| field | value | date |
|---|---|---|
| author | Carl Hetherington <cth@carlh.net> | 2019-11-04 12:04:30 +0100 |
| committer | Carl Hetherington <cth@carlh.net> | 2019-11-04 12:04:30 +0100 |
| commit | 25d968fdcf1abada4bd7bbcb8c72eeebda73b134 (patch) | |
| tree | 7506338b248d10f751103ba0148e0d57d0534c2d /src/lib | |
| parent | 16013e6658cdba6f5682b6e57402094d142b5f84 (diff) | |
Fix out-of-bounds read when cropping JPEG2000 images (#1654).
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/j2k_image_proxy.cc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/j2k_image_proxy.cc b/src/lib/j2k_image_proxy.cc index 9893d65a6..d4c7a8716 100644 --- a/src/lib/j2k_image_proxy.cc +++ b/src/lib/j2k_image_proxy.cc @@ -138,7 +138,13 @@ J2KImageProxy::prepare (optional<dcp::Size> target_size) const shared_ptr<dcp::OpenJPEGImage> decompressed = dcp::decompress_j2k (const_cast<uint8_t*> (_data.data().get()), _data.size (), reduce); - _image.reset (new Image (_pixel_format, decompressed->size(), true)); + /* When scaling JPEG2000 images (using AV_PIX_FMT_XYZ12LE) ffmpeg will call xyz12ToRgb48 which reads data + from the whole of the image stride. If we are cropping, Image::crop_scale_window munges the + start addresses of each image row (to do the crop) but keeps the stride the same. This means + that under crop we will read over the end of the image by the amount of the crop. To allow this + to happen without invalid memory access we need to overallocate by one whole stride's worth of pixels. + */ + _image.reset (new Image (_pixel_format, decompressed->size(), true, decompressed->size().width)); int const shift = 16 - decompressed->precision (0); |
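Review bot: the padding added at the `_image.reset` line is one full row width of pixels, while the comment directly above it says the overread is "by the amount of the crop"; the two only agree because a left crop is necessarily smaller than the row width, and that bound is neither stated nor checked here. Suggest spelling it out next to the new argument (the meaning of the fourth `Image` constructor parameter is not visible in this hunk, so a short comment such as `/* extra pixels so a full-stride read of the last cropped row stays in bounds */` would help) or asserting it in Image::crop_scale_window where the row start addresses are shifted, so the padding cannot silently become too small if the crop limits ever change. Also, the extra region is allocated but never written, so xyz12ToRgb48 now reads uninitialised bytes instead of bytes past the buffer; those values land in pixels the crop discards, so the output is unaffected, but memory checkers may still flag the read unless the padding is zeroed.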
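As an added illustration, not code from DCP-o-matic or libdcp, the following C++ models the layout problem the commit comment describes: rows stored with a fixed stride, a left crop implemented by shifting each row's start address while the stride stays the same, and a consumer that reads a whole stride per row. It computes how far such a consumer runs past the allocation and shows that padding the allocation by one row width of pixels covers every legal left crop. The `Plane`, `CropView`, `overrun_bytes` names, the 6-byte pixel (three 16-bit channels) and the 32-byte row alignment are assumptions made for this example; they are not the project's `Image` class or its constructor.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical model of an image plane: pixels of `bpp` bytes, rows padded
// out to `stride` bytes, optionally followed by extra pixels of padding.
struct Plane {
    size_t width;   // pixels per row
    size_t height;  // rows
    size_t stride;  // bytes per row including alignment padding
    size_t bpp;     // bytes per pixel (6 here: three 16-bit channels)
    std::vector<uint8_t> buf;
};

// Round a row up to a 32-byte boundary, as an "aligned" allocation would.
static size_t aligned_stride(size_t width, size_t bpp) {
    size_t const raw = width * bpp;
    return (raw + 31) & ~static_cast<size_t>(31);
}

// Allocate a plane with `extra_pixels` pixels of padding after the last row.
Plane make_plane(size_t width, size_t height, size_t bpp, size_t extra_pixels) {
    Plane p{width, height, aligned_stride(width, bpp), bpp, {}};
    p.buf.assign(p.stride * height + extra_pixels * bpp, 0);
    return p;
}

// A left crop done the way the commit describes: the first byte of each row
// moves right by `crop` pixels, but the stride handed to the consumer is unchanged.
struct CropView {
    size_t first_byte;  // offset of the cropped image's first byte within buf
    size_t width;       // cropped width in pixels
    size_t height;
    size_t stride;      // still the full, uncropped stride
};

CropView crop_left(Plane const& p, size_t crop) {
    assert(crop < p.width);  // a crop of the whole row leaves nothing to show
    return CropView{crop * p.bpp, p.width - crop, p.height, p.stride};
}

// One past the highest byte offset a consumer touches when it reads a whole
// stride for each of the cropped rows (as the commit says xyz12ToRgb48 does).
size_t bytes_touched(CropView const& v) {
    return v.first_byte + v.height * v.stride;
}

// Bytes such a consumer reads beyond the end of the allocation; 0 means in bounds.
size_t overrun_bytes(Plane const& p, CropView const& v) {
    size_t const touched = bytes_touched(v);
    return touched > p.buf.size() ? touched - p.buf.size() : 0;
}

// Worst case over every legal left crop. Without padding this is
// (width - 1) * bpp; with one row width of padding pixels it is always 0.
size_t worst_case_overrun(Plane const& p) {
    size_t worst = 0;
    for (size_t c = 0; c < p.width; ++c) {
        size_t const o = overrun_bytes(p, crop_left(p, c));
        if (o > worst) worst = o;
    }
    return worst;
}

int main() {
    // Constructed inputs: a tiny plane and a 1080p-sized one.
    Plane const small = make_plane(4, 2, 6, 0);
    Plane const padded = make_plane(4, 2, 6, 4);
    Plane const hd = make_plane(1920, 1080, 6, 0);
    Plane const hd_padded = make_plane(1920, 1080, 6, 1920);
    std::printf("4x2, crop 1, no padding: overrun %zu bytes\n",
                overrun_bytes(small, crop_left(small, 1)));
    std::printf("4x2, worst crop, no padding: %zu bytes; with padding: %zu bytes\n",
                worst_case_overrun(small), worst_case_overrun(padded));
    std::printf("1920x1080, worst crop, no padding: %zu bytes; with padding: %zu bytes\n",
                worst_case_overrun(hd), worst_case_overrun(hd_padded));
    return 0;
}
```

The overrun is exactly `crop * bpp` bytes, independent of the image height, because only the final row's full-stride read extends past the allocation; every earlier row's overread lands in the next row. That is why the padding has to scale with the crop (bounded by the row width) rather than with the row count, and why the uninitialised padding bytes never reach the output: they correspond to pixels beyond the cropped width.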
