From 4776f4847774ca346da4d07d13c193f910d5cdeb Mon Sep 17 00:00:00 2001
From: Mathieu Malaterre <mathieu.malaterre@gmail.com>
Date: Mon, 10 Sep 2012 11:16:55 +0000
Subject: [PATCH] [1.5] Fix Heap-based buffer-overflow when decoding openjpeg
 image

Thanks to Huzaifa Sidhpurwala of Red Hat Security Response Team for dataset to reproduce the issue.
Fixes issue 170
---
 libopenjpeg/j2k.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libopenjpeg/j2k.c b/libopenjpeg/j2k.c
index 093d3c5c..3f8e2790 100644
--- a/libopenjpeg/j2k.c
+++ b/libopenjpeg/j2k.c
@@ -694,6 +694,12 @@ static void j2k_read_cox(opj_j2k_t *j2k, int compno) {
 					"of resolutions of this component\nModify the cp_reduce parameter.\n\n", compno);
 		j2k->state |= J2K_STATE_ERR;
 	}
+  if( tccp->numresolutions > J2K_MAXRLVLS ) {
+    opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions is too big: %d vs max= %d. Truncating.\n\n",
+      compno, tccp->numresolutions, J2K_MAXRLVLS);
+		j2k->state |= J2K_STATE_ERR;
+    tccp->numresolutions = J2K_MAXRLVLS;
+ }
 
 	tccp->cblkw = cio_read(cio, 1) + 2;	/* SPcox (E) */
 	tccp->cblkh = cio_read(cio, 1) + 2;	/* SPcox (F) */