j2kdec & jpeg2000dec: check lengthinc against array size

Fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

2 files changed, 6 insertions, 2 deletions

diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c
index a02b84b820..f4b7e3e88b 100644
--- a/libavcodec/j2kdec.c
+++ b/libavcodec/j2kdec.c
@@ -577,7 +577,9 @@ static int decode_packet(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty,
             int xi;
             for (xi = band->prec[precno].xi0; xi < band->prec[precno].xi1; xi++){
                 Jpeg2000Cblk *cblk = band->cblk + yi * cblknw + xi;
-                if (bytestream2_get_bytes_left(&s->g) < cblk->lengthinc)
+                if (   bytestream2_get_bytes_left(&s->g) < cblk->lengthinc
+                    || sizeof(cblk->data) < cblk->lengthinc
+                )
                     return AVERROR(EINVAL);
                 bytestream2_get_bufferu(&s->g, cblk->data, cblk->lengthinc);
                 cblk->length += cblk->lengthinc;
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 0735da12f0..3992515c70 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -643,7 +643,9 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s,
         nb_code_blocks = prec->nb_codeblocks_height * prec->nb_codeblocks_width;
         for (cblkno = 0; cblkno < nb_code_blocks; cblkno++) {
             Jpeg2000Cblk *cblk = prec->cblk + cblkno;
-            if (bytestream2_get_bytes_left(&s->g) < cblk->lengthinc)
+            if (   bytestream2_get_bytes_left(&s->g) < cblk->lengthinc
+                || sizeof(cblk->data) < cblk->lengthinc
+            )
                 return AVERROR(EINVAL);
             /* Code-block data can be empty. In that case initialize data
              * with 0xFFFF. */