Index: libopenjpeg/j2k.c
===================================================================
--- libopenjpeg/j2k.c (revision 2032)
+++ libopenjpeg/j2k.c (revision 2033)
@@ -835,6 +835,12 @@
len = cio_read(cio, 2); /* Lcoc */
compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2); /* Ccoc */
+ if (compno >= image->numcomps) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR,
+ "bad component number in COC (%d out of a maximum of %d)\n",
+ compno, image->numcomps);
+ return;
+ }
tcp->tccps[compno].csty = cio_read(cio, 1); /* Scoc */
j2k_read_cox(j2k, compno);
}
@@ -1016,9 +1022,16 @@
/* keep your private count of tiles */
backup_compno++;
- };
+ }
#endif /* USE_JPWL */
+ if ((compno < 0) || (compno >= numcomp)) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR,
+ "bad component number in QCC (%d out of a maximum of %d)\n",
+ compno, j2k->image->numcomps);
+ return;
+ }
+
j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2));
}
@@ -1602,6 +1615,13 @@
};
#endif /* USE_JPWL */
+ if (compno >= numcomps) {
+ opj_event_msg(j2k->cinfo, EVT_ERROR,
+ "bad component number in RGN (%d out of a maximum of %d)\n",
+ compno, j2k->image->numcomps);
+ return;
+ }
+
tcp->tccps[compno].roishift = cio_read(cio, 1); /* SPrgn */
}