Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap buffer overflow in opj_t1_clbl_decode_processor() triggered with Ghostscript #1158

Closed
fumfel opened this issue Oct 19, 2018 · 7 comments · Fixed by #1164
Closed

Heap buffer overflow in opj_t1_clbl_decode_processor() triggered with Ghostscript #1158

fumfel opened this issue Oct 19, 2018 · 7 comments · Fixed by #1164

Comments

@fumfel
Copy link

fumfel commented Oct 19, 2018

Version: 2.3.0

Command to reproduce (Ghostscript): gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_hbo_opj_t1_clbl_decode_processor -c quit

Crashing test case (please unpack): gs_hbo_opj_t1_clbl_decode_processor.zip

ASAN log:

==5834==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f56033c0440 at pc 0x55beea74fe6c bp 0x7ffd95c8bfa0 sp 0x7ffd95c8bf90
WRITE of size 4 at 0x7f56033c0440 thread T0
    #0 0x55beea74fe6b in opj_t1_clbl_decode_processor openjpeg/src/lib/openjp2/t1.c:1782
    #1 0x55beea7a6205 in opj_thread_pool_submit_job openjpeg/src/lib/openjp2/thread.c:833
    #2 0x55beea753023 in opj_t1_decode_cblks openjpeg/src/lib/openjp2/t1.c:1901
    #3 0x55beea7912e6 in opj_tcd_t1_decode openjpeg/src/lib/openjp2/tcd.c:1963
    #4 0x55beea7912e6 in opj_tcd_decode_tile openjpeg/src/lib/openjp2/tcd.c:1617
    #5 0x55beea68c150 in opj_j2k_decode_tile openjpeg/src/lib/openjp2/j2k.c:8935
    #6 0x55beea68c150 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:10722
    #7 0x55beea643c8f in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:8096
    #8 0x55beea699500 in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:11017
    #9 0x55beea6b4a44 in opj_jp2_decode openjpeg/src/lib/openjp2/jp2.c:1604
    #10 0x55beea5e9a45 in decode_image base/sjpx_openjpeg.c:407
    #11 0x55beea5e9a45 in s_opjd_process base/sjpx_openjpeg.c:734
    #12 0x55beea9d3b79 in sreadbuf base/stream.c:823
    #13 0x55beea9e4a98 in s_process_read_buf base/stream.c:749
    #14 0x55beec45367a in image_file_continue psi/zimage.c:533
    #15 0x55beec2751b8 in interp psi/interp.c:1256
    #16 0x55beec2751b8 in gs_call_interp psi/interp.c:516
    #17 0x55beec284c0d in gs_interpret psi/interp.c:473
    #18 0x55beec221e2f in gs_main_interpret psi/imain.c:235
    #19 0x55beec221e2f in gs_main_run_string_end psi/imain.c:658
    #20 0x55beec221e2f in gs_main_run_string_with_length psi/imain.c:610
    #21 0x55beec221e2f in gs_main_run_string psi/imain.c:591
    #22 0x55beec22f0e8 in run_string psi/imainarg.c:1034
    #23 0x55beec22f0e8 in runarg psi/imainarg.c:1024
    #24 0x55beec23898b in argproc psi/imainarg.c:957
    #25 0x55beec23898b in gs_main_init_with_args psi/imainarg.c:233
    #26 0x55bee9a9e249 in main psi/gs.c:95
    #27 0x7f561eaebb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #28 0x55bee9ab3289 in _start (XYZ/gs_asan/bin/gs+0x36a289)

0x7f56033c0441 is located 0 bytes to the right of 261185-byte region [0x7f5603380800,0x7f56033c0441)
allocated by thread T0 here:
    #0 0x7f56203d5b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55beeb7bb9c9 in gs_heap_alloc_bytes base/gsmalloc.c:193

