authorCarl Hetherington <cth@carlh.net>2019-11-04 12:04:30 +0100
committerCarl Hetherington <cth@carlh.net>2019-11-04 12:04:30 +0100
commit25d968fdcf1abada4bd7bbcb8c72eeebda73b134 (patch)
tree7506338b248d10f751103ba0148e0d57d0534c2d
parent16013e6658cdba6f5682b6e57402094d142b5f84 (diff)
Fix out-of-bounds read when cropping JPEG2000 images (#1654).
-rw-r--r--src/lib/j2k_image_proxy.cc8
-rw-r--r--test/image_test.cc7
2 files changed, 11 insertions, 4 deletions
diff --git a/src/lib/j2k_image_proxy.cc b/src/lib/j2k_image_proxy.cc
index 9893d65a6..d4c7a8716 100644
--- a/src/lib/j2k_image_proxy.cc
+++ b/src/lib/j2k_image_proxy.cc
@@ -138,7 +138,13 @@ J2KImageProxy::prepare (optional<dcp::Size> target_size) const
shared_ptr<dcp::OpenJPEGImage> decompressed = dcp::decompress_j2k (const_cast<uint8_t*> (_data.data().get()), _data.size (), reduce);
- _image.reset (new Image (_pixel_format, decompressed->size(), true));
+ /* When scaling JPEG2000 images (using AV_PIX_FMT_XYZ12LE) ffmpeg will call xyz12ToRgb48 which reads data
+ from the whole of the image stride. If we are cropping, Image::crop_scale_window munges the
+ start addresses of each image row (to do the crop) but keeps the stride the same. This means
+ that under crop we will read over the end of the image by the amount of the crop. To allow this
+ to happen without invalid memory access we need to overallocate by one whole stride's worth of pixels.
+ */
+ _image.reset (new Image (_pixel_format, decompressed->size(), true, decompressed->size().width));
int const shift = 16 - decompressed->precision (0);
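Review bot: The overallocation on the new `_image.reset` line is a contract placed on the caller rather than enforced where the over-read occurs: the stride passed to ffmpeg is still the full image stride, so any other Image built with AV_PIX_FMT_XYZ12LE and handed to crop_scale_window without the fourth argument keeps reading past its buffer. Consider letting crop_scale_window (or the Image constructor, for this pixel format) account for the padding itself, or at least documenting on that fourth parameter that XYZ12LE sources must be overallocated by one row's width so the requirement is discoverable from the Image API. The added comment could also state that the padding is never written, so whatever xyz12ToRgb48 reads from it is indeterminate and must not reach the visible output — worth a sentence such as `The extra region is never initialised; it only exists so the converter's over-read stays inside allocated memory.` Note the padding is sized by the image width, which is only sufficient if the crop never exceeds one row's width; the enclosing prepare() continues outside the hunk, so I cannot see whether that is guaranteed.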
diff --git a/test/image_test.cc b/test/image_test.cc
index 1332f1c52..8378207cf 100644
--- a/test/image_test.cc
+++ b/test/image_test.cc
@@ -267,12 +267,13 @@ BOOST_AUTO_TEST_CASE (crop_scale_window_test)
check_image("test/data/crop_scale_window_test.png", "build/test/crop_scale_window_test.png");
}
-/** Special case of Image::crop_scale_window which triggered some valgrind warnings */
+/** Special cases of Image::crop_scale_window which triggered some valgrind warnings */
BOOST_AUTO_TEST_CASE (crop_scale_window_test2)
{
- shared_ptr<Image> image (new Image(AV_PIX_FMT_XYZ12LE, dcp::Size(2048, 858), true));
+ /* This 2048 does the same as J2KImageProxy does when it makes an image */
+ shared_ptr<Image> image (new Image(AV_PIX_FMT_XYZ12LE, dcp::Size(2048, 858), true, 2048));
image->crop_scale_window (Crop(279, 0, 0, 0), dcp::Size(1069, 448), dcp::Size(1069, 578), dcp::YUV_TO_RGB_REC709, VIDEO_RANGE_FULL, AV_PIX_FMT_RGB24, false, false);
-
+ image->crop_scale_window (Crop(2048, 0, 0, 0), dcp::Size(1069, 448), dcp::Size(1069, 578), dcp::YUV_TO_RGB_REC709, VIDEO_RANGE_FULL, AV_PIX_FMT_RGB24, false, false);
}
BOOST_AUTO_TEST_CASE (as_png_test)
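Review bot: The second crop_scale_window call crops the whole 2048-pixel width, which leaves a zero-width source window, and neither call asserts anything about the result, so this only catches the out-of-bounds read when the test runs under valgrind; a one-line comment saying so, e.g. `/* Crop the full width; only meaningful under valgrind, which flagged the over-read this guards against */`, would stop a future reader from treating it as a functional check. As a point of style the literal 2048 is now repeated three times; deriving it once keeps the test tied to the J2KImageProxy behaviour it is meant to mirror: `dcp::Size const size (2048, 858);` and `shared_ptr<Image> image (new Image(AV_PIX_FMT_XYZ12LE, size, true, size.width));`, with the second Crop using `size.width`. The `as_png_test` case that begins on the last context line continues outside the hunk.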