j2kdec: Fix crash in get_qcx

Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 282bb02839b1ce73963c8e3ee46804f1ade8b12a) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2011-12-24 06:17:12 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-01-03 22:31:06 +0100
commit: 3073564a974caa90d2594695df946c30a6b1790b (patch)
tree: 060b1a553f0b26dceb1b42ff7e280a75d6ca02d4
parent: 5e3389b7427639597acb970c5cb65d3f8ddb7211 (diff)
download: ffmpeg-3073564a974caa90d2594695df946c30a6b1790b.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c
index 4e11030cb8..e35c97d860 100644
--- a/libavcodec/j2kdec.c
+++ b/libavcodec/j2kdec.c
@@ -365,7 +365,7 @@ static int get_qcx(J2kDecoderContext *s, int n, J2kQuantStyle *q)
 
     if (q->quantsty == J2K_QSTY_NONE){
         n -= 3;
-        if (s->buf_end - s->buf < n)
+        if (s->buf_end - s->buf < n || 32*3 < n)
             return AVERROR(EINVAL);
         for (i = 0; i < n; i++)
             q->expn[i] = bytestream_get_byte(&s->buf) >> 3;
@@ -382,7 +382,7 @@ static int get_qcx(J2kDecoderContext *s, int n, J2kQuantStyle *q)
         }
     } else{
         n = (n - 3) >> 1;
-        if (s->buf_end - s->buf < n)
+        if (s->buf_end - s->buf < n || 32*3 < n)
             return AVERROR(EINVAL);
         for (i = 0; i < n; i++){
             x = bytestream_get_be16(&s->buf);
author	Michael Niedermayer <michaelni@gmx.at>	2011-12-24 06:17:12 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-01-03 22:31:06 +0100
commit	3073564a974caa90d2594695df946c30a6b1790b (patch)
tree	060b1a553f0b26dceb1b42ff7e280a75d6ca02d4
parent	5e3389b7427639597acb970c5cb65d3f8ddb7211 (diff)
download	ffmpeg-3073564a974caa90d2594695df946c30a6b1790b.tar.gz