SUMMARY: AddressSanitizer: heap-buffer-overflow openjpeg/src/lib/openjp2/t1.c:1782 in opj_t1_clbl_decode_processor
Shadow bytes around the buggy address:
  0x0feb40670030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb40670040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb40670050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb40670060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb40670070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0feb40670080: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
  0x0feb40670090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb406700a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb406700b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb406700c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feb406700d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5834==ABORTING
@szukw000
Copy link
Contributor

@fumfel ,
I used gs version 9.25 .
winfried
gs.txt.zip

@rouault
Copy link
Collaborator

rouault commented Oct 19, 2018

I've extracted the JP2 content from the .gs file (
gs_hbo_opj_t1_clbl_decode_processor_jp2.jp2.zip )
, and used it with opj_decompress with a -fsanitize=address build of openjpeg v2.3.0 and master, and I don't get any corruption

$ bin/opj_decompress -i  gs_hbo_opj_t1_clbl_decode_processor_jp2.jp2 -o out.tif

[INFO] JP2 IHDR box: compression type indicate that the file is not a conforming JP2 file (48) 
[INFO] Start to read j2k main header (85).
[WARNING] Despite JP2 BPC!=255, precision and/or sgnd values for comp[1] is different than comp[0]:
        [0] prec(8) sgnd(0) [1] prec(8) sgnd(1)
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Psot value of the current tile-part is equal to zero, we assuming it is the last tile-part of the codestream.
[ERROR] Tile part length size inconsistent with stream length
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

@rouault
Copy link
Collaborator

rouault commented Oct 19, 2018

So line t1.c:1782 shouldn't even been executed (I've verified it is not with the above opj_decompress invokation). There must be something specific in the ghostscript invokation/integration

@sebras
Copy link
Contributor

sebras commented Oct 31, 2018

When you extracted the JP2 content, did you extract from offset 73 until EOF? The PDF has been fuzzed so it is lacking the /Length field for the PDF object stream. This means that the stream is considered to continue until EOF (even though the data looks like PDF objects).

While debugging this I noticed that the JP2H box contains two subboxes of types IHDR and 0000. IHDR is parsed correctly but the box of type 0000 causes JP2_STATE_UNKNOWN to be set in jp2_state. As far as I can tell from the spec it indicates that

Other boxes may be defined in other standards and may be ignored by conforming readers.

So perhaps this is correct behaviour?

Next after the JP2H box follows a JP2C box with the length field set to 808464432 bytes. This is larger than the remainder of the file but opj_jp2_read_header_procedure() never checks this. As soon as it sees that the box type is JP2C it is satisfied and exits. I believe that this length field should be checked compared to the size of the remaining data. Is that possible?

The spec does allow for box lengths being 0, implying unknown size. Since the JP2 code stream commonly ends with 0xffd9 I guess this might be used to determine the box size after scanning the code stream, but opj_jp2_read_header_procedure() doesn't seem to handle this. Should it?

I do know why Ghostscript crashes and opj_decompress does not -- opj_decompress implements a hack that Ghostscript lacks. Instead Ghostscript assumes that if openjpeg reports three components, then all three components have data present. This is not the case hence Ghostscript dreferences NULL and crashes.

In the hack opj_decompress checks if there is any data for the first component. Why is this only the first component checked? Shouldn't all components be checked? For this particular JP2 the first two components both lack data, but the third component data is actually present!

In either case I agree with the FIXME comment next to that hack, this simply feels like the wrong solution since every user of openjpeg must now implement the same hack. If the JP2 file states that it has three components and they are not all populated with data after attempting to decode the image then something in openjpeg ought to return an error code to the benefit of all users of openjpeg. I haven't yet determined where this ought to be done, can you help me in finding out what location would be suitable?

@sebras
Copy link
Contributor

sebras commented Oct 31, 2018

I just found that in opj_j2k_read_sod() openjpeg attempts to assume that the last SOT marker extends until EOF (well, at EOF shy of 2 bytes, hoping for EOC or 0xffd9). That seems reasonable to me.

sebras added a commit to sebras/openjpeg that referenced this issue Oct 31, 2018
Previously the multiple component transformation SGcod(C)
and wavelet transformation (SPcod(H) parameter values were
never checked, which allowed for out of range values.

