From 92388bd614fc16409d2b2e19c80f859a48384848 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Wed, 25 Dec 2024 23:58:51 +1100 Subject: [PATCH] len --- .github/workflows/test.yml | 2 +- src/PIL/Jpeg2KImagePlugin.py | 3 ++ src/libImaging/Jpeg2KDecode.c | 9 ++++++ .../src/openjpeg-2.5.3/src/lib/openjp2/j2k.c | 6 ++++ .../openjpeg-2.5.3/src/lib/openjp2/openjpeg.c | 2 ++ .../src/openjpeg-2.5.3/src/lib/openjp2/t2.c | 10 +++---- .../src/openjpeg-2.5.3/src/lib/openjp2/tcd.c | 30 +++++++++---------- 7 files changed, 41 insertions(+), 21 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c7839e28a3d..58291c94b22 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -86,4 +86,4 @@ jobs: - name: Test run: | python3 -m pip install psutil - python3 -c "import psutil;process = psutil.Process();from PIL import Image;im = Image.open('clusterfuzz-testcase-minimized-fuzz_pillow-5015640213159936');print('memory1', process.memory_info().rss);im.load();print('memory2', process.memory_info().rss)" + python3 -c "import psutil;process = psutil.Process();from PIL import Image;im = Image.open('clusterfuzz-testcase-minimized-fuzz_pillow-5015640213159936');print(im);print('memory1', process.memory_info().rss);im.load();print('memory2', process.memory_info().rss)" diff --git a/src/PIL/Jpeg2KImagePlugin.py b/src/PIL/Jpeg2KImagePlugin.py index b6ebd562be6..93b1ee32d03 100644 --- a/src/PIL/Jpeg2KImagePlugin.py +++ b/src/PIL/Jpeg2KImagePlugin.py @@ -285,6 +285,9 @@ def _open(self) -> None: self.fp.seek(pos) except Exception: length = -1 + print("codec", self.codec) + print("tell", self.fp.tell()) + print("length", length) self.tile = [ ImageFile._Tile( diff --git a/src/libImaging/Jpeg2KDecode.c b/src/libImaging/Jpeg2KDecode.c index fc927d2f0c0..6277a0ca8d1 100644 --- a/src/libImaging/Jpeg2KDecode.c +++ b/src/libImaging/Jpeg2KDecode.c 
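Review bot: The three `print` calls added to `_open` in src/PIL/Jpeg2KImagePlugin.py write to stdout unconditionally from library code, so every JPEG 2000 open emits `codec`, `tell` and `length` lines into whatever the host application writes there. With the indentation lost in this rendering it is not clear whether they sit inside the `except Exception:` branch or after it; if inside, the success path is never traced. A single `logging.getLogger(__name__).debug("codec=%s tell=%s length=%s", self.codec, self.fp.tell(), length)` keeps the trace opt-in and on one line, and needs `import logging` if the module does not already have it. `_open` starts and ends outside the hunk.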
@@ -47,6 +47,7 @@ j2k_read(void *p_buffer, OPJ_SIZE_T p_nb_bytes, void *p_user_data) { ImagingCodecState state = (ImagingCodecState)p_user_data; size_t len = _imaging_read_pyFd(state->fd, p_buffer, p_nb_bytes); + printf("len %zu\n", len); return len ? len : (OPJ_SIZE_T)-1; } @@ -692,6 +693,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state) { opj_setup_decoder(codec, ¶ms); if (!opj_read_header(stream, codec, &image)) { + printf("exit5\n"); state->errcode = IMAGING_CODEC_BROKEN; state->state = J2K_STATE_FAILED; goto quick_exit; @@ -699,6 +701,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state) { /* Check that this image is something we can handle */ if (image->numcomps < 1 || image->numcomps > 4) { + printf("exit6\n"); state->errcode = IMAGING_CODEC_BROKEN; state->state = J2K_STATE_FAILED; goto quick_exit; @@ -801,6 +804,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state) { &tile_info.nb_comps, &should_continue )) { + printf("exit7\n"); state->errcode = IMAGING_CODEC_BROKEN; state->state = J2K_STATE_FAILED; goto quick_exit; @@ -826,12 +830,14 @@ j2k_decode_entry(Imaging im, ImagingCodecState state) { (OPJ_UINT32)tile_info.y0 < image->y0 || (OPJ_INT32)(tile_info.x1 - image->x0) > im->xsize || (OPJ_INT32)(tile_info.y1 - image->y0) > im->ysize) { + printf("exit8\n"); state->errcode = IMAGING_CODEC_BROKEN; state->state = J2K_STATE_FAILED; goto quick_exit; } if (tile_info.nb_comps != image->numcomps) { + printf("exit8b\n"); state->errcode = IMAGING_CODEC_BROKEN; state->state = J2K_STATE_FAILED; goto quick_exit; @@ -859,6 +865,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state) { (tile_height > UINT_MAX / total_component_width) || (tile_width > UINT_MAX / (tile_height * total_component_width)) || (tile_height > UINT_MAX / (tile_width * total_component_width))) { + printf("exit9\n"); state->errcode = IMAGING_CODEC_BROKEN; state->state = J2K_STATE_FAILED; goto quick_exit; 
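Review bot: `printf("len %zu\n", len);` in `j2k_read` goes through C stdio's stdout buffer, which is separate from Python's `sys.stdout`. When the output is piped, as in a CI log, these lines can appear out of order relative to the `memory1`/`memory2` prints, and they are lost if the process is killed mid-decode. Writing to stderr avoids both: `fprintf(stderr, "len %zu\n", len);`. The same applies to the `exit5`–`exit11` markers in `j2k_decode_entry` and to the `here*`, `inside*` and `what*` markers in the openjpeg sources. Because this callback runs once per stream read, the trace volume is controlled by the input file, which matters when the input is a fuzzer testcase.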
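Review bot: The `exit6` and `exit8b` markers in `j2k_decode_entry` say which guard rejected the image but not the values that tripped it, which is what is needed to understand a malformed testcase. Printing the operands makes each trace line self-explanatory, e.g. `printf("exit8b nb_comps=%u numcomps=%u\n", tile_info.nb_comps, image->numcomps);` (assuming both fields are 32-bit unsigned). The same goes for `exit8` with the `tile_info` bounds and for `exit9` with `tile_width`, `tile_height` and `total_component_width`. `j2k_decode_entry` starts and ends outside these hunks.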
@@ -893,6 +900,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state) { tile_info.data_size, stream )) { + printf("exit10\n"); state->errcode = IMAGING_CODEC_BROKEN; state->state = J2K_STATE_FAILED; goto quick_exit; @@ -902,6 +910,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state) { } if (!opj_end_decompress(codec, stream)) { + printf("exit11\n"); state->errcode = IMAGING_CODEC_BROKEN; state->state = J2K_STATE_FAILED; goto quick_exit; diff --git a/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/j2k.c b/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/j2k.c index 9649f13bf79..3aaa9efdc67 100644 --- a/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/j2k.c +++ b/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/j2k.c @@ -10128,12 +10128,14 @@ OPJ_BOOL opj_j2k_decode_tile(opj_j2k_t * p_j2k, if (!(p_j2k->m_specific_param.m_decoder.m_state & J2K_STATE_DATA) || (p_tile_index != p_j2k->m_current_tile_number)) { + printf("here1\n"); return OPJ_FALSE; } l_tcp = &(p_j2k->m_cp.tcps[p_tile_index]); if (! l_tcp->m_data) { opj_j2k_tcp_destroy(l_tcp); + printf("here2\n"); return OPJ_FALSE; } @@ -10158,6 +10160,7 @@ OPJ_BOOL opj_j2k_decode_tile(opj_j2k_t * p_j2k, opj_j2k_tcp_destroy(l_tcp); p_j2k->m_specific_param.m_decoder.m_state |= J2K_STATE_ERR; opj_event_msg(p_manager, EVT_ERROR, "Failed to decode.\n"); + printf("here3\n"); return OPJ_FALSE; } @@ -10166,6 +10169,7 @@ OPJ_BOOL opj_j2k_decode_tile(opj_j2k_t * p_j2k, /* tile decoding optimization. */ if (p_data != NULL) { if (! opj_tcd_update_tile_data(p_j2k->m_tcd, p_data, p_data_size)) { + printf("here4\n"); return OPJ_FALSE; } @@ -10188,6 +10192,7 @@ OPJ_BOOL opj_j2k_decode_tile(opj_j2k_t * p_j2k, if (opj_stream_read_data(p_stream, l_data, 2, p_manager) != 2) { opj_event_msg(p_manager, p_j2k->m_cp.strict ? EVT_ERROR : EVT_WARNING, "Stream too short\n"); + printf("here5\n"); return p_j2k->m_cp.strict ? OPJ_FALSE : OPJ_TRUE; } opj_read_bytes(l_data, &l_current_marker, 2); 
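Review bot: `printf("here5\n");` in `opj_j2k_decode_tile` sits in front of `return p_j2k->m_cp.strict ? OPJ_FALSE : OPJ_TRUE;`, so unlike the other `here*` markers it also fires on a path that returns success when strict mode is off. Reading the trace as "here5 means the tile failed" would therefore be wrong. Including the mode removes the ambiguity: `printf("here5 strict=%d\n", p_j2k->m_cp.strict);`. The function body continues outside the hunk.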
@@ -10202,6 +10207,7 @@ OPJ_BOOL opj_j2k_decode_tile(opj_j2k_t * p_j2k, return OPJ_TRUE; } opj_event_msg(p_manager, EVT_ERROR, "Stream too short, expected SOT\n"); + printf("here6\n"); return OPJ_FALSE; } } diff --git a/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/openjpeg.c b/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/openjpeg.c index 1c645d5f7ed..44fa2888bbe 100644 --- a/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/openjpeg.c +++ b/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/openjpeg.c @@ -599,6 +599,7 @@ OPJ_BOOL OPJ_CALLCONV opj_decode_tile_data(opj_codec_t *p_codec, opj_stream_private_t * l_stream = (opj_stream_private_t *) p_stream; if (! l_codec->is_decompressor) { + printf("inside51\n"); return OPJ_FALSE; } @@ -610,6 +611,7 @@ OPJ_BOOL OPJ_CALLCONV opj_decode_tile_data(opj_codec_t *p_codec, l_stream, &(l_codec->m_event_mgr)); } + printf("inside52\n"); return OPJ_FALSE; } diff --git a/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/t2.c b/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/t2.c index 4e8cf601828..b142288d4e1 100644 --- a/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/t2.c +++ b/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/t2.c @@ -427,7 +427,7 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t* tcd, /* create a packet iterator */ l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no, p_manager); if (!l_pi) { - return OPJ_FALSE; + printf("what1\n");return OPJ_FALSE; } @@ -445,13 +445,13 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t* tcd, if (l_current_pi->poc.prg == OPJ_PROG_UNKNOWN) { /* TODO ADE : add an error */ opj_pi_destroy(l_pi, l_nb_pocs); - return OPJ_FALSE; + printf("what2\n");return OPJ_FALSE; } first_pass_failed = (OPJ_BOOL*)opj_malloc(l_image->numcomps * sizeof(OPJ_BOOL)); if (!first_pass_failed) { opj_pi_destroy(l_pi, l_nb_pocs); - return OPJ_FALSE; + printf("what3\n");return OPJ_FALSE; } memset(first_pass_failed, OPJ_TRUE, l_image->numcomps * sizeof(OPJ_BOOL)); 
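Review bot: In `opj_t2_decode_packets` the instrumentation rewrites each `return OPJ_FALSE;` into `printf("what1\n");return OPJ_FALSE;`, which puts two statements on one line and turns every return into a `-`/`+` pair. Adding the `printf` as its own line above the untouched `return`, as the j2k.c and openjpeg.c hunks do, keeps the change purely additive so it can be backed out by deleting added lines only. The same pattern is used for `what2`–`what5` and for all the `here3*` markers in tcd.c. At `what2` the existing `/* TODO ADE : add an error */` suggests that an `opj_event_msg(p_manager, EVT_ERROR, ...)` call would be the permanent form of this message.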
@@ -511,7 +511,7 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t* tcd, &l_nb_bytes_read, p_max_len, l_pack_info, p_manager)) { opj_pi_destroy(l_pi, l_nb_pocs); opj_free(first_pass_failed); - return OPJ_FALSE; + printf("what4\n");return OPJ_FALSE; } l_img_comp = &(l_image->comps[l_current_pi->compno]); @@ -523,7 +523,7 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t* tcd, &l_nb_bytes_read, p_max_len, l_pack_info, p_manager)) { opj_pi_destroy(l_pi, l_nb_pocs); opj_free(first_pass_failed); - return OPJ_FALSE; + printf("what5\n");return OPJ_FALSE; } } diff --git a/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/tcd.c b/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/tcd.c index 8ca259b71dc..9adbe1b1064 100644 --- a/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/tcd.c +++ b/winbuild/build/src/openjpeg-2.5.3/src/lib/openjp2/tcd.c @@ -1574,7 +1574,7 @@ OPJ_BOOL opj_tcd_decode_tile(opj_tcd_t *p_tcd, OPJ_BOOL* used_component = (OPJ_BOOL*) opj_calloc(sizeof(OPJ_BOOL), p_tcd->image->numcomps); if (used_component == NULL) { - return OPJ_FALSE; + printf("here3a\n");return OPJ_FALSE; } for (compno = 0; compno < numcomps_to_decode; compno++) { used_component[ comps_indices[compno] ] = OPJ_TRUE; @@ -1613,14 +1613,14 @@ OPJ_BOOL opj_tcd_decode_tile(opj_tcd_t *p_tcd, if (res_h > 0 && res_w > SIZE_MAX / res_h) { opj_event_msg(p_manager, EVT_ERROR, "Size of tile data exceeds system limits\n"); - return OPJ_FALSE; + printf("here3b\n");return OPJ_FALSE; } l_data_size = res_w * res_h; if (SIZE_MAX / sizeof(OPJ_UINT32) < l_data_size) { opj_event_msg(p_manager, EVT_ERROR, "Size of tile data exceeds system limits\n"); - return OPJ_FALSE; + printf("here3c\n");return OPJ_FALSE; } l_data_size *= sizeof(OPJ_UINT32); @@ -1629,7 +1629,7 @@ OPJ_BOOL opj_tcd_decode_tile(opj_tcd_t *p_tcd, if (!opj_alloc_tile_component_data(tilec)) { opj_event_msg(p_manager, EVT_ERROR, "Size of tile data exceeds system limits\n"); - return OPJ_FALSE; + printf("here3d\n");return OPJ_FALSE; } } } else { 
@@ -1666,7 +1666,7 @@ OPJ_BOOL opj_tcd_decode_tile(opj_tcd_t *p_tcd, /* Upper level logic should not even try to decode that tile */ opj_event_msg(p_manager, EVT_ERROR, "Invalid tilec->win_xxx values\n"); - return OPJ_FALSE; + printf("here3e\n");return OPJ_FALSE; } for (resno = 0; resno < tilec->numresolutions; ++resno) { @@ -1712,7 +1712,7 @@ OPJ_BOOL opj_tcd_decode_tile(opj_tcd_t *p_tcd, l_data_read = 0; if (! opj_tcd_t2_decode(p_tcd, p_src, &l_data_read, p_max_length, p_cstr_index, p_manager)) { - return OPJ_FALSE; + printf("here3f\n");return OPJ_FALSE; } /* FIXME _ProfStop(PGROUP_T2); */ @@ -1720,7 +1720,7 @@ OPJ_BOOL opj_tcd_decode_tile(opj_tcd_t *p_tcd, /* FIXME _ProfStart(PGROUP_T1); */ if (! opj_tcd_t1_decode(p_tcd, p_manager)) { - return OPJ_FALSE; + printf("here3g\n");return OPJ_FALSE; } /* FIXME _ProfStop(PGROUP_T1); */ @@ -1747,13 +1747,13 @@ OPJ_BOOL opj_tcd_decode_tile(opj_tcd_t *p_tcd, if (w > SIZE_MAX / h) { opj_event_msg(p_manager, EVT_ERROR, "Size of tile data exceeds system limits\n"); - return OPJ_FALSE; + printf("here3h\n");return OPJ_FALSE; } l_data_size = w * h; if (l_data_size > SIZE_MAX / sizeof(OPJ_INT32)) { opj_event_msg(p_manager, EVT_ERROR, "Size of tile data exceeds system limits\n"); - return OPJ_FALSE; + printf("here3i\n");return OPJ_FALSE; } l_data_size *= sizeof(OPJ_INT32); @@ -1761,7 +1761,7 @@ OPJ_BOOL opj_tcd_decode_tile(opj_tcd_t *p_tcd, if (tilec->data_win == NULL) { opj_event_msg(p_manager, EVT_ERROR, "Size of tile data exceeds system limits\n"); - return OPJ_FALSE; + printf("here3j\n");return OPJ_FALSE; } } } @@ -1772,7 +1772,7 @@ OPJ_BOOL opj_tcd_decode_tile(opj_tcd_t *p_tcd, /* FIXME _ProfStart(PGROUP_DWT); */ if (! opj_tcd_dwt_decode(p_tcd)) { - return OPJ_FALSE; + printf("here3k\n");return OPJ_FALSE; } /* FIXME _ProfStop(PGROUP_DWT); */ 
@@ -1780,14 +1780,14 @@ OPJ_BOOL opj_tcd_decode_tile(opj_tcd_t *p_tcd, /* FIXME _ProfStart(PGROUP_MCT); */ if (! opj_tcd_mct_decode(p_tcd, p_manager)) { - return OPJ_FALSE; + printf("here3l\n");return OPJ_FALSE; } /* FIXME _ProfStop(PGROUP_MCT); */ /* FIXME _ProfStart(PGROUP_DC_SHIFT); */ if (! opj_tcd_dc_level_shift_decode(p_tcd)) { - return OPJ_FALSE; + printf("here3m\n");return OPJ_FALSE; } /* FIXME _ProfStop(PGROUP_DC_SHIFT); */ @@ -2018,7 +2018,7 @@ static OPJ_BOOL opj_tcd_t2_decode(opj_tcd_t *p_tcd, l_t2 = opj_t2_create(p_tcd->image, p_tcd->cp); if (l_t2 == 00) { - return OPJ_FALSE; + printf("here3f\1n");return OPJ_FALSE; } if (! opj_t2_decode_packets( @@ -2032,7 +2032,7 @@ static OPJ_BOOL opj_tcd_t2_decode(opj_tcd_t *p_tcd, p_cstr_index, p_manager)) { opj_t2_destroy(l_t2); - return OPJ_FALSE; + printf("here3f2\n");return OPJ_FALSE; } opj_t2_destroy(l_t2);
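Review bot: `printf("here3f\1n");` in `opj_tcd_t2_decode` contains the octal escape `\1` followed by a literal `n`, so it prints `here3f`, a 0x01 byte and `n` with no newline, and the next trace line runs on from it. Judging by the sibling `here3f2`, the intended line is `printf("here3f1\n");return OPJ_FALSE;`. `here3f` is also the marker used in `opj_tcd_decode_tile` when `opj_tcd_t2_decode` fails, so with the typo the two sites are hard to tell apart in the output.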