diff -urNp old/src/libjasper/jpc/jpc_cs.c new/src/libjasper/jpc/jpc_cs.c
--- old/src/libjasper/jpc/jpc_cs.c 2018-06-21 09:16:03.401642013 +0200
+++ new/src/libjasper/jpc/jpc_cs.c 2018-06-21 09:36:47.278110112 