The lack of validation allowed the provided codestream in
issue uclouvain#1158 through, but after this commit there is an error.
sebras added a commit to sebras/openjpeg that referenced this issue Oct 31, 2018
Previously the multiple component transformation SGcod(C)
and wavelet transformation (SPcod(H) parameter values were
never checked, which allowed for out of range values.

The lack of validation allowed the provided codestream in
issue uclouvain#1158 through, but after this commit there is an error.
@sebras
Copy link
Contributor

sebras commented Oct 31, 2018

Let me supply some example-files.zip. The first file 7000088.jp2 contains gs_hbo_opj_t1_clbl_decode_processor from the original report but with the trailing parts still present.

Running openjpeg

opj_decompress -i 700088.jp2 -o test.pgm

including the previous supplied pull request causes it to print:

Error reading SPCod SPCoc element, Invalid transformation found

for this file. This is correct since the transformation value is neither 0x00 nor 0x01 as allowed by the specification, but rather 0x30. However I can manually fuzz the file to change the tranformation parameter to be 0x00, this is exactly what is in 7000088-2.jpg from example-files.zip above. With this file running openjpeg:

opj_decompress -i 700088.jp2 -o test.pgm

still causes out of bounds accesses if the previously mentioned hack is not included. I'm investigating further.

sebras added a commit to sebras/openjpeg that referenced this issue Oct 31, 2018
Previously the multiple component transformation SGcod(C)
and wavelet transformation (SPcod(H) parameter values were
never checked, which allowed for out of range values.

The lack of validation allowed the provided codestream in
issue uclouvain#1158 through, but after this commit there is an error.
sebras added a commit to sebras/openjpeg that referenced this issue Oct 31, 2018
Previously the caller had to check whether each component data had
been decoded. This means duplicating the checking in every user of
openjpeg which is unnecessary. If the caller wantes to decode all
or a set of, or a specific component then openjpeg ought to error
out if it was unable to do so.

Fixes uclouvain#1158.
@sebras
Copy link
Contributor

sebras commented Oct 31, 2018

Ok, so I have done a commit that I'd like for you guys to take a look at. It errors out whenever not all components requested by the caller have been decoded. This means that the hack in opj_decompress is no longer needed (as it will simply be handled by the library and normal error handling in opj_decompress).

I believe this to be an improvement, but perhaps you want to resolve it differently. I'm open to any suggestions and will rework the set of commits if needed. :)

sebras added a commit to sebras/openjpeg that referenced this issue Oct 31, 2018
Previously the caller had to check whether each component data had
been decoded. This means duplicating the checking in every user of
openjpeg which is unnecessary. If the caller wantes to decode all
or a set of, or a specific component then openjpeg ought to error
out if it was unable to do so.

Fixes uclouvain#1158.
sebras added a commit to sebras/openjpeg that referenced this issue Nov 2, 2018
Previously the caller had to check whether each component data had
been decoded. This means duplicating the checking in every user of
openjpeg which is unnecessary. If the caller wantes to decode all
or a set of, or a specific component then openjpeg ought to error
out if it was unable to do so.

Fixes uclouvain#1158.
sebras added a commit to sebras/openjpeg that referenced this issue Nov 2, 2018
Previously the caller had to check whether each component data had
been decoded. This means duplicating the checking in every user of
openjpeg which is unnecessary. If the caller wantes to decode all
or a set of, or a specific component then openjpeg ought to error
out if it was unable to do so.

Fixes uclouvain#1158.
sebras added a commit to sebras/openjpeg that referenced this issue Nov 2, 2018
Previously the caller had to check whether each component data had
been decoded. This means duplicating the checking in every user of
openjpeg which is unnecessary. If the caller wantes to decode all
or a set of, or a specific component then openjpeg ought to error
out if it was unable to do so.

