What steps will reproduce the problem?
1. Run Opj_decompress with the attached as input
What is the expected output? What do you see instead?
In an ASAN environment, it triggers a heap-buffer-overflow in opj_dwt_decode.
What version of the product are you using? On what operating system?
OpenJpeg revision 2997. Ubuntu 64 bits and Windows 7.
Please provide any additional information below.
The original issue was raised in https://code.google.com/p/chromium/issues/list. It's
issue 457480.
If there is no ASAN environment, we can still find this issue in debugging mode.
Please input repro.jp2 to run Opj_decompress.
Set two breakpoints in the following two functions to check the addresses. We can
find that h.mem points to 4 bytes of memory, but bi points to memory outside the allocated
range. This causes a heap-buffer-overflow when a value is assigned to *bi.
```c
OPJ_BOOL opj_dwt_decode_tile(opj_tcd_tilecomp_t* tilec, OPJ_UINT32 numres, DWT1DFN dwt_1D) {
    ...
    /* scratch buffer sized from opj_dwt_max_resolution() */
    h.mem = (OPJ_INT32*) opj_aligned_malloc(opj_dwt_max_resolution(tr, numres) * sizeof(OPJ_INT32));
    ...
}

void opj_dwt_interleave_h(opj_dwt_t* h, OPJ_INT32 *a) {
    ...
    /* write pointer derived from the scratch buffer and cas */
    bi = h->mem + 1 - h->cas;
    ...
}
```
Originally reported on Google Code with ID 486
Reported by [email protected] on 2015-04-17 23:19:52

- _Attachment: [repro.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-486/comment-0/repro.jp2)_
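The bounds condition behind the report, as an added example that is not part of the original issue or of OpenJPEG's code: a simplified interleave that computes how many elements the stride-2 writes starting at `mem + cas` and `mem + 1 - cas` need, and refuses to write when the buffer is smaller. The struct `dwt_line_t`, its fields `cap`, `sn` and `dn`, and both function names are assumptions of this sketch; only `mem` and `cas` appear in the report.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-in for opj_dwt_t. Only mem and cas appear in the report;
   cap, sn and dn are assumptions of this sketch. */
typedef struct {
    int32_t *mem;  /* scratch line buffer */
    size_t   cap;  /* elements allocated for mem (hypothetical field) */
    size_t   sn;   /* samples written starting at mem + cas (assumed) */
    size_t   dn;   /* samples written starting at mem + 1 - cas (assumed) */
    int      cas;  /* 0 or 1: selects which run starts at index 0 */
} dwt_line_t;

/* One past the highest index touched by n stride-2 writes from start. */
static size_t run_extent(size_t start, size_t n)
{
    return n == 0 ? 0 : start + 2 * (n - 1) + 1;
}

/* Elements mem must hold for the interleave to stay in bounds (cas in {0,1}). */
size_t interleave_required(const dwt_line_t *h)
{
    size_t lo = run_extent((size_t)h->cas, h->sn);
    size_t hi = run_extent((size_t)(1 - h->cas), h->dn);
    return lo > hi ? lo : hi;
}

/* Returns 0 on success, -1 if a write would leave the allocation. */
int interleave_h_checked(const dwt_line_t *h, const int32_t *a)
{
    if (h->cas != 0 && h->cas != 1)
        return -1;
    if (interleave_required(h) > h->cap)
        return -1;                      /* e.g. cap == 1, cas == 0, dn == 1 */

    int32_t *bi = h->mem + h->cas;
    for (size_t i = 0; i < h->sn; i++, bi += 2)
        *bi = *a++;

    bi = h->mem + 1 - h->cas;           /* the expression quoted in the report */
    for (size_t i = 0; i < h->dn; i++, bi += 2)
        *bi = *a++;
    return 0;
}
```

With a one-element (4-byte) buffer and `cas == 0`, the second run starts at `mem + 1`, so any `dn >= 1` is rejected instead of written.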