Out of bound access in cap_mjpeg_encoder.cpp

[nicolasmartin3d]

Workaround: OpenCV 3.4.14: disabled parallel MJPEG encoder

---

System information (version)

• OpenCV => 3.2.0
• Operating System / Platform => Ubuntu 20.04
• Compiler => gcc 9.3.0

Detailed description

While using the cv::VideoWriter to write a MJPEG video, I sometimes get an error that causes an out of memory write/read in cap_mjpeg_encoder.cpp.
Tracking it down with valgrind, I got the following :

==27350== Thread 3:
==27350== Invalid write of size 4
==27350==    at 0x586AA3D: get_data (cap_mjpeg_encoder.cpp:533)
==27350==    by 0x586AA3D: cv::mjpeg::MotionJpegWriter::writeFrameData(unsigned char const*, int, int, int) (cap_mjpeg_encoder.cpp:1867)
==27350==    by 0x586D5A9: cv::mjpeg::MotionJpegWriter::write(cv::_InputArray const&) (cap_mjpeg_encoder.cpp:843)
==27350==    by 0x5866DD8: cv::VideoWriter::write(cv::Mat const&) (cap.cpp:776)

Looking at the code, there is even a warning :

        //bits == 0 means that last element shouldn't be used.
        m_output_buffer[m_data_len++] = currval;

And indeed, patching the code with :

        //bits == 0 means that last element shouldn't be used.
        if (bits != 0) m_output_buffer[m_data_len++] = currval;

I don't get the issue anymore.

Steps to reproduce

If needed, I could try to produce a MWE.

Issue submission checklist

• I report the issue, it's not a question
• I checked the problem with documentation, FAQ, open issues,
  forum.opencv.org, Stack Overflow, etc and have not found solution
• I updated to latest OpenCV version and the issue is still there
• There is reproducer code and related data files: videos, images, onnx, etc

[alalek]

Thank you for the report!
Could you please share frames to reproduce this problem locally?

[alalek]

if (bits != 0)

This fix is not enough.
ffplay starts emit error messages on created files.

    Size frame_size(320, 240);
    VideoWriter writer("test.avi", CAP_OPENCV_MJPEG, VideoWriter::fourcc('M', 'J', 'P', 'G'), 30, frame_size, true);

    for (int i = 0; i < 1000; i++)
    {
        Mat frame(frame_size, CV_8UC3, Scalar::all(0));
        cv::randu(frame, 0, 256);
        writer.write(frame);
    }

[alalek]

Reproducer is still necessary.

Currently we disabled parallel MJPEG encoding: #19812

[alalek]

If needed, I could try to produce a MWE.

@nicolasmartin3d Do you have a reproducer (with frames data if necessary) for this problem?

[nicolasmartin3d]

Sure, where should I upload ?

[alalek]

Attach files (or .zip archive) to the comment or the initial post.

[nicolasmartin3d]

Sorry for the delay !
I attached a simple reproducer for this bug in test_color.cpp.

Note that it also contains an (probably unrelated) other simple code (test_gray.cpp) that saves a MJPEG video of the frames converted in gray level. In this case, the program does not crash but the video is NOT correct. Does the MJPEG encoder supports saving gray level videos ? Tell me if I should open a separate issue for this one.

opencv_bug.zip