Fixes uclouvain#1158.
sebras added a commit to sebras/openjpeg that referenced this issue Nov 2, 2018
Previously the caller had to check whether each component data had
been decoded. This means duplicating the checking in every user of
openjpeg which is unnecessary. If the caller wantes to decode all
or a set of, or a specific component then openjpeg ought to error
out if it was unable to do so.

Fixes uclouvain#1158.
sebras added a commit to sebras/openjpeg that referenced this issue Nov 2, 2018
Previously the caller had to check whether each component data had
been decoded. This means duplicating the checking in every user of
openjpeg which is unnecessary. If the caller wantes to decode all
or a set of, or a specific component then openjpeg ought to error
out if it was unable to do so.

Fixes uclouvain#1158.
sebras added a commit to sebras/openjpeg that referenced this issue Dec 7, 2018
Previously the caller had to check whether each component data had
been decoded. This means duplicating the checking in every user of
openjpeg which is unnecessary. If the caller wantes to decode all
or a set of, or a specific component then openjpeg ought to error
out if it was unable to do so.

Fixes uclouvain#1158.
sebras added a commit to sebras/openjpeg that referenced this issue Dec 8, 2018
Previously the caller had to check whether each component data had
been decoded. This means duplicating the checking in every user of
openjpeg which is unnecessary. If the caller wantes to decode all
or a set of, or a specific component then openjpeg ought to error
out if it was unable to do so.

Fixes uclouvain#1158.
sebras added a commit to sebras/openjpeg that referenced this issue Dec 8, 2018
Previously the caller had to check whether each component data had
been decoded. This means duplicating the checking in every user of
openjpeg which is unnecessary. If the caller wantes to decode all
or a set of, or a specific component then openjpeg ought to error
out if it was unable to do so.

Fixes uclouvain#1158.
sebras added a commit to sebras/openjpeg that referenced this issue Feb 21, 2019
Previously the caller had to check whether each component data had
been decoded. This means duplicating the checking in every user of
openjpeg which is unnecessary. If the caller wantes to decode all
or a set of, or a specific component then openjpeg ought to error
out if it was unable to do so.

Fixes uclouvain#1158.
sebras added a commit to sebras/openjpeg that referenced this issue Sep 3, 2019
Previously the multiple component transformation SGcod(C)
and wavelet transformation SPcod(H)/SPcoc(E) parameter
values were never checked, allowing for out of range values.

The lack of validation allowed the bit stream provided in
issue uclouvain#1158 through. After this commit an error message
points to the marker segments' parameters as being out of
range.

This fixes issue uclouvain#1210.
sebras added a commit to sebras/openjpeg that referenced this issue Sep 3, 2019
Previously the multiple component transformation SGcod(C)
and wavelet transformation SPcod(H)/SPcoc(E) parameter
values were never checked, allowing for out of range values.

The lack of validation allowed the bit stream provided in
issue uclouvain#1158 through. After this commit an error message
points to the marker segments' parameters as being out of
range.

This fixes issue uclouvain#1210.
sebras added a commit to sebras/openjpeg that referenced this issue Sep 3, 2019
Previously the multiple component transformation SGcod(C)
and wavelet transformation SPcod(H)/SPcoc(E) parameter
values were never checked, allowing for out of range values.

The lack of validation allowed the bit stream provided in
issue uclouvain#1158 through. After this commit an error message
points to the marker segments' parameters as being out of
range.

This fixes issue uclouvain#1210.
sebras added a commit to sebras/openjpeg that referenced this issue Sep 4, 2019
Previously the multiple component transformation SGcod(C)
and wavelet transformation SPcod(H)/SPcoc(E) parameter
values were never checked, allowing for out of range values.

The lack of validation allowed the bit stream provided in
issue uclouvain#1158 through. After this commit an error message
points to the marker segments' parameters as being out of
range.

This fixes issue uclouvain#1210.
sebras added a commit to sebras/openjpeg that referenced this issue Sep 4, 2019
Previously the multiple component transformation SGcod(C)
and wavelet transformation SPcod(H)/SPcoc(E) parameter
values were never checked, allowing for out of range values.

The lack of validation allowed the bit stream provided in
issue uclouvain#1158 through. After this commit an error message
points to the marker segments' parameters as being out of
range.

input/nonregression/edf_c2_20.jp2 contains an SPcod(H) value
of 17, but according to Table A-20 of the specification only
values 0 and 1 are valid. input/nonregression/issue826.jp2
contains a SGcod(B) value of 2, but according to Table A-17
of the specification only values 0 and 1 are valid.
input/nonregression/oss-fuzz2785.jp2` contains a SGcod(B)
value of 32, but it is likewise limited to 0 or 1. These test
cases have been updated to consistently fail to parse the
headers since they contain out of bounds values.

This fixes issue uclouvain#1210.
sebras added a commit to sebras/openjpeg that referenced this issue Sep 4, 2019
Previously the multiple component transformation SGcod(C)
and wavelet transformation SPcod(H)/SPcoc(E) parameter
values were never checked, allowing for out of range values.

The lack of validation allowed the bit stream provided in
issue uclouvain#1158 through. After this commit an error message
points to the marker segments' parameters as being out of
range.

input/nonregression/edf_c2_20.jp2 contains an SPcod(H) value
of 17, but according to Table A-20 of the specification only
values 0 and 1 are valid. input/nonregression/issue826.jp2
contains a SGcod(B) value of 2, but according to Table A-17
of the specification only values 0 and 1 are valid.
input/nonregression/oss-fuzz2785.jp2 contains a SGcod(B)
value of 32, but it is likewise limited to 0 or 1. These test
cases have been updated to consistently fail to parse the
headers since they contain out of bounds values.

This fixes issue uclouvain#1210.
chris-liddell pushed a commit to ArtifexSoftware/thirdparty-openjpeg that referenced this issue Sep 5, 2019
Ghostscript used to attempt to use even the undecoded components.
The source code for upstream's opj_decompress tool avoided this by
a workaround along with a comment indicating that this ought to be
done in the library (so all clients, e.g. Ghostscript will benefit
from it). With this commit the library will error out if not all
requested components are successfully decoded. Thus Ghostscript
will no longer crash.

Reported in uclouvain/openjpeg#1158
sent upstream in uclouvain/openjpeg#1164
and finally committed in e66125f
chris-liddell pushed a commit to ArtifexSoftware/thirdparty-openjpeg that referenced this issue Feb 6, 2020
The original commit message read:

Bug 700088: Report error if all wanted J2K components are not decoded.

Ghostscript used to attempt to use even the undecoded components.
The source code for upstream's opj_decompress tool avoided this by
a workaround along with a comment indicating that this ought to be
done in the library (so all clients, e.g. Ghostscript will benefit
from it). With this commit the library will error out if not all
requested components are successfully decoded. Thus Ghostscript
will no longer crash.

Reported in uclouvain/openjpeg#1158
sent upstream in uclouvain/openjpeg#1164
and finally committed in e66125f
DanielHeath pushed a commit to radiopaedia/openjpeg that referenced this issue Sep 21, 2021
Previously the multiple component transformation SGcod(C)
and wavelet transformation SPcod(H)/SPcoc(E) parameter
values were never checked, allowing for out of range values.

The lack of validation allowed the bit stream provided in
issue uclouvain#1158 through. After this commit an error message
points to the marker segments' parameters as being out of
range.

input/nonregression/edf_c2_20.jp2 contains an SPcod(H) value
of 17, but according to Table A-20 of the specification only
values 0 and 1 are valid. input/nonregression/issue826.jp2
contains a SGcod(B) value of 2, but according to Table A-17
of the specification only values 0 and 1 are valid.
input/nonregression/oss-fuzz2785.jp2 contains a SGcod(B)
value of 32, but it is likewise limited to 0 or 1. These test
cases have been updated to consistently fail to parse the
headers since they contain out of bounds values.

