xuewend / openjpeg

Automatically exported from code.google.com/p/openjpeg

Invalid write in opj_j2k_update_image_data #495

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
So, there appears to be a regression of sorts in r2991 ("fixed a buffer 
overflow in opj_tcd_init_decode_tile"). After that revision, the attached 
fuzzer-produced file causes opj_j2k_update_image_data to write to invalid 
memory at line 8198:
   *(l_dest_ptr++) = (OPJ_INT32) ((*(l_src_ptr++))&0xff);

The problem is basically that l_img_comp_dest->w is a very large integer, large 
enough that it causes l_line_offset_dest to become negative, and so 
"l_dest_ptr+= l_line_offset_dest" decrements l_dest_ptr and causes it to point 
to an invalid address. You can reproduce this by trying to decode the attached 
image with opj_decompress (tested on Linux x86-64). The attached patch appears 
to catch this particular testcase, but because I don't fully understand the 
underlying problem it's possible there are other ways of triggering the issue 
or that this could break very large but valid images.

Original issue reported on code.google.com by makos...@gmail.com on 26 May 2015 at 8:13

Attachments:
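
The failure mode described in the report above, as an added example that is not part of the original issue or of OpenJPEG's code: a simplified model in which a destination row gap derived from an unsigned 32-bit width is stored in a signed 32-bit variable, next to a checked variant. All function and parameter names are hypothetical; only the `& 0xff` copy mirrors the line quoted in the report.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model; names are hypothetical, not OpenJPEG's. */

/* Unchecked: gap between the end of the copied span and the next row,
 * kept in a signed 32-bit value. A huge comp_w wraps it negative
 * (implementation-defined conversion; two's-complement wrap on GCC/Clang). */
int32_t row_gap_unchecked(uint32_t comp_w, uint32_t copy_w)
{
    return (int32_t)(comp_w - copy_w);
}

/* Checked: reject widths that cannot be represented or whose buffer size
 * would overflow, and return the gap as an unsigned size. */
int row_gap_checked(uint32_t comp_w, uint32_t comp_h, uint32_t copy_w,
                    size_t *gap_out)
{
    if (copy_w > comp_w || comp_w > (uint32_t)INT32_MAX)
        return -1;
    if (comp_h != 0 && (size_t)comp_w > SIZE_MAX / sizeof(int32_t) / comp_h)
        return -1;
    *gap_out = (size_t)comp_w - copy_w;
    return 0;
}

/* Copy a copy_w x copy_h tile into the top-left of a comp_w x comp_h
 * destination, masking samples to 8 bits as in the quoted line. */
int copy_rows_checked(int32_t *dest, uint32_t comp_w, uint32_t comp_h,
                      const int32_t *src, uint32_t copy_w, uint32_t copy_h)
{
    size_t gap;
    if (copy_h > comp_h || row_gap_checked(comp_w, comp_h, copy_w, &gap) != 0)
        return -1;
    for (uint32_t y = 0; y < copy_h; ++y) {
        for (uint32_t x = 0; x < copy_w; ++x)
            *dest++ = *src++ & 0xff;
        dest += gap;   /* unsigned gap: the pointer only moves forward */
    }
    return 0;
}

int main(void)
{
    int32_t src[4] = {0x1ff, 2, 3, 0x104};   /* constructed sample tile */
    int32_t dest[8] = {0};
    return copy_rows_checked(dest, 4, 2, src, 2, 2);
}
```
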

GoogleCodeExporter commented 8 years ago

Original comment by m.darb...@gmail.com on 27 May 2015 at 9:34

GoogleCodeExporter commented 8 years ago
This issue was updated by revision r3003.

Original comment by m.darb...@gmail.com on 27 May 2015 at 11:05

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r3004.

Original comment by m.darb...@gmail.com on 27 May 2015 at 11:05