
Encoder: error with small precincts, origin shift [was Out-of-bounds Read in t2.c:819] #1297

Open
zodf0055980 opened this issue Dec 2, 2020 · 5 comments

Comments

@zodf0055980
Contributor

I found an Out-of-bounds Read in the current master 18b1138.
I built openjpeg with ASAN; this is the ASAN report.
POC picture: sample1 (attached image)

➜  ~/openjpeg/build/bin/opj_compress -i ./sample1.png -o ./a.j2c -r 19,9,0 -c \[16,32\],\[16,32\] -p CPRL -s 8,8  -TP L -d 50,50 

[INFO] tile number 1 / 1
ASAN:DEADLYSIGNAL
=================================================================
==32561==ERROR: AddressSanitizer: SEGV on unknown address 0x6097fffffff8 (pc 0x7fe70244f441 bp 0x619000000fa0 sp 0x7ffdb462cec0 T0)
==32561==The signal is caused by a READ memory access.
    #0 0x7fe70244f440 in opj_t2_encode_packet /home/yuan/openjpeg/src/lib/openjp2/t2.c:819
    #1 0x7fe702458563 in opj_t2_encode_packets /home/yuan/openjpeg/src/lib/openjp2/t2.c:332
    #2 0x7fe70247c595 in opj_tcd_t2_encode /home/yuan/openjpeg/src/lib/openjp2/tcd.c:2562
    #3 0x7fe70247c595 in opj_tcd_encode_tile /home/yuan/openjpeg/src/lib/openjp2/tcd.c:1465
    #4 0x7fe702340342 in opj_j2k_write_sod /home/yuan/openjpeg/src/lib/openjp2/j2k.c:4813
    #5 0x7fe702356636 in opj_j2k_write_sod /home/yuan/openjpeg/src/lib/openjp2/j2k.c:12710
    #6 0x7fe702356636 in opj_j2k_write_all_tile_parts /home/yuan/openjpeg/src/lib/openjp2/j2k.c:12715
    #7 0x7fe702356636 in opj_j2k_post_write_tile /home/yuan/openjpeg/src/lib/openjp2/j2k.c:12411
    #8 0x7fe70238b928 in opj_j2k_encode /home/yuan/openjpeg/src/lib/openjp2/j2k.c:12152
    #9 0x55af4e83dda0 in main /home/yuan/openjpeg/src/bin/jp2/opj_compress.c:2206
    #10 0x7fe701497bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x55af4e8430a9 in _start (/home/yuan/openjpeg/build/bin/opj_compress+0x1b0a9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yuan/openjpeg/src/lib/openjp2/t2.c:819 in opj_t2_encode_packet
==32561==ABORTING

The problem is that precno is -1, and the code tries to read &band->precincts[precno];
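To make the failure mode above concrete, here is an added example (not openjpeg code and not the fix that was committed) with a simplified model of how a packet iterator maps a precinct grid position to an index into a band's precinct array, together with a guarded lookup that refuses any index outside [0, pw*ph) instead of reading `&band->precincts[precno]` with precno == -1. The type and function names (`band_t`, `precinct_index`, `precinct_at`, `floor_div`) are hypothetical, and the model does not reproduce the exact small-precinct/origin-shift trigger from the title.

```c
/* Added example, not openjpeg code: a simplified model of precinct indexing
 * and a bounds-checked accessor. Names here are hypothetical stand-ins. */
#include <stdlib.h>

typedef struct { int id; } precinct_t;   /* stand-in for a per-precinct record */
typedef struct {
    int pw, ph;                          /* precincts across / down at this resolution */
    precinct_t *precincts;               /* pw * ph entries */
} band_t;

/* Floor division for signed ints (C's / truncates toward zero). */
int floor_div(int a, int b)
{
    int q = a / b;
    if ((a % b != 0) && ((a < 0) != (b < 0))) q--;
    return q;
}

/* Precinct column/row of sample (x, y) relative to the resolution origin
 * (trx0, try0) for precincts of 2^pdx by 2^pdy samples, then the linear
 * index. A sample to the left of or above the origin cell yields a negative
 * column or row, so the result can be negative and must not be used raw. */
int precinct_index(int x, int y, int trx0, int try0, int pdx, int pdy, int pw)
{
    int prci = floor_div(x, 1 << pdx) - floor_div(trx0, 1 << pdx);
    int prcj = floor_div(y, 1 << pdy) - floor_div(try0, 1 << pdy);
    return prci + prcj * pw;
}

/* Guarded accessor: returns NULL instead of indexing when precno is negative
 * or past the end of the array, the condition behind the ASAN trace above. */
precinct_t *precinct_at(band_t *band, int precno)
{
    if (band == NULL || band->precincts == NULL) return NULL;
    if (precno < 0 || precno >= band->pw * band->ph) return NULL;
    return &band->precincts[precno];
}
```

With a constructed 2x2 precinct grid whose origin is at (50, 50) and 16-sample precincts, a sample at x = 34 lands in column -1, which `precinct_at` rejects rather than dereferencing.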

rouault added a commit to rouault/openjpeg that referenced this issue Dec 2, 2020
rouault added a commit that referenced this issue Dec 2, 2020
opj_t2_encode_packet(): avoid out of bound access of #1297, but likely not the proper fix
@rouault rouault changed the title Out-of-bounds Read in t2.c:819 Encoder: error with small precincts, origin shift [was Out-of-bounds Read in t2.c:819] Dec 4, 2020
@zodf0055980
Contributor Author

CVE-2020-27843 was assigned for this issue.

@carnil

carnil commented Feb 28, 2021

@rouault, I noticed that in the committed change fc6abdb you say that it is likely not the proper fix; was there any further development following that?

@rouault
Collaborator

rouault commented Feb 28, 2021

was following that any further development?

no

@carnil

carnil commented Feb 28, 2021

was following that any further development?

no

Ok thanks for confirming.

Sorry for being annoying, but a further question back: should the issue be considered closed? Should the fix be considered complete as it landed in the 2.4.0 tagged version?

Let me explain why I'm asking. We are tracking the two CVEs CVE-2020-27842 (#1294) and CVE-2020-27843 (#1297) and so are looking to check the status for those.

Thanks a lot for your quick help, very much appreciated.

@rouault
Collaborator

rouault commented Feb 28, 2021

Should be the fix be considered complete as it landed in the 2.4.0 tagged version?

The security issue is solved by the fix that was committed, but I believe there's a more fundamental functional issue that, in an ideal world, would deserve to be solved.

DanielHeath pushed a commit to radiopaedia/openjpeg that referenced this issue Sep 21, 2021