This fixes issue uclouvain#1210.
mtremer pushed a commit to ipfire/ipfire-2.x that referenced this issue Apr 29, 2022
- Update from version 2.3.1 to 2.4.0
- Update of rootfile
- Changelog
    2.4.0
	**Closed issues:**
		- OPENJPEG\_INSTALL\_DOC\_DIR does not control a destination directory where HTML docs would be installed. [\#1309](uclouvain/openjpeg#1309)
		- Heap-buffer-overflow in lib/openjp2/pi.c:312 [\#1302](uclouvain/openjpeg#1302)
		- Heap-buffer-overflow in lib/openjp2/t2.c:973 [\#1299](uclouvain/openjpeg#1299)
		- Heap-buffer-overflow in lib/openjp2/pi.c:623 [\#1293](uclouvain/openjpeg#1293)
		- Global-buffer-overflow in lib/openjp2/dwt.c:1980 [\#1286](uclouvain/openjpeg#1286)
		- Heap-buffer-overflow in lib/openjp2/tcd.c:2417 [\#1284](uclouvain/openjpeg#1284)
		- Heap-buffer-overflow in lib/openjp2/mqc.c:499 [\#1283](uclouvain/openjpeg#1283)
		- Openjpeg could not encode 32bit RGB float image [\#1281](uclouvain/openjpeg#1281)
		- Openjpeg could not encode 32bit RGB float image [\#1280](uclouvain/openjpeg#1280)
		- ISO/IEC 15444-1:2019 \(E\) compared with 'cio.h' [\#1277](uclouvain/openjpeg#1277)
		- Test-suite failure due to hash mismatch [\#1264](uclouvain/openjpeg#1264)
		- Heap use-after-free [\#1261](uclouvain/openjpeg#1261)
		- Memory leak when failing to allocate object... [\#1259](uclouvain/openjpeg#1259)
		- Memory leak of Tier 1 handle when OpenJPEG fails to set it as TLS... [\#1257](uclouvain/openjpeg#1257)
		- Any plan to build release for CVE-2020-8112/CVE-2020-6851 [\#1247](uclouvain/openjpeg#1247)
		- failing to convert 16-bit file: opj\_t2\_encode\_packet\(\): only 5251 bytes remaining in output buffer. 5621 needed. [\#1243](uclouvain/openjpeg#1243)
		- CMake+VS2017 Compile OK, thirdparty Compile OK, but thirdparty not install [\#1239](uclouvain/openjpeg#1239)
		- New release to solve CVE-2019-6988 ? [\#1238](uclouvain/openjpeg#1238)
		- Many tests fail to pass after the update of libtiff to version 4.1.0 [\#1233](uclouvain/openjpeg#1233)
		- Another heap buffer overflow in libopenjp2 [\#1231](uclouvain/openjpeg#1231)
		- Heap buffer overflow in libopenjp2 [\#1228](uclouvain/openjpeg#1228)
		- Endianness of binary volume \(JP3D\) [\#1224](uclouvain/openjpeg#1224)
		- New release to resolve CVE-2019-12973 [\#1222](uclouvain/openjpeg#1222)
		- how to set the block size,like 128,256 ? [\#1216](uclouvain/openjpeg#1216)
		- compress YUV files to motion jpeg2000 standard [\#1213](uclouvain/openjpeg#1213)
		- Repair/update Java wrapper, and include in release [\#1208](uclouvain/openjpeg#1208)
		- abc [\#1206](uclouvain/openjpeg#1206)
		- Slow decoding [\#1202](uclouvain/openjpeg#1202)
		- Installation question [\#1201](uclouvain/openjpeg#1201)
		- Typo in test\_decode\_area - \*ptilew is assigned instead of \*ptileh [\#1195](uclouvain/openjpeg#1195)
		- Creating a J2K file with one POC is broken [\#1191](uclouvain/openjpeg#1191)
		- Make fails on Arch Linux [\#1174](uclouvain/openjpeg#1174)
		- Heap buffer overflow in opj\_t1\_clbl\_decode\_processor\(\) triggered with Ghostscript [\#1158](uclouvain/openjpeg#1158)
