issue #695 MQ Encode: ensure that bp pointer never points to uninitialized memory

author: Aaron Boxer <boxerab@gmail.com> 2016-01-28 19:34:00 -0500
committer: Aaron Boxer <boxerab@gmail.com> 2016-01-28 19:34:00 -0500
commit: e3100f714c2bae3da26877020048e2cf5906172b (patch)
tree: 09597c3a1b32d2f286453d0443968dc118eb2965 /src
parent: 5c5ae1d51a3b5a1c4e68ae0323f7a14d7628f465 (diff)
1 files changed, 3 insertions, 5 deletions
diff --git a/src/lib/openjp2/mqc.c b/src/lib/openjp2/mqc.c
index 7e0f5637..e6e4cc87 100644
--- a/src/lib/openjp2/mqc.c
+++ b/src/lib/openjp2/mqc.c
@@ -203,13 +203,14 @@ static opj_mqc_state_t mqc_states[47 * 2] = {
 */
 
 static void opj_mqc_byteout(opj_mqc_t *mqc) {
-	if (*mqc->bp == 0xff) {
+	OPJ_BYTE bp_in_bounds = (mqc->bp >= mqc->start);
+	if (bp_in_bounds & (*mqc->bp == 0xff)) {
 		mqc->bp++;
 		*mqc->bp = (OPJ_BYTE)(mqc->c >> 20);
 		mqc->c &= 0xfffff;
 		mqc->ct = 7;
 	} else {
-		if ((mqc->c & 0x8000000) == 0) {	/* ((mqc->c&0x8000000)==0) CHANGE */
+		if ((bp_in_bounds ^ 1) | ((mqc->c & 0x8000000) == 0)) {	
 			mqc->bp++;
 			*mqc->bp = (OPJ_BYTE)(mqc->c >> 19);
 			mqc->c &= 0x7ffff;
@@ -395,9 +396,6 @@ void opj_mqc_init_enc(opj_mqc_t *mqc, OPJ_BYTE *bp) {
 	mqc->c = 0;
 	mqc->bp = bp - 1;
 	mqc->ct = 12;
-	if (*mqc->bp == 0xff) {
-		mqc->ct = 13;
-	}
 	mqc->start = bp;
 }
author	Aaron Boxer <boxerab@gmail.com>	2016-01-28 19:34:00 -0500
committer	Aaron Boxer <boxerab@gmail.com>	2016-01-28 19:34:00 -0500
commit	e3100f714c2bae3da26877020048e2cf5906172b (patch)
tree	09597c3a1b32d2f286453d0443968dc118eb2965 /src
parent	5c5ae1d51a3b5a1c4e68ae0323f7a14d7628f465 (diff)