Closed GoogleCodeExporter closed 9 years ago
The title should be "PDF crash in chrome - part0"
Original comment by bo...@foxitsoftware.com
on 28 Jun 2014 at 1:05
Original comment by antonin
on 19 Sep 2014 at 9:41
r2894
./bin/opj_decompress -i ../../data/issue360/2863.jp2 -o 0.bmp
[INFO] Start to read j2k main header (129).
=================================================================
==3018==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x02903b68 at pc 0x00296aa6 bp 0xbffc94f8 sp 0xbffc90dc
READ of size 96613 at 0x02903b68 thread T0
#0 0x296aa5 in __asan_memcpy (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x27aa5)
#1 0x76f31d in j2k_read_ppm_v3 /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:3636:17
#2 0x792e44 in opj_j2k_read_header_procedure /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7132:23
#3 0x779bd7 in opj_j2k_exec /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7187:41
#4 0x77986d in opj_j2k_read_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:6719:15
#5 0x79e08c in opj_jp2_read_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:2310:9
#6 0x7a4b49 in opj_read_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/openjpeg.c:391:10
#7 0x395ef in main (/Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress+0x65ef)
#8 0x9aaf1700 in start (/usr/lib/system/libdyld.dylib+0x3700)
#9 0x4 (<unknown module>)
0x02903b68 is located 0 bytes to the right of 1000-byte region [0x02903780,0x02903b68)
allocated by thread T0 here:
#0 0x29f30a in wrap_calloc (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3030a)
#1 0x77f272 in opj_j2k_create_decompress /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:8286:72
#2 0x79eeb1 in opj_jp2_create /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:2549:15
#3 0x7a4523 in opj_create_decompress /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/openjpeg.c:318:23
#4 0x39574 in main (/Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress+0x6574)
#5 0x9aaf1700 in start (/usr/lib/system/libdyld.dylib+0x3700)
#6 0x4 (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
==3018==ABORTING
Original comment by m.darb...@gmail.com
on 3 Oct 2014 at 6:59
Attachments:
./bin/opj_decompress -i ../../data/issue360/2894.jp2 -o 0.bmp
==3028==ERROR: AddressSanitizer failed to allocate 0xb2003000 (-1308610560) bytes of LargeMmapAllocator (errno: 12)
==3028==Process memory map follows:
==3028==End of process memory map.
==3028==AddressSanitizer CHECK failed:
/private/tmp/llvm-release/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
#0 0x36c227 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3a227)
#1 0x3706a3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3e6a3)
Original comment by m.darb...@gmail.com
on 3 Oct 2014 at 7:02
kdu_expand -i ../../data/issue360/2863.jp2 -o 0.bmp
Kakadu Core Error:
Main code-stream header appears corrupt!
Original comment by m.darb...@gmail.com
on 3 Oct 2014 at 7:52
This patch from bo_xu fixes error for 2984.jp2
./bin/opj_decompress -i ../../data/issue360/2894.jp2 -o 0.bmp
[ERROR] invalid box size -1308622828 (66747970)
ERROR -> opj_decompress: failed to read the header
kdu_expand -i ../../data/issue360/2894.jp2 -o 0.bmp
Error in Kakadu File Format Support:
JP2-family data source contains a malformed file type box.
Original comment by m.darb...@gmail.com
on 3 Oct 2014 at 7:56
Attachments:
This patch makes the following tests fail:
105:ETS-JP2-file8.jp2-decode [ERROR] invalid box size 910 (786d6c20)
106:ETS-JP2-file8.jp2-compare2ref
107:NR-JP2-file8.jp2-compare2base
582:NR-DEC-text_GBR.jp2-29-decode [ERROR] invalid box size 655360 (883)
583:NR-DEC-text_GBR.jp2-29-decode-md5
593:NR-DEC-mem-b2b86b74-2753.jp2-35-decode [ERROR] invalid box size 655360 (64d)
594:NR-DEC-mem-b2b86b74-2753.jp2-35-decode-md5
603:NR-DEC-issue206_image-000.jp2-42-decode [ERROR] invalid box size 655360 (5cc)
604:NR-DEC-issue206_image-000.jp2-42-decode-md5
629:NR-DEC-issue254.jp2-65-decode [ERROR] invalid box size 655360 (3bd8)
637:NR-DEC-issue208.jp2-69-decode [ERROR] invalid box size 655360 (68)
638:NR-DEC-issue208.jp2-69-decode-md5
Original comment by m.darb...@gmail.com
on 5 Oct 2014 at 3:35
This patch allows file8 to decode properly.
After analysis, the other files only decode properly before the patch because it's the last box & the box is skipped (no handler). If skip is modified to check that the number of bytes skipped falls within the file size range, then it fails:
static OPJ_OFF_T opj_skip_from_file (OPJ_OFF_T p_nb_bytes, FILE * p_user_data)
{
    if (p_nb_bytes > 0) {
        OPJ_BYTE l_byte;
        /* Seek to the last byte of the range being skipped ... */
        if (OPJ_FSEEK(p_user_data,p_nb_bytes-1,SEEK_CUR)) {
            return -1;
        }
        /* ... and read it: a seek past end of file succeeds silently,
         * but the one-byte read then fails, so the skip is rejected. */
        if (opj_read_from_file(&l_byte, 1, p_user_data) != 1) {
            return -1;
        }
    }
    return p_nb_bytes;
}
Are those some special kind of boxes?
Original comment by m.darb...@gmail.com
on 5 Oct 2014 at 5:05
Attachments:
This patch only does the check if a handler exists, before trying to reallocate data.
It should be OK to apply. CTest running.
Original comment by m.darb...@gmail.com
on 5 Oct 2014 at 5:57
Attachments:
OK in CDash
./bin/opj_decompress -i ../../data/issue360/2866.jp2 -o 0.bmp
[ERROR] Invalid box size -738197484 for box 'ftyp'. Need -738197492 bytes, 602 bytes remaining
ERROR -> opj_decompress: failed to read the header
./bin/opj_decompress -i ../../data/issue360/2894.jp2 -o 0.bmp
[ERROR] Invalid box size -1308622828 for box 'ftyp'. Need -1308622836 bytes, 605 bytes remaining
ERROR -> opj_decompress: failed to read the header
Issue remaining on 2863.jp2
Original comment by m.darb...@gmail.com
on 5 Oct 2014 at 6:49
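An added example, not OpenJPEG's own code, of the box-header range check behind the "Need N bytes, M bytes remaining" error above and the byte-range check the skip discussion asks for: the declared box size is kept unsigned and compared with the bytes left in the file, so the 0xB2000014 'ftyp' length from 2894.jp2 (printed as -1308622828 by the decoder) is rejected up front instead of reaching the allocator as the multi-gigabyte request seen in the earlier ASan output. The names jp2_read_box_header and jp2_box_hdr and the two constructed headers are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Parsed JP2 box header (constructed example, not an OpenJPEG type). */
typedef struct {
    uint64_t size;       /* total box size including the header */
    uint32_t type;       /* four-character box type, 'ftyp' = 0x66747970 */
    uint32_t header_len; /* 8, or 16 when an XLBox field is present */
} jp2_box_hdr;

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 1 if the header is sane, 0 if it is truncated or the box claims
 * more bytes than remain in the file. Sizes stay unsigned, so 0xB2000014 is a
 * plain 2.9 GB claim that fails the range check, not a negative int that
 * slips past a "size < 8" test and is later handed to an allocation. */
int jp2_read_box_header(const uint8_t *buf, uint64_t remaining, jp2_box_hdr *out) {
    if (remaining < 8) return 0;
    uint32_t lbox = rd_be32(buf);
    out->type = rd_be32(buf + 4);
    out->header_len = 8;
    if (lbox == 1) {                /* XLBox: 64-bit size follows */
        if (remaining < 16) return 0;
        out->size = ((uint64_t)rd_be32(buf + 8) << 32) | rd_be32(buf + 12);
        out->header_len = 16;
    } else if (lbox == 0) {         /* box extends to end of file */
        out->size = remaining;
    } else {
        out->size = lbox;
    }
    if (out->size < out->header_len) return 0;  /* smaller than its own header */
    if (out->size > remaining) return 0;        /* "Need N bytes, M remaining" */
    return 1;
}

/* Constructed headers: the malformed 'ftyp' box from the report (LBox
 * 0xB2000014 with 605 bytes left in the file) and a well-formed 20-byte one. */
static const uint8_t BAD_FTYP[8]  = {0xB2, 0x00, 0x00, 0x14, 'f', 't', 'y', 'p'};
static const uint8_t GOOD_FTYP[8] = {0x00, 0x00, 0x00, 0x14, 'f', 't', 'y', 'p'};

int check_bad_ftyp(void)  { jp2_box_hdr h; return jp2_read_box_header(BAD_FTYP, 605, &h); }
int check_good_ftyp(void) { jp2_box_hdr h; return jp2_read_box_header(GOOD_FTYP, 605, &h); }

int main(void) {
    printf("malformed ftyp accepted: %d\n", check_bad_ftyp());  /* 0 */
    printf("valid ftyp accepted:     %d\n", check_good_ftyp()); /* 1 */
    return 0;
}
```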
This patch corrects the issue remaining. OK in CDash
./bin/opj_decompress -i ../../data/issue360/2863.jp2 -o 0.bmp
[INFO] Start to read j2k main header (129).
[ERROR] Error reading PPM marker
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header
Original comment by m.darb...@gmail.com
on 5 Oct 2014 at 9:00
Attachments:
Original comment by m.darb...@gmail.com
on 6 Oct 2014 at 11:44
Issue 360 has been merged into this issue.
Original comment by m.darb...@gmail.com
on 6 Oct 2014 at 11:49
This issue was closed by revision r2896.
Original comment by antonin
on 6 Oct 2014 at 9:05
Original issue reported on code.google.com by
bo...@foxitsoftware.com
on 28 Jun 2014 at 12:57
Attachments: