Bug 244529 - [WPE][GTK] Crash decoding JPEG2000 images which use sub-sampling
Summary: [WPE][GTK] Crash decoding JPEG2000 images which use sub-sampling
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Images
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Reported: 2022-08-30 01:23 PDT by Adrian Perez
Modified: 2022-08-30 01:27 PDT (History)
Attachments
Sample image, JP2 format (100.92 KB, image/jp2)
2022-08-30 01:23 PDT, Adrian Perez
Original image, PNG format (128.81 KB, image/png)
2022-08-30 01:24 PDT, Adrian Perez
Description Adrian Perez 2022-08-30 01:23:51 PDT
Created attachment 462002 [details]
Sample image, JP2 format

Any JPEG2000 image which uses 2x2 subsampling will cause a crash when
decoding it with WebKitGTK/WPE. I am attaching a sample image which
can be used to reproduce the issue, created with:

  % opj_compress -i haisuli.png -o haisuli.jp2 -s 2,2

(The “opj_compress” tool is part of the OpenJPEG package.)
Comment 1 Adrian Perez 2022-08-30 01:24:32 PDT
Created attachment 462003 [details]
Original image, PNG format

This is the image used as source to generate the JP2 with “opj_compress”.
Comment 2 Adrian Perez 2022-08-30 01:26:42 PDT
Stack backtrace:

#0  WebCore::JPEG2000ImageDecoder::decode () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/image-decoders/jpeg2000/JPEG2000ImageDecoder.cpp:523
Downloading 0.02 MB source file /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/image-decoders/jpeg2000/JPEG2000ImageDecoder.cpp
523                 g = image->comps[1].data[offset];
[Current thread is 1 (Thread 0x7f38f0246000 (LWP 2))]
(gdb) bt
#0  WebCore::JPEG2000ImageDecoder::decode(bool, bool) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/image-decoders/jpeg2000/JPEG2000ImageDecoder.cpp:523
#1  0x00007f38f7abe52b in WebCore::JPEG2000ImageDecoder::frameBufferAtIndex(unsigned long) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/image-decoders/jpeg2000/JPEG2000ImageDecoder.cpp:354
#2  0x00007f38f7aaed82 in WebCore::ScalableImageDecoder::createFrameImageAtIndex(unsigned long, WebCore::SubsamplingLevel, WebCore::DecodingOptions const&) ()
    at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/image-decoders/ScalableImageDecoder.cpp:245
#3  0x00007f38f8b7b17a in WebCore::ImageSource::frameAtIndexCacheIfNeeded(unsigned long, WebCore::ImageFrame::Caching, std::optional<WebCore::SubsamplingLevel> const&) ()
    at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/ImageSource.cpp:457
#4  WebCore::ImageSource::frameAtIndexCacheIfNeeded(unsigned long, WebCore::ImageFrame::Caching, std::optional<WebCore::SubsamplingLevel> const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/ImageSource.cpp:433
#5  WebCore::ImageSource::frameImageAtIndexCacheIfNeeded(unsigned long, WebCore::SubsamplingLevel) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/ImageSource.cpp:705
#6  WebCore::BitmapImage::frameImageAtIndexCacheIfNeeded(unsigned long, WebCore::SubsamplingLevel) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/BitmapImage.cpp:137
#7  0x00007f38f8b843fa in WebCore::BitmapImage::draw(WebCore::GraphicsContext&, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) ()
    at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/BitmapImage.cpp:302
#8  0x00007f38f8baec6e in WebCore::GraphicsContext::drawImage(WebCore::Image&, WebCore::FloatRect const&, WebCore::ImagePaintingOptions const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/GraphicsContext.cpp:649
#9  0x00007f38f8d4fea4 in WebCore::RenderImage::paintIntoRect(WebCore::PaintInfo&, WebCore::FloatRect const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderImage.cpp:689
#10 0x00007f38f8d686ca in WebCore::RenderImage::paintReplaced(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderImage.cpp:578
#11 0x00007f38f8dc3564 in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderReplaced.cpp:279
#12 0x00007f38f8d68c43 in WebCore::RenderImage::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderImage.cpp:596
#13 0x00007f38f8cbd39e in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) ()
    at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderBlock.cpp:1203
#14 0x00007f38f8c7b755 in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderBlock.cpp:1167
#15 0x00007f38f8cdc931 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderBlock.cpp:1160
#16 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderBlock.cpp:1135
#17 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderBlock.cpp:1319
#18 0x00007f38f8c7b566 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderBlock.cpp:1123
#19 0x00007f38f8cbd39e in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) ()
    at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderBlock.cpp:1203
#20 0x00007f38f8c7b755 in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderBlock.cpp:1167
#21 0x00007f38f8cdc931 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderBlock.cpp:1160
#22 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderBlock.cpp:1135
#23 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderBlock.cpp:1319
#24 0x00007f38f8c7b566 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderBlock.cpp:1123
#25 0x00007f38f8d4a2e7 in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderLayer.cpp:3928
#26 0x00007f38f8d71e6d in WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderLayer.cpp:3905
#27 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) ()
    at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderLayer.cpp:3486
#28 0x00007f38f8d742f5 in WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) ()
    at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderLayer.cpp:3603
#29 0x00007f38f8d711e2 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) ()
    at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderLayer.cpp:3502
#30 0x00007f38f8d84a25 in operator() () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderLayerBacking.cpp:3248
#31 WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::EventRegionContext*) ()
    at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderLayerBacking.cpp:3266
#32 0x00007f38f8d8552d in WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) ()
    at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/rendering/RenderLayerBacking.cpp:3527
#33 0x00007f38f7ac61fe in WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/GraphicsLayer.cpp:541
#34 operator() () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/nicosia/NicosiaPaintingEngineBasic.cpp:66
#35 paint<Nicosia::PaintingEngineBasic::paint(WebCore::GraphicsLayer&, WTF::Ref<Nicosia::Buffer>&&, const WebCore::IntRect&, const WebCore::IntRect&, const WebCore::IntRect&, float)::<lambda(WebCore::GraphicsContext&)> > ()
    at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/nicosia/NicosiaPaintingContext.h:49
#36 Nicosia::PaintingEngineBasic::paint(WebCore::GraphicsLayer&, WTF::Ref<Nicosia::Buffer, WTF::RawPtrTraits<Nicosia::Buffer> >&&, WebCore::IntRect const&, WebCore::IntRect const&, WebCore::IntRect const&, float) ()
    at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/nicosia/NicosiaPaintingEngineBasic.cpp:49
#37 0x00007f38f7ae1fc8 in WebCore::CoordinatedGraphicsLayer::updateContentBuffers() () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:1177
#38 0x00007f38f7ae364e in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:1091
--Type <RET> for more, q to quit, c to continue without paging--c
#39 WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:1094
#40 WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:1094
#41 WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:1094
#42 WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:1094
#43 0x00007f38f7a0a626 in WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() () at /usr/src/debug/webkitgtk-2.36.7/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:1094
#44 WebKit::CompositingCoordinator::flushPendingLayerChanges(WTF::OptionSet<WebCore::FinalizeRenderingUpdateFlags>) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp:136
#45 0x00007f38f7a10e3a in WebKit::LayerTreeHost::layerFlushTimerFired() () at /usr/src/debug/webkitgtk-2.36.7/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:157
#46 0x00007f38f61d73f0 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::_FUN(void*) () at /usr/src/debug/webkitgtk-2.36.7/Source/WTF/wtf/glib/RunLoopGLib.cpp:177
#47 0x00007f38f620e706 in operator() () at /usr/src/debug/webkitgtk-2.36.7/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#48 _FUN() () at /usr/src/debug/webkitgtk-2.36.7/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#49 0x00007f38f6965c6b in g_main_dispatch (context=0x55aec803f320) at ../glib/glib/gmain.c:3417
#50 g_main_context_dispatch (context=0x55aec803f320) at ../glib/glib/gmain.c:4135
#51 0x00007f38f69bc001 in g_main_context_iterate.constprop.0 (context=0x55aec803f320, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/glib/gmain.c:4211
#52 0x00007f38f69651cf in g_main_loop_run (loop=0x55aec8127610) at ../glib/glib/gmain.c:4411
#53 0x00007f38f61fb812 in WTF::RunLoop::run() () at /usr/src/debug/webkitgtk-2.36.7/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#54 0x00007f38f79f0843 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebKit/Shared/AuxiliaryProcessMain.h:70
#55 WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebKit/Shared/AuxiliaryProcessMain.h:57
#56 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebKit/Shared/AuxiliaryProcessMain.h:96
#57 WebKit::WebProcessMain(int, char**) () at /usr/src/debug/webkitgtk-2.36.7/Source/WebKit/WebProcess/gtk/WebProcessMainGtk.cpp:98
#58 0x00007f38f6c3c2d0 in __libc_start_call_main (main=main@entry=0x55aec7a83020 <main()>, argc=argc@entry=3, argv=argv@entry=0x7ffce61ac798) at ../sysdeps/nptl/libc_start_call_main.h:58
#59 0x00007f38f6c3c38a in __libc_start_main_impl (main=0x55aec7a83020 <main()>, argc=3, argv=0x7ffce61ac798, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffce61ac788) at ../csu/libc-start.c:381
#60 0x000055aec7a83055 in _start () at ../sysdeps/x86_64/start.S:115
(gdb)
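Added illustration, not code from WebKit, OpenJPEG or this report: OpenJPEG stores a 2x2-subsampled component in a buffer of roughly (w/2)*(h/2) samples, so indexing comps[1] with the offset computed for the full-resolution comps[0] (the pattern at the crashing line, JPEG2000ImageDecoder.cpp:523 above) reads past the end of that buffer. The struct below is a constructed stand-in for the relevant opj_image_comp_t fields (dx, dy, w, h, data); sample_at maps a full-resolution pixel to the component grid and bounds-checks it, and naive_overruns counts how many reads the unscaled offset would place out of range.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed stand-in for the opj_image_comp_t fields used here; the
 * real OpenJPEG struct has more members. */
typedef struct {
    uint32_t dx, dy;  /* subsampling factors, 1 = full resolution */
    uint32_t w, h;    /* size of this component in component samples */
    int32_t *data;    /* w * h samples, not imgW * imgH */
} comp_t;
/* Sample of component c covering full-resolution pixel (x, y), or -1 if the
 * lookup falls outside the buffer (samples here are non-negative). */
static int32_t sample_at(const comp_t *c, uint32_t x, uint32_t y)
{
    if (!c->data || c->dx == 0 || c->dy == 0)
        return -1;
    uint32_t cx = x / c->dx, cy = y / c->dy;   /* map to component grid */
    if (cx >= c->w || cy >= c->h)
        return -1;
    return c->data[(size_t)cy * c->w + cx];
}
/* Build one component of an img_w x img_h image with factors dx, dy (both
 * nonzero), filled with its own sample index so lookups can be checked. */
static comp_t make_comp(uint32_t img_w, uint32_t img_h, uint32_t dx, uint32_t dy)
{
    comp_t c = { dx, dy, (img_w + dx - 1) / dx, (img_h + dy - 1) / dy, NULL };
    c.data = malloc((size_t)c.w * c.h * sizeof *c.data);
    for (size_t i = 0; c.data && i < (size_t)c.w * c.h; i++)
        c.data[i] = (int32_t)i;
    return c;
}
/* Sample at (x, y) of a freshly built component, or -1 if out of range. */
int32_t probe(uint32_t img_w, uint32_t img_h, uint32_t dx, uint32_t dy,
              uint32_t x, uint32_t y)
{
    comp_t c = make_comp(img_w, img_h, dx, dy);
    int32_t v = sample_at(&c, x, y);
    free(c.data);
    return v;
}
/* Pixel positions whose full-resolution offset y*img_w + x lands past the end
 * of a dx x dy subsampled buffer, i.e. the out-of-bounds reads a decoder makes
 * when it indexes comps[1] with the offset computed for comps[0]. */
size_t naive_overruns(uint32_t img_w, uint32_t img_h, uint32_t dx, uint32_t dy)
{
    size_t limit = (size_t)((img_w + dx - 1) / dx) * ((img_h + dy - 1) / dy);
    size_t total = (size_t)img_w * img_h;
    return total > limit ? total - limit : 0;
}
```

For an 8x6 image with 2x2 chroma subsampling the component holds only 12 samples, so 36 of the 48 full-resolution offsets point past its end.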
Comment 3 Adrian Perez 2022-08-30 01:27:37 PDT
(In reply to Adrian Perez from comment #0)
> Created attachment 462002 [details]
> Sample image, JP2 format
> 
> Any JPEG2000 image which uses 2x2 subsampling will cause a crash when
> decoding it with WebKitGTK/WPE. I am attaching a sample image which
> can be used to reproduce the issue, created with:
> 
>   % opj_compress -i haisuli.png -o haisuli.jp2 -s 2,2
> 
> (The “opj_compress” tool is part of the OpenJPEG package.)

GIMP opens the sample image just fine, using exactly the same build of
the OpenJPEG library as WebKit.