Fix out-of-bounds read when cropping JPEG2000 images (#1654).

[dcpomatic.git] / src / lib / j2k_image_proxy.cc

diff --git a/src/lib/j2k_image_proxy.cc b/src/lib/j2k_image_proxy.cc
index 9893d65a63f2538e78b7f34c6a5f2d82ae50f6e1..d4c7a8716d7a6dae7876d3b07030b0a0f8a79fde 100644 (file)
--- a/src/lib/j2k_image_proxy.cc
+++ b/src/lib/j2k_image_proxy.cc
@@ -138,7 +138,13 @@ J2KImageProxy::prepare (optional<dcp::Size> target_size) const
 
        shared_ptr<dcp::OpenJPEGImage> decompressed = dcp::decompress_j2k (const_cast<uint8_t*> (_data.data().get()), _data.size (), reduce);
 
-       _image.reset (new Image (_pixel_format, decompressed->size(), true));
+       /* When scaling JPEG2000 images (using AV_PIX_FMT_XYZ12LE) ffmpeg will call xyz12ToRgb48 which reads data
+          from the whole of the image stride.  If we are cropping, Image::crop_scale_window munges the
+          start addresses of each image row (to do the crop) but keeps the stride the same.  This means
+          that under crop we will read over the end of the image by the amount of the crop.  To allow this
+          to happen without invalid memory access we need to overallocate by one whole stride's worth of pixels.
+       */
+       _image.reset (new Image (_pixel_format, decompressed->size(), true, decompressed->size().width));
 
        int const shift = 16 - decompressed->precision (0);