j2kdec & jpeg2000dec: check lengthinc against array size

Fixes out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-05-22 04:05:36 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2013-05-22 04:18:38 +0200
commit: 914ab4cd1c59eae10771f2d6a892ec6b6f36b0e2 (patch)
tree: d112cad05b0fb5449875df81c686303392fcadd5 /libavcodec/j2kdec.c
parent: 17e66c9ff4774e254932d34dade77b1c04139a4f (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c
index a02b84b820..f4b7e3e88b 100644
--- a/libavcodec/j2kdec.c
+++ b/libavcodec/j2kdec.c
@@ -577,7 +577,9 @@ static int decode_packet(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty,
             int xi;
             for (xi = band->prec[precno].xi0; xi < band->prec[precno].xi1; xi++){
                 Jpeg2000Cblk *cblk = band->cblk + yi * cblknw + xi;
-                if (bytestream2_get_bytes_left(&s->g) < cblk->lengthinc)
+                if (   bytestream2_get_bytes_left(&s->g) < cblk->lengthinc
+                    || sizeof(cblk->data) < cblk->lengthinc
+                )
                     return AVERROR(EINVAL);
                 bytestream2_get_bufferu(&s->g, cblk->data, cblk->lengthinc);
                 cblk->length += cblk->lengthinc;
author	Michael Niedermayer <michaelni@gmx.at>	2013-05-22 04:05:36 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2013-05-22 04:18:38 +0200
commit	914ab4cd1c59eae10771f2d6a892ec6b6f36b0e2 (patch)
tree	d112cad05b0fb5449875df81c686303392fcadd5 /libavcodec/j2kdec.c
parent	17e66c9ff4774e254932d34dade77b1c04139a4f (diff)