
Invalid write in opj_j2k_update_image_data #495

Closed
gcode-importer opened this issue May 26, 2015 · 3 comments

Comments

@gcode-importer

Originally reported on Google Code with ID 495

So, there appears to be a regression of sorts in r2991 ("fixed a buffer overflow in
opj_tcd_init_decode_tile"). After that revision, the attached fuzzer-produced file
causes opj_j2k_update_image_data to write to invalid memory at line 8198:

```c
*(l_dest_ptr++) = (OPJ_INT32) ((*(l_src_ptr++))&0xff);
```

The problem is basically that l_img_comp_dest->w is a very large integer, large enough
that it causes l_line_offset_dest to become negative, and so "l_dest_ptr+= l_line_offset_dest"
decrements l_dest_ptr and causes it to point to an invalid address. You can reproduce
this by trying to decode the attached image with opj_decompress (tested on Linux x86-64).
The attached patch appears to catch this particular testcase, but because I don't fully
understand the underlying problem it's possible there are other ways of triggering
the issue or that this could break very large but valid images.

Reported by makosoft on 2015-05-26 20:13:34


- _Attachment: [openjpeg-svn-id000070svn-invalid-write-in-opj_j2k_update_image_data.isra.22.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-495/comment-0/openjpeg-svn-id000070svn-invalid-write-in-opj_j2k_update_image_data.isra.22.jp2)_
- _Attachment: [invalid-write-in-opj_j2k_update_image_data.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-495/comment-0/invalid-write-in-opj_j2k_update_image_data.patch)_
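As an added illustration of the defect class described above (this is not code from the issue, from the attached patch, or from OpenJPEG), the C snippet below shows the kind of validation a decoder needs before computing a line offset from a destination width: the component geometry and the tile region are checked for overflow and containment first, so the "dest width minus tile width" offset is provably non-negative and the destination pointer can never be walked backwards as in the reported crash. The struct and function names (`comp_geom`, `tile_region`, `compute_safe_line_offset`, `copy_tile`) are assumptions chosen for this example, not OpenJPEG identifiers, and the sample tile data is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical destination-component geometry (assumption for this example;
 * the real OpenJPEG image component struct has many more fields). */
typedef struct {
    uint32_t w;   /* full width of the destination component, in samples  */
    uint32_t h;   /* full height of the destination component, in samples */
} comp_geom;

/* Region of the destination component covered by the tile being copied. */
typedef struct {
    uint32_t x0, y0;        /* top-left corner inside the destination */
    uint32_t width, height; /* tile size in samples */
} tile_region;

/* Validate geometry and compute line_offset = dst->w - t->width.
 * Returns 1 on success (offset is guaranteed >= 0), 0 if the geometry is
 * unrepresentable or the tile does not fit inside the component. */
int compute_safe_line_offset(const comp_geom *dst, const tile_region *t,
                             int32_t *line_offset)
{
    /* Reject zero or oversized dimensions so signed arithmetic cannot wrap
     * when the width is later stored in a 32-bit signed offset. */
    if (dst->w == 0 || dst->h == 0 || dst->w > INT32_MAX || dst->h > INT32_MAX)
        return 0;
    if (t->width == 0 || t->height == 0)
        return 0;
    /* Tile must not be wider/taller than the component itself. */
    if (t->width > dst->w || t->height > dst->h)
        return 0;
    /* Containment checks written so the subtraction can't underflow. */
    if (t->x0 > dst->w - t->width)  /* equivalent to x0 + width > w */
        return 0;
    if (t->y0 > dst->h - t->height)
        return 0;
    /* Total sample count must fit the buffer size type used by the caller. */
    if ((uint64_t)dst->w * (uint64_t)dst->h > (uint64_t)INT32_MAX)
        return 0;
    *line_offset = (int32_t)(dst->w - t->width);  /* non-negative by construction */
    return 1;
}

/* Copy an 8-bit tile into a 32-bit destination component buffer of
 * dst->w * dst->h samples. Returns 1 if copied, 0 if the geometry was rejected. */
int copy_tile(const comp_geom *dst, const tile_region *t,
              const uint8_t *src, int32_t *dest)
{
    int32_t line_offset;
    if (!compute_safe_line_offset(dst, t, &line_offset))
        return 0;

    int32_t *p = dest + (size_t)t->y0 * dst->w + t->x0;
    for (uint32_t y = 0; y < t->height; ++y) {
        for (uint32_t x = 0; x < t->width; ++x)
            *(p++) = (int32_t)((*(src++)) & 0xff);
        p += line_offset;  /* always moves forward to the next row */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: 8x4 component, 3x2 tile placed at (2,1). */
    comp_geom g = { 8, 4 };
    tile_region t = { 2, 1, 3, 2 };
    uint8_t src[6] = { 1, 2, 3, 4, 5, 6 };
    int32_t dest[32];
    memset(dest, 0, sizeof dest);

    printf("valid geometry copied: %d\n", copy_tile(&g, &t, src, dest));

    /* Constructed hostile geometry: absurd width like the one in the report. */
    comp_geom huge = { 0xFFFFFFF0u, 4 };
    printf("hostile geometry rejected: %d\n", !copy_tile(&huge, &t, src, dest));
    return 0;
}
```

The point of the example is that the check happens on the unsigned geometry before any signed offset is derived from it; once `compute_safe_line_offset` succeeds, the pointer arithmetic in `copy_tile` is bounded by the buffer's real size rather than trusting values parsed from the file.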
@gcode-importer

Reported by mayeut on 2015-05-27 21:34:32

  • Status changed: Started
  • Labels added: Priority-Critical
  • Labels removed: Priority-Medium

@gcode-importer

This issue was updated by revision r3003.

Reported by mayeut on 2015-05-27 23:05:05

@gcode-importer

This issue was closed by revision r3004.

Reported by mayeut on 2015-05-27 23:05:25

  • Status changed: Fixed
