Buffer overflow when compressing some 16 bits images of the test suite #539
I think the allocation of code blocks is off by 1:

```c
/**
 * Allocates data memory for an encoding code block.
 */
static OPJ_BOOL opj_tcd_code_block_enc_allocate_data (opj_tcd_cblk_enc_t * p_code_block)
{
    OPJ_UINT32 l_data_size;

    l_data_size = (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));

    if (l_data_size > p_code_block->data_size) {
        if (p_code_block->data) {
            opj_free(p_code_block->data - 1); /* again, why -1 */
        }
        p_code_block->data = (OPJ_BYTE*) opj_malloc(l_data_size); /* HERE MISSING ONE */
        if(! p_code_block->data) {
            p_code_block->data_size = 0U;
            return OPJ_FALSE;
        }
        p_code_block->data_size = l_data_size;
        p_code_block->data[0] = 0;
        p_code_block->data+=1; /*why +1 ?*/
    }
    return OPJ_TRUE;
}
```

shall probably be

```c
/**
 * Allocates data memory for an encoding code block.
 */
static OPJ_BOOL opj_tcd_code_block_enc_allocate_data (opj_tcd_cblk_enc_t * p_code_block)
{
    OPJ_UINT32 l_data_size;

    l_data_size = (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));

    if (l_data_size > p_code_block->data_size) {
        if (p_code_block->data) {
            opj_free(p_code_block->data - 1); /* again, why -1 */
        }
        p_code_block->data = (OPJ_BYTE*) opj_malloc(l_data_size+1); /* HERE */
        if(! p_code_block->data) {
            p_code_block->data_size = 0U;
            return OPJ_FALSE;
        }
        p_code_block->data_size = l_data_size;
        p_code_block->data[0] = 0;
        p_code_block->data+=1; /*why +1 ?*/
    }
    return OPJ_TRUE;
}
```

Or maybe the initial +1 to data can be removed.
The initial +1 probably can't be removed as mqc is using data - 1 on init.
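To make the off-by-one concrete, here is a small added model of the allocation pattern discussed above (example code written for this page, not OpenJPEG's own; the `cblk_t` struct and the `cblk_*` functions are hypothetical stand-ins). The buffer gets a one-byte prefix so the coder can read `data - 1`, and `data` is advanced past it; allocating exactly `data_size` bytes therefore leaves only `data_size - 1` usable bytes, while allocating `data_size + 1` fits both the prefix and the payload.

```c
#include <stdlib.h>

/* Constructed stand-in for opj_tcd_cblk_enc_t: a code block covering
 * [x0,x1) x [y0,y1). Not the real OpenJPEG struct. */
typedef struct {
    int x0, y0, x1, y1;
    unsigned char *data;    /* points ONE byte past the allocation start */
    size_t data_size;       /* bytes the encoder believes it may write */
    size_t alloc_size;      /* bytes actually obtained from malloc */
} cblk_t;

/* Same size computation as the posted routine: width * height * 4. */
static size_t cblk_data_bytes(const cblk_t *c)
{
    return (size_t)(c->x1 - c->x0) * (size_t)(c->y1 - c->y0) * sizeof(unsigned int);
}

/* Mirrors the allocate routine. fixed == 0 reproduces the original
 * (malloc l_data_size, then data += 1); fixed != 0 mallocs one extra
 * byte so the prefix byte read via data - 1 and the data_size payload
 * bytes both fit. Returns 0 on allocation failure, 1 on success. */
static int cblk_allocate(cblk_t *c, int fixed)
{
    size_t need = cblk_data_bytes(c);
    unsigned char *base;
    if (need == 0) return 0;
    c->alloc_size = fixed ? need + 1 : need;
    base = malloc(c->alloc_size);
    if (!base) { c->data_size = 0; return 0; }
    base[0] = 0;            /* the byte the MQ coder touches as data[-1] */
    c->data = base + 1;
    c->data_size = need;
    return 1;
}

/* Payload bytes that really fit after the 1-byte prefix. */
static size_t cblk_usable(const cblk_t *c) { return c->alloc_size - 1; }

/* 1 if writing data_size bytes through c->data runs past the allocation:
 * this is the one-byte heap overflow reported for the 16-bit images. */
static int cblk_would_overflow(const cblk_t *c) { return c->data_size > cblk_usable(c); }

/* Free via the real allocation start, as opj_free(data - 1) does. */
static void cblk_release(cblk_t *c) { free(c->data - 1); c->data = NULL; }
```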
mayeut added a commit to mayeut/openjpeg that referenced this issue, Jul 21, 2015
@detonin, I prevented the overflow for this specific case.

Closing. mayeut@9ac3a15 is reasonable
Following merge of PR #538 (new tests have been added, it's not caused by code addition), we can see that compressing some 16-bit images creates a buffer overflow.
http://my.cdash.org/viewDynamicAnalysisFile.php?id=3153754 :