		- opj\_stream\_get\_number\_byte\_left: Assertion `p\_stream-\>m\_byte\_offset \>= 0' failed. [\#1151](uclouvain/openjpeg#1151)
		- The fuzzer ignores too many inputs [\#1079](uclouvain/openjpeg#1079)
		- out of bounds read [\#1068](uclouvain/openjpeg#1068)
	**Merged pull requests:**
		- Change defined WIN32 [\#1310](uclouvain/openjpeg#1310) ([Jamaika1](https://github.com/Jamaika1))
		- docs: fix simple typo, producted -\> produced [\#1308](uclouvain/openjpeg#1308) ([timgates42](https://github.com/timgates42))
		- Set ${OPENJPEG\_INSTALL\_DOC\_DIR} to DESTINATION of HTMLs [\#1307](uclouvain/openjpeg#1307) ([lemniscati](https://github.com/lemniscati))
		- Use INC\_DIR for OPENJPEG\_INCLUDE\_DIRS \(fixes uclouvain\#1174\) [\#1306](uclouvain/openjpeg#1306) ([matthew-sharp](https://github.com/matthew-sharp))
		- pi.c: avoid out of bounds access with POC \(fixes \#1302\) [\#1304](uclouvain/openjpeg#1304) ([rouault](https://github.com/rouault))
		- Encoder: grow again buffer size [\#1303](uclouvain/openjpeg#1303) ([zodf0055980](https://github.com/zodf0055980))
		- opj\_j2k\_write\_sod\(\): avoid potential heap buffer overflow \(fixes \#1299\) \(probably master only\) [\#1301](uclouvain/openjpeg#1301) ([rouault](https://github.com/rouault))
		- pi.c: avoid out of bounds access with POC \(refs https://github.com/uclouvain/openjpeg/issues/1293\#issuecomment-737122836\) [\#1300](uclouvain/openjpeg#1300) ([rouault](https://github.com/rouault))
		- opj\_t2\_encode\_packet\(\): avoid out of bound access of \#1297, but likely not the proper fix [\#1298](uclouvain/openjpeg#1298) ([rouault](https://github.com/rouault))
		- opj\_t2\_encode\_packet\(\): avoid out of bound access of \#1294, but likely not the proper fix [\#1296](uclouvain/openjpeg#1296) ([rouault](https://github.com/rouault))
		- opj\_j2k\_setup\_encoder\(\): validate POC compno0 and compno1 \(fixes \#1293\) [\#1295](uclouvain/openjpeg#1295) ([rouault](https://github.com/rouault))
		- Encoder: avoid global buffer overflow on irreversible conversion when… [\#1292](uclouvain/openjpeg#1292) ([rouault](https://github.com/rouault))
		- Decoding: deal with some SPOT6 images that have tiles with a single tile-part with TPsot == 0 and TNsot == 0, and with missing EOC [\#1291](uclouvain/openjpeg#1291) ([rouault](https://github.com/rouault))
		- Free p\_tcd\_marker\_info to avoid memory leak [\#1288](uclouvain/openjpeg#1288) ([zodf0055980](https://github.com/zodf0055980))
		- Encoder: grow again buffer size [\#1287](uclouvain/openjpeg#1287) ([zodf0055980](https://github.com/zodf0055980))
		- Encoder: avoid uint32 overflow when allocating memory for codestream buffer \(fixes \#1243\) [\#1276](uclouvain/openjpeg#1276) ([rouault](https://github.com/rouault))
		- Java compatibility from 1.5 to 1.6 [\#1263](uclouvain/openjpeg#1263) ([jiapei100](https://github.com/jiapei100))
		- opj\_decompress: fix double-free on input directory with mix of valid and invalid images [\#1262](uclouvain/openjpeg#1262) ([rouault](https://github.com/rouault))
		- openjp2: Plug image leak when failing to allocate codestream index. [\#1260](uclouvain/openjpeg#1260) ([sebras](https://github.com/sebras))
