NR-ENC-random-issue-0005.tif-12-encode #259

Closed
gcode-importer opened this issue Feb 24, 2014 · 9 comments

Comments

@gcode-importer

Originally reported on Google Code with ID 259

According to dashboard the following test is failing: NR-ENC-random-issue-0005.tif-12-encode

When inspecting with valgrind we can see:

==24977== Invalid write of size 1
==24977==    at 0x4E56446: opj_mqc_byteout (mqc.c:208)
==24977==    by 0x4E56582: opj_mqc_renorme (mqc.c:235)
==24977==    by 0x4E5671E: opj_mqc_codelps (mqc.c:263)
==24977==    by 0x4E56B6D: opj_mqc_encode (mqc.c:394)
==24977==    by 0x4E5EEA8: opj_t1_enc_refpass_step (t1.c:621)
==24977==    by 0x4E5F22B: opj_t1_enc_refpass (t1.c:708)
==24977==    by 0x4E61D40: opj_t1_encode_cblk (t1.c:1597)
==24977==    by 0x4E61AB6: opj_t1_encode_cblks (t1.c:1523)
==24977==    by 0x4E6A5E8: opj_tcd_t1_encode (tcd.c:1945)
==24977==    by 0x4E690AD: opj_tcd_encode_tile (tcd.c:1150)
==24977==    by 0x4E42198: opj_j2k_write_sod (j2k.c:4185)
==24977==    by 0x4E5029F: opj_j2k_write_first_tile_part (j2k.c:9790)
==24977==  Address 0x678e5b0 is 0 bytes after a block of size 8,192 alloc'd
==24977==    at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==24977==    by 0x4E68BAF: opj_tcd_code_block_enc_allocate (tcd.c:1004)
==24977==    by 0x4E677E4: opj_tcd_init_encode_tile (in /home/mathieu/Projects/IntoPIX/openjpeg.svn/trunk/bin/bin/libopenjp2.so.2.0.0)
==24977==    by 0x4E4F8E2: opj_j2k_pre_write_tile (j2k.c:9494)
==24977==    by 0x4E4F4A1: opj_j2k_encode (j2k.c:9389)
==24977==    by 0x4E57F1C: opj_encode (openjpeg.c:853)
==24977==    by 0x406CC0: main (opj_compress.c:1696)

Reported by malaterre on 2014-02-24 13:21:45

@gcode-importer
Author

What really looks suspicious is commit r2266

in particular line 1004 was changed from:

p_code_block->data = (OPJ_BYTE*) opj_malloc(8192+1);

into

p_code_block->data = (OPJ_BYTE*) opj_malloc(OPJ_J2K_DEFAULT_CBLK_DATA_SIZE); //why +1 ?

I believe the +/-1 is for the DWT internal implementation and as such should not be changed, otherwise bad things (tm) will happen.

Reported by malaterre on 2014-02-24 13:23:11
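
The valgrind trace above shows opj_mqc_byteout writing exactly one byte past the end of a fixed 8,192-byte allocation, which is what happens when the writer trusts a constant buffer size instead of checking it. The following is an added example, not OpenJPEG's own code: a hypothetical bounds-checked byte writer (names cblk_buf, cblk_byteout, cblk_emit and demo_overflow_caught are assumptions) that records the allocated capacity next to the buffer and refuses the write that would overflow, so the condition becomes a detectable error rather than silent heap corruption. The 8192 capacity mirrors the block size in the report.

```c
/* Added example, not OpenJPEG code. Demonstrates a bounds-checked byte
 * writer for a fixed-size code-block buffer; all names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define CBLK_DATA_SIZE 8192  /* mirrors the 8,192-byte block in the report */

typedef struct {
    uint8_t *data;     /* heap buffer for coded bytes */
    size_t   capacity; /* bytes actually allocated */
    size_t   len;      /* bytes written so far */
    int      overflow; /* set once a write had to be refused */
} cblk_buf;

/* Allocate a buffer and record its capacity alongside it. */
static int cblk_buf_init(cblk_buf *b, size_t capacity) {
    b->data = (uint8_t *)malloc(capacity);
    if (!b->data) return 0;
    b->capacity = capacity;
    b->len = 0;
    b->overflow = 0;
    return 1;
}

/* Append one byte. Returns 1 on success, 0 when the buffer is full.
 * An unchecked writer would store the byte past the allocation here,
 * which is the "0 bytes after a block of size 8,192" valgrind reported. */
static int cblk_byteout(cblk_buf *b, uint8_t byte) {
    if (b->len >= b->capacity) {
        b->overflow = 1;
        return 0;
    }
    b->data[b->len++] = byte;
    return 1;
}

/* Feed n constructed bytes through the writer; returns how many it accepted. */
static size_t cblk_emit(cblk_buf *b, size_t n) {
    size_t i;
    for (i = 0; i < n; i++) {
        if (!cblk_byteout(b, (uint8_t)(i & 0xff))) break;
    }
    return i;
}

static void cblk_buf_free(cblk_buf *b) {
    free(b->data);
    b->data = NULL;
}

/* Scenario from the report: the encoder tries to emit more bytes than the
 * fixed allocation holds. Returns 1 if the overflow was caught (buffer is
 * exactly full and the extra write was refused), 0 if everything fit,
 * -1 on allocation failure. */
int demo_overflow_caught(size_t capacity, size_t to_write) {
    cblk_buf b;
    int caught;
    if (!cblk_buf_init(&b, capacity)) return -1;
    cblk_emit(&b, to_write);
    caught = (b.overflow && b.len == capacity) ? 1 : 0;
    cblk_buf_free(&b);
    return caught;
}

int main(void) {
    /* 8193 bytes into an 8192-byte buffer: the last write is refused. */
    return demo_overflow_caught(CBLK_DATA_SIZE, CBLK_DATA_SIZE + 1) == 1 ? 0 : 1;
}
```

The point of carrying the capacity in the structure is that the check does not depend on whether the allocation was `8192+1`, `OPJ_J2K_DEFAULT_CBLK_DATA_SIZE`, or twice that: whatever size was chosen, the writer cannot exceed it, and the caller learns about the shortfall instead of the heap allocator doing so later with "double free or corruption".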

@gcode-importer
Author

Until we get some more quota for attaching files, the local patch to fix the symptoms is:

Index: src/lib/openjp2/tcd.c
===================================================================
--- src/lib/openjp2/tcd.c   (révision 2391)
+++ src/lib/openjp2/tcd.c   (copie de travail)
@@ -1001,7 +1001,7 @@
 {
         if (! p_code_block->data) {

-                p_code_block->data = (OPJ_BYTE*) opj_malloc(OPJ_J2K_DEFAULT_CBLK_DATA_SIZE);
//why +1 ?
+                p_code_block->data = (OPJ_BYTE*) opj_malloc(OPJ_J2K_DEFAULT_CBLK_DATA_SIZE*2);
//why +1 ?
                 if(! p_code_block->data) {
                         return OPJ_FALSE;
                 }
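Review bot: doubling the fixed allocation in the `+` line only moves the boundary rather than removing the overflow; the valgrind trace in the first comment shows opj_mqc_byteout writing past the end of the 8,192-byte block, and a code block whose coded output exceeds `OPJ_J2K_DEFAULT_CBLK_DATA_SIZE*2` will overrun in the same way. Prefer sizing the buffer from the code block's actual dimensions, or checking the bound in opj_mqc_byteout before the store, so the condition is rejected instead of corrupting the heap. The stale `//why +1 ?` comment is also kept on the new line although the `+1` it asks about is gone; it should be removed or replaced with a comment explaining the chosen size.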

Reported by malaterre on 2014-02-24 13:34:47

@gcode-importer
Author

As a side effect NR-ENC-tmp-issue-0062.raw-13-encode is now passing.

Reported by malaterre on 2014-02-24 13:36:37

@gcode-importer
Author

Adding some more information. This is really related to issue 5, and a previous fix was applied as seen in r1703.

This used to be known as CVE-2009-5030, see https://bugs.debian.org/672455

Reported by malaterre on 2014-02-24 17:11:39

@gcode-importer
Author

Reported by malaterre on 2014-02-25 14:19:03

  • Labels added: Milestone-Release2.1

@gcode-importer
Author

openjpeg-trunk-r2577, make Experimental:

        Start 303: NR-ENC-random-issue-0005.tif-12-encode
303/591 Test #303: NR-ENC-random-issue-0005.tif-12-encode ...................................................***Exception: SegFault  0.70 sec

random-issue-0005.tif:
======================
bin/opj_compress -i random-issue-0005.tif -o random-issue-0005.tif.j2k

BEFORE:
 opj_end_compress(l_codec, l_stream);

*** glibc detected *** bin/opj_compress: double free or corruption (!prev): 0x0000000000981e50 ***
Segmentation fault

winfried

Reported by szukw000 on 2014-03-07 06:45:17

@gcode-importer
Author

openjpeg-trunk-r2577, make Experimental:

        Start 308: NR-ENC-tmp-issue-0062.raw-13-encode

*** glibc detected *** /sources/LIB/OPENJPEG/TRUNK/openjpeg-trunk-r2577-1/BUILD/bin/opj_compress:
double free or corruption (!prev): 0x00000000011dce40 ***
*** glibc detected *** /sources/LIB/OPENJPEG/TRUNK/openjpeg-trunk-r2577-1/BUILD/bin/opj_compress:
free(): invalid next size (normal): 0x000000000115f820 ***

winfried

Reported by szukw000 on 2014-03-07 06:53:11


- _Attachment: [MAKE_EXPERIMENTAL_BUG.txt.gz](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-259/comment-7/MAKE_EXPERIMENTAL_BUG.txt.gz)_

@gcode-importer
Author

From the symptoms, it looks like a dup of 135. Closing.

Reported by malaterre on 2014-03-07 14:59:13

@gcode-importer
Author

Issue 5 has been merged into this issue.

Reported by malaterre on 2014-03-07 15:11:26
