cc9aa80
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
cc9aa80
index 0de088d..6310c08 100644
cc9aa80
--- a/src/jp2image.cpp
cc9aa80
+++ b/src/jp2image.cpp
cc9aa80
@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m)
cc9aa80
         DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
cc9aa80
         int     outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
cc9aa80
         int      inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
cc9aa80
+        enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
cc9aa80
         Jp2BoxHeader* pBox   = (Jp2BoxHeader*) boxBuf.pData_;
cc9aa80
         int32_t       length = getLong((byte*)&pBox->length, bigEndian);
cc9aa80
+        enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
cc9aa80
         int32_t       count  = sizeof (Jp2BoxHeader);
cc9aa80
         char*         p      = (char*) boxBuf.pData_;
cc9aa80
         bool          bWroteColor = false ;
cc9aa80
 
cc9aa80
         while ( count < length || !bWroteColor ) {
cc9aa80
+            enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
cc9aa80
             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
cc9aa80
 
cc9aa80
             // copy data.  pointer could be into a memory mapped file which we will decode!