global-buffer-overflow src/lib/openjp2/t1.c:1146 opj_t1_getwmsedec #436
Closed
Description
Originally reported on Google Code with ID 436
Trying to add data from issue 416 to the test suite, I ran into this. The bug was already present;
it's not a regression from issue 416.
Compression uses MCT, but with >3 components, t1 tries to read the MCT norm for channels
after the first 3.
For 4-channel data with the reversible transform, the norm read is that of the 1st component of the
irreversible transform (probably depending on the compiler). This nevertheless generates
the following ASan error.
bin/opj_compress -i ../../data/input/nonregression/basn6a08.png -o 0.jp2 -n 5
[INFO] tile number 1 / 1
=================================================================
==31115==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010c293598 at pc 0x00010c26e58c bp 0x7fff548f1680 sp 0x7fff548f1678
READ of size 8 at 0x00010c293598 thread T0
#0 0x10c26e58b in opj_t1_getwmsedec /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/t1.c:1146:3
#1 0x10c26ce87 in opj_t1_encode_cblk /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/t1.c:1629:17
#2 0x10c26c519 in opj_t1_encode_cblks /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/t1.c:1542:7
#3 0x10c28396e in opj_tcd_t1_encode /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/tcd.c:1983:15
#4 0x10c282d6e in opj_tcd_encode_tile /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/tcd.c:1176:23
#5 0x10c245f2c in opj_j2k_write_sod /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/j2k.c:4326:15
#6 0x10c2450d1 in opj_j2k_write_first_tile_part /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/j2k.c:10237:15
#7 0x10c23c7e7 in opj_j2k_post_write_tile /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/j2k.c:10077:15
#8 0x10c23b6cd in opj_j2k_encode /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/j2k.c:9837:23
#9 0x10b30a73d in main /Users/Matt/Dev/OpenJpeg/issue/src/bin/jp2/opj_compress.c:1801:36
#10 0x7fff8f0735c8 in start (/usr/lib/system/libdyld.dylib+0x35c8)
#11 0x6 (<unknown module>)
0x00010c293598 is located 40 bytes to the left of global variable 'opj_mct_norms_real' defined in '/Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/mct.c:54:26' (0x10c2935c0) of size 24
0x00010c293598 is located 0 bytes to the right of global variable 'opj_mct_norms' defined in '/Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/mct.c:49:26' (0x10c293580) of size 24
SUMMARY: AddressSanitizer: global-buffer-overflow /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/t1.c:1146 opj_t1_getwmsedec
==31115==ABORTING
Reported by mayeut on 2014-11-18 21:28:26
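Added example, not code from the OpenJPEG project: a model of the norm lookup the report describes, with the unbounded index beside a bounded version. The 3-entry norm table and its values are assumed stand-ins for the library's tables, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a 3-entry MCT norm table: like the library's
 * tables it only covers the three components the multi-component transform
 * operates on. Values are assumed, chosen to resemble the reversible table. */
#define MCT_NUMCOMPS 3
static const double mct_norms[MCT_NUMCOMPS] = { 1.732, 0.8292, 0.8292 };

/* Vulnerable shape: the component index is used without any bound, so for a
 * 4-component image compno == 3 reads one double past the table. That read
 * lands in the global redzone, which is what ASan flagged above. Shown only
 * for comparison; never call it with compno >= the table length. */
double norm_unchecked(const double *norms, unsigned compno)
{
    double w1 = 1.0;
    if (norms) {
        w1 = norms[compno];   /* no check against the table length */
    }
    return w1;
}

/* Hardened shape: the table length travels with the table, and components
 * the MCT does not cover keep the neutral weight 1.0. */
double norm_checked(const double *norms, size_t norms_len, unsigned compno)
{
    double w1 = 1.0;
    if (norms && compno < norms_len) {
        w1 = norms[compno];
    }
    return w1;
}

int main(void)
{
    /* 4-component input, as with the RGBA PNG from the report */
    unsigned numcomps = 4;
    for (unsigned c = 0; c < numcomps; c++) {
        printf("component %u: norm %.4f\n", c,
               norm_checked(mct_norms, MCT_NUMCOMPS, c));
    }
    return 0;
}
```

With the bounded lookup the fourth component gets weight 1.0 instead of whatever happens to sit past the table in the binary's data layout.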