From 25d968fdcf1abada4bd7bbcb8c72eeebda73b134 Mon Sep 17 00:00:00 2001
From: Carl Hetherington <cth@carlh.net>
Date: Mon, 4 Nov 2019 12:04:30 +0100
Subject: Fix out-of-bounds read when cropping JPEG2000 images (#1654).

---
 src/lib/j2k_image_proxy.cc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'src/lib')

diff --git a/src/lib/j2k_image_proxy.cc b/src/lib/j2k_image_proxy.cc
index 9893d65a6..d4c7a8716 100644
--- a/src/lib/j2k_image_proxy.cc
+++ b/src/lib/j2k_image_proxy.cc
@@ -138,7 +138,13 @@ J2KImageProxy::prepare (optional<dcp::Size> target_size) const
 
 	shared_ptr<dcp::OpenJPEGImage> decompressed = dcp::decompress_j2k (const_cast<uint8_t*> (_data.data().get()), _data.size (), reduce);
 
-	_image.reset (new Image (_pixel_format, decompressed->size(), true));
+	/* When scaling JPEG2000 images (using AV_PIX_FMT_XYZ12LE) ffmpeg will call xyz12ToRgb48 which reads data
+	   from the whole of the image stride.  If we are cropping, Image::crop_scale_window munges the
+	   start addresses of each image row (to do the crop) but keeps the stride the same.  This means
+	   that under crop we will read over the end of the image by the amount of the crop.  To allow this
+	   to happen without invalid memory access we need to overallocate by one whole stride's worth of pixels.
+	*/
+	_image.reset (new Image (_pixel_format, decompressed->size(), true, decompressed->size().width));
 
 	int const shift = 16 - decompressed->precision (0);
 
-- 
cgit v1.2.3