From ab4de904e7dc1deee83122cd2bf6e0e7f4eb2eb0 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 16 Aug 2017 13:11:36 +0200
Subject: [PATCH] imagetotga(): fix read heap buffer overflow if numcomps < 3
 (#987)

---
 src/bin/jp2/convert.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
index e2e16027..a4eb81f6 100644
--- a/src/bin/jp2/convert.c
+++ b/src/bin/jp2/convert.c
@@ -941,7 +941,7 @@ int imagetotga(opj_image_t * image, const char *outfile)
     int width, height, bpp, x, y;
     OPJ_BOOL write_alpha;
     unsigned int i;
-    int adjustR, adjustG, adjustB, fails;
+    int adjustR, adjustG = 0, adjustB = 0, fails;
     unsigned int alpha_channel;
     float r, g, b, a;
     unsigned char value;
@@ -986,8 +986,10 @@ int imagetotga(opj_image_t * image, const char *outfile)
     scale = 255.0f / (float)((1 << image->comps[0].prec) - 1);
 
     adjustR = (image->comps[0].sgnd ? 1 << (image->comps[0].prec - 1) : 0);
-    adjustG = (image->comps[1].sgnd ? 1 << (image->comps[1].prec - 1) : 0);
-    adjustB = (image->comps[2].sgnd ? 1 << (image->comps[2].prec - 1) : 0);
+    if (image->numcomps >= 3) {
+        adjustG = (image->comps[1].sgnd ? 1 << (image->comps[1].prec - 1) : 0);
+        adjustB = (image->comps[2].sgnd ? 1 << (image->comps[2].prec - 1) : 0);
+    }
 
     for (y = 0; y < height; y++) {
         unsigned int index = (unsigned int)(y * width);