openjpeg crash error

[gcode-importer]

Originally reported on Google Code with ID 330

When decompressing the jp2 attached image, the openjpeg will crash in opj_j2k_read_sot
function:

if (l_tcp->m_nb_tile_parts) { // l_tcp->m_nb_tile_parts is invalid is null
…
}

I found that l_tcp points to one element of l_cp->tcps, 
    l_tcp = &l_cp->tcps[p_j2k->m_current_tile_number];
but the index is a large number(value 0x00007801).

so, I check the p_j2k->m_current_tile_number validity when getting 
p_j2k->m_current_tile_number like this:

    opj_read_bytes(p_header_data,&(p_j2k->m_current_tile_number),2);            
    p_header_data+=2;

    if (p_j2k->m_current_tile_number > (l_cp->tw * l_cp->th))
    {
        return OPJ_FALSE;
    }

But, then, openjpeg returns null, is there any problem??

Reported by xiaochuan.liu19880512 on 2014-04-03 08:32:47

---

- _Attachment: [Robert4_12_SIGSEGV.PC.0x4a469a.CODE.1.ADDR.0x48.INSTR.mov_ecx,_[rax+0x48]_10.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-330/comment-0/Robert4_12_SIGSEGV.PC.0x4a469a.CODE.1.ADDR.0x48.INSTR.mov_ecx,_[rax+0x48]_10.jp2)_

[gcode-importer]

I use openjpeg-2.x-trunk-r2833.

kdu_expand -i issue330-Robert4_12_SIGSEGV.PC.0x4a469a.CODE.1.ADDR.0x48.INSTR.mov_ecx,_[rax+0x48]_10.jp2
-o issue330-Robert4.bmp

Kakadu Core Error:
Illegal inclusion tag tree encountered while decoding a packet header.  This
problem can arise if empty packets are used (i.e., packets whose first header
bit is 0) and the value coded by the inclusion tag tree in a subsequent packet
is not exactly equal to the index of the quality layer in which each code-block
makes its first contribution.  Such an error may arise from a
mis-interpretation of the standard.  The problem may also occur as a result of
a corrupted code-stream.  Try re-opening the image with the resilient mode
enabled.

opj_decompress -i issue330-Robert4_12_SIGSEGV.PC.0x4a469a.CODE.1.ADDR.0x48.INSTR.mov_ecx\,_\[rax+0x48\]_10.jp2
-o issue330-Robert4.png

[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 0 / 5 has been read.
[INFO] Tile 1/6 has been decoded.
[INFO] Image data has been updated with tile 1.

[ERROR] Invalid tile number 30721
[ERROR] Fail to read the current marker segment (0xff90)
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!


winfried

Reported by szukw000 on 2014-04-03 17:01:14

[gcode-importer]

This would need to be fixed ASAP.

Reported by malaterre on 2014-04-28 07:50:56

• Labels added: Priority-High, Milestone-Release2.1
• Labels removed: Priority-Medium

[gcode-importer]

regarding kakdu output :
kdu_expand -i ../../data/issue330.jp2 -o 0.bmp -resilient
Kakadu Core Error:
Corrupt SOT marker segment found in codestream: tile-number lies outside the
range of available tiles derived from the SIZ marker segment.

Running under ASan (both x86 & x64), I get (trunk r2944) :
./bin/opj_decompress -i ../../data/issue330.jp2 -o 0.bmp

[INFO] Start to read j2k main header (123).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 6 has been read.
[INFO] Tile 1/6 has been decoded.
[INFO] Image data has been updated with tile 1.

[ERROR] Invalid tile number 30721
[ERROR] Fail to read the current marker segment (0xff90)
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

No crash & no ASan error

Reported by mayeut on 2014-11-22 18:46:15

[gcode-importer]

Provided code-stream is corrupted and opj_decompress returns gracefully (as kakadu 7.4
does). Nothing to be done here.

Reported by detonin on 2015-01-15 16:55:58

• Status changed: WontFix