		- openjp2: Plug memory leak when setting data as TLS fails. [\#1258](uclouvain/openjpeg#1258) ([sebras](https://github.com/sebras))
		- openjp2: Error out if failing to create Tier 1 handle. [\#1256](uclouvain/openjpeg#1256) ([sebras](https://github.com/sebras))
		- Testing for invalid values of width, height, numcomps [\#1254](uclouvain/openjpeg#1254) ([szukw000](https://github.com/szukw000))
		- Single-threaded performance improvements in forward DWT for 5-3 and 9-7 \(and other improvements\) [\#1253](uclouvain/openjpeg#1253) ([rouault](https://github.com/rouault))
		- Add support for multithreading in encoder [\#1248](uclouvain/openjpeg#1248) ([rouault](https://github.com/rouault))
		- Add support for generation of PLT markers in encoder [\#1246](uclouvain/openjpeg#1246) ([rouault](https://github.com/rouault))
		- Fix warnings about signed/unsigned casts in pi.c [\#1244](uclouvain/openjpeg#1244) ([rouault](https://github.com/rouault))
		- opj\_decompress: add sanity checks to avoid segfault in case of decoding error [\#1240](uclouvain/openjpeg#1240) ([rouault](https://github.com/rouault))
		- ignore wrong icc [\#1236](uclouvain/openjpeg#1236) ([szukw000](https://github.com/szukw000))
		- Implement writing of IMF profiles [\#1235](uclouvain/openjpeg#1235) ([rouault](https://github.com/rouault))
		- tests: add alternate checksums for libtiff 4.1 [\#1234](uclouvain/openjpeg#1234) ([rouault](https://github.com/rouault))
		- opj\_tcd\_init\_tile\(\): avoid integer overflow [\#1232](uclouvain/openjpeg#1232) ([rouault](https://github.com/rouault))
		- tests/fuzzers: link fuzz binaries using $LIB\_FUZZING\_ENGINE. [\#1230](uclouvain/openjpeg#1230) ([Dor1s](https://github.com/Dor1s))
		- opj\_j2k\_update\_image\_dimensions\(\): reject images whose coordinates are beyond INT\_MAX \(fixes \#1228\) [\#1229](uclouvain/openjpeg#1229) ([rouault](https://github.com/rouault))
		- Fix resource leaks [\#1226](uclouvain/openjpeg#1226) ([dodys](https://github.com/dodys))
		- abi-check.sh: fix false postive ABI error, and display output error log [\#1218](uclouvain/openjpeg#1218) ([rouault](https://github.com/rouault))
		- pi.c: avoid integer overflow, resulting in later invalid access to memory in opj\_t2\_decode\_packets\(\) [\#1217](uclouvain/openjpeg#1217) ([rouault](https://github.com/rouault))
		- Add check to validate SGcod/SPcoc/SPcod parameter values. [\#1211](uclouvain/openjpeg#1211) ([sebras](https://github.com/sebras))
		- Fix buffer overflow reading an image file less than four characters [\#1196](uclouvain/openjpeg#1196) ([robert-ancell](https://github.com/robert-ancell))
		- compression: emit POC marker when only one single POC is requested \(f… [\#1192](uclouvain/openjpeg#1192) ([rouault](https://github.com/rouault))
		- Fix several potential vulnerabilities  [\#1185](uclouvain/openjpeg#1185) ([Young-X](https://github.com/Young-X))
		- openjp2/j2k: Report error if all wanted components are not decoded. [\#1164](uclouvain/openjpeg#1164) ([sebras](https://github.com/sebras))

Signed-off-by: Adolf Belka <[email protected]>
Reviewed-by: Peter Müller <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants