From 533d92aa8e586dfd35cba92f467261ea400871eb Mon Sep 17 00:00:00 2001 From: Mathieu Malaterre Date: Wed, 26 Feb 2014 11:21:18 +0000 Subject: [PATCH] [trunk] Import patch from sumatrapdf team. This handle some testcase with no input dataset, but changes looks ok. Update issue 225 --- src/lib/openjp2/jp2.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c index 3678be67..0af1f960 100644 --- a/src/lib/openjp2/jp2.c +++ b/src/lib/openjp2/jp2.c @@ -980,6 +980,11 @@ OPJ_BOOL opj_jp2_read_pclr( opj_jp2_t *jp2, for(i = 0; i < nr_channels; ++i) { OPJ_INT32 bytes_to_read = (channel_size[i]+7)>>3; + if (bytes_to_read > sizeof(OPJ_UINT32)) + bytes_to_read = sizeof(OPJ_UINT32); + if ((ptrdiff_t)p_pclr_header_size < p_pclr_header_data - orig_header_data + bytes_to_read) + return OPJ_FALSE; + if (bytes_to_read > sizeof(OPJ_UINT32)) bytes_to_read = sizeof(OPJ_UINT32); if ((ptrdiff_t)p_pclr_header_size < p_pclr_header_data - orig_header_data + bytes_to_read) @@ -1031,6 +1036,11 @@ OPJ_BOOL opj_jp2_read_cmap( opj_jp2_t * jp2, return OPJ_FALSE; } + if (p_cmap_header_size < (OPJ_UINT32)nr_channels * 4) { + opj_event_msg(p_manager, EVT_ERROR, "Insufficient data for CMAP box.\n"); + return OPJ_FALSE; + } + cmap = (opj_jp2_cmap_comp_t*) opj_malloc(nr_channels * sizeof(opj_jp2_cmap_comp_t)); if (!cmap) return OPJ_FALSE; @@ -1122,6 +1132,11 @@ OPJ_BOOL opj_jp2_read_cdef( opj_jp2_t * jp2, return OPJ_FALSE; } + if (p_cdef_header_size < 2) { + opj_event_msg(p_manager, EVT_ERROR, "Insufficient data for CDEF box.\n"); + return OPJ_FALSE; + } + opj_read_bytes(p_cdef_header_data,&l_value ,2); /* N */ p_cdef_header_data+= 2; 
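Review bot: The lines added in opj_jp2_read_pclr repeat, token for token, the clamp of `bytes_to_read` and the bounds check against `p_pclr_header_size` that already follow them as context, so the loop body now runs the same test twice per entry. The second copy can never change the outcome, so keep a single copy and drop the added block. The comparison `bytes_to_read > sizeof(OPJ_UINT32)` also mixes an OPJ_INT32 with a size_t; the value appears non-negative here, but `(OPJ_INT32)sizeof(OPJ_UINT32)` would avoid the sign-compare warning. This failure path returns OPJ_FALSE without an `opj_event_msg`, unlike the CMAP and CDEF checks in the same patch. The function body starts and ends outside the hunk, so whether buffers allocated earlier are released on this early return cannot be confirmed from here.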
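Review bot: The literal `4` in the new size check in opj_jp2_read_cmap is unexplained. It is the per-channel entry size, and a comment such as `/* each entry: CMP (2 bytes) + MTYP (1) + PCOL (1) */` above the check would tie it to the read loop, which lies outside the hunk. The same applies to the `2` and `6` in the two checks added to opj_jp2_read_cdef, where `/* N (2 bytes), then N entries of Cn, Typ, Asoc (2 bytes each) */` would do. Where `nr_channels` is assigned is not visible here, so the check presumably relies on that value having been validated before this box is parsed.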
@@ -1135,6 +1150,11 @@ OPJ_BOOL opj_jp2_read_cdef( opj_jp2_t * jp2, return OPJ_FALSE; } + if (p_cdef_header_size < 2 + (OPJ_UINT32)(OPJ_UINT16)l_value * 6) { + opj_event_msg(p_manager, EVT_ERROR, "Insufficient data for CDEF box.\n"); + return OPJ_FALSE; + } + cdef_info = (opj_jp2_cdef_info_t*) opj_malloc(l_value * sizeof(opj_jp2_cdef_info_t)); if (!cdef_info) return OPJ_FALSE;
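Review bot: The second check in opj_jp2_read_cdef truncates the count with `(OPJ_UINT16)l_value`, while the `opj_malloc` call just below it multiplies the untruncated `l_value`. The two agree only while `l_value` holds nothing beyond the two bytes read in the previous hunk, and nothing in this hunk enforces that. Storing the count once in an OPJ_UINT16 local declared with the function's other locals, for example `l_count = (OPJ_UINT16)l_value;`, and using it in both the size check and the allocation would keep the validated count and the allocated size from drifting apart. The function continues past the hunk, so the loop that consumes the 6-byte entries is not visible here.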