[1.5] missing range check in j2k_read_coc et al.

Fixes issue 166

1 files changed, 21 insertions, 1 deletions

diff --git a/libopenjpeg/j2k.c b/libopenjpeg/j2k.c
index 2900e911..77acfe09 100644
--- a/libopenjpeg/j2k.c
+++ b/libopenjpeg/j2k.c
@@ -835,6 +835,12 @@ static void j2k_read_coc(opj_j2k_t *j2k) {
 	
 	len = cio_read(cio, 2);		/* Lcoc */
 	compno = cio_read(cio, image->numcomps <= 256 ? 1 : 2);	/* Ccoc */
+  if (compno >= image->numcomps) {
+    opj_event_msg(j2k->cinfo, EVT_ERROR,
+      "bad component number in COC (%d out of a maximum of %d)\n",
+      compno, image->numcomps);
+    return;
+  }
 	tcp->tccps[compno].csty = cio_read(cio, 1);	/* Scoc */
 	j2k_read_cox(j2k, compno);
 }
@@ -1016,9 +1022,16 @@ static void j2k_read_qcc(opj_j2k_t *j2k) {
 
 		/* keep your private count of tiles */
 		backup_compno++;
-	};
+	}
 #endif /* USE_JPWL */
 
+  if ((compno < 0) || (compno >= numcomp)) {
+    opj_event_msg(j2k->cinfo, EVT_ERROR,
+      "bad component number in QCC (%d out of a maximum of %d)\n",
+      compno, j2k->image->numcomps);
+    return;
+  }
+
 	j2k_read_qcx(j2k, compno, len - 2 - (numcomp <= 256 ? 1 : 2));
 }
 
@@ -1602,6 +1615,13 @@ static void j2k_read_rgn(opj_j2k_t *j2k) {
 	};
 #endif /* USE_JPWL */
 
+  if (compno >= numcomps) {
+    opj_event_msg(j2k->cinfo, EVT_ERROR,
+      "bad component number in RGN (%d out of a maximum of %d)\n",
+      compno, j2k->image->numcomps);
+    return;
+  }
+
 	tcp->tccps[compno].roishift = cio_read(cio, 1);				/* SPrgn */
 }