sot function:

    if (l_tcp->m_nb_tile_parts) { // l_tcp->m_nb_tile_parts is invalid or null
    …
    }

I found that l_tcp points to one element of l_cp->tcps, 
    l_tcp = &l_cp->tcps[p_j2k->m_current_tile_number];
but the index is a large number (value 0x00007801).

So I check the validity of p_j2k->m_current_tile_number when reading it,
like this:

    opj_read_bytes(p_header_data,&(p_j2k->m_current_tile_number),2);
    p_header_data+=2;

    /* valid tile indices are 0 .. tw*th-1, so tw*th itself is out of range */
    if (p_j2k->m_current_tile_number >= (l_cp->tw * l_cp->th))
    {
        return OPJ_FALSE;
    }

But then openjpeg returns null. Is there any problem?

Original issue reported on code.google.com by xiaochua...@gmail.com on 3 Apr 2014 at 8:32
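An added example (not code from this issue or from openjpeg) showing the check the reporter describes: derive the tile count tw*th from the SIZ geometry and reject an SOT marker whose Isot lies outside [0, tw*th), so that &tcps[Isot] can never leave the array. The struct and function names and the SIZ/SOT byte values are constructed for illustration; the rejected index 0x7801 (30721) is the one from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Image and tile geometry from the SIZ marker. Field names follow the spec;
 * the struct and function names here are constructed, not openjpeg's. */
typedef struct {
    uint32_t xsiz, ysiz;     /* image grid extent */
    uint32_t xtosiz, ytosiz; /* tile grid origin */
    uint32_t xtsiz, ytsiz;   /* tile width / height */
} siz_t;

static uint32_t ceil_div(uint32_t a, uint32_t b) { return (a + b - 1) / b; }

/* tw * th: the number of tiles the SIZ geometry defines (0 if SIZ is bogus). */
uint32_t tile_count(const siz_t *s) {
    if (s->xtsiz == 0 || s->ytsiz == 0) return 0;
    uint32_t tw = ceil_div(s->xsiz - s->xtosiz, s->xtsiz);
    uint32_t th = ceil_div(s->ysiz - s->ytosiz, s->ytsiz);
    return tw * th;
}
static uint32_t rd16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }

/* Parse an SOT segment body (the bytes after the 0xFF90 marker):
 * Lsot(2) Isot(2) Psot(4) TPsot(1) TNsot(1). Returns 0 and stores Isot on
 * success, -1 if the segment is short or Isot lies outside [0, tw*th).
 * That range check is what keeps &tcps[Isot] inside the allocated array. */
int read_sot(const uint8_t *seg, size_t len, const siz_t *siz, uint32_t *isot) {
    if (len < 10 || rd16(seg) != 10) return -1;   /* Lsot is always 10 */
    uint32_t tile = rd16(seg + 2);
    if (tile >= tile_count(siz)) {                 /* valid indices: 0 .. tw*th-1 */
        fprintf(stderr, "[ERROR] Invalid tile number %u\n", tile);
        return -1;
    }
    *isot = tile;
    return 0;
}

/* Constructed inputs: a 300x200 image in 100x100 tiles (3x2 = 6 tiles, as in
 * the issue's log), an SOT for tile 1, and one carrying Isot = 0x7801 (30721),
 * the out-of-range index from the report. */
const siz_t DEMO_SIZ = { 300, 200, 0, 0, 100, 100 };
const uint8_t SOT_OK[10]  = { 0x00, 0x0A, 0x00, 0x01, 0, 0, 0, 0, 0x00, 0x01 };
const uint8_t SOT_BAD[10] = { 0x00, 0x0A, 0x78, 0x01, 0, 0, 0, 0, 0x00, 0x01 };
int main(void) {
    uint32_t t = 0;
    int ok = read_sot(SOT_OK, 10, &DEMO_SIZ, &t), bad = read_sot(SOT_BAD, 10, &DEMO_SIZ, &t);
    printf("tiles=%u ok=%d (Isot %u) bad=%d\n", tile_count(&DEMO_SIZ), ok, t, bad);
    return 0;
}
```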

GoogleCodeExporter commented 9 years ago
I use openjpeg-2.x-trunk-r2833.

kdu_expand -i issue330-Robert4_12_SIGSEGV.PC.0x4a469a.CODE.1.ADDR.0x48.INSTR.mov_ecx,_[rax+0x48]_10.jp2 -o issue330-Robert4.bmp

Kakadu Core Error:
Illegal inclusion tag tree encountered while decoding a packet header.  This
problem can arise if empty packets are used (i.e., packets whose first header
bit is 0) and the value coded by the inclusion tag tree in a subsequent packet
is not exactly equal to the index of the quality layer in which each code-block
makes its first contribution.  Such an error may arise from a
mis-interpretation of the standard.  The problem may also occur as a result of
a corrupted code-stream.  Try re-opening the image with the resilient mode
enabled.

opj_decompress -i issue330-Robert4_12_SIGSEGV.PC.0x4a469a.CODE.1.ADDR.0x48.INSTR.mov_ecx\,_\[rax+0x48\]_10.jp2 -o issue330-Robert4.png

[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 0 / 5 has been read.
[INFO] Tile 1/6 has been decoded.
[INFO] Image data has been updated with tile 1.

[ERROR] Invalid tile number 30721
[ERROR] Fail to read the current marker segment (0xff90)
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

winfried

Original comment by szukw...@arcor.de on 3 Apr 2014 at 5:01

GoogleCodeExporter commented 9 years ago
This would need to be fixed ASAP.

Original comment by mathieu.malaterre on 28 Apr 2014 at 7:50

GoogleCodeExporter commented 9 years ago
Regarding Kakadu output:
kdu_expand -i ../../data/issue330.jp2 -o 0.bmp -resilient
Kakadu Core Error:
Corrupt SOT marker segment found in codestream: tile-number lies outside the
range of available tiles derived from the SIZ marker segment.

Running under ASan (both x86 & x64), I get (trunk r2944):
./bin/opj_decompress -i ../../data/issue330.jp2 -o 0.bmp

[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 6 has been read.
[INFO] Tile 1/6 has been decoded.
[INFO] Image data has been updated with tile 1.

[ERROR] Invalid tile number 30721
[ERROR] Fail to read the current marker segment (0xff90)
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

No crash & no ASan error

Original comment by m.darb...@gmail.com on 22 Nov 2014 at 6:46

GoogleCodeExporter commented 9 years ago
Provided code-stream is corrupted and opj_decompress returns gracefully (as 
kakadu 7.4 does). Nothing to be done here.

Original comment by antonin on 15 Jan 2015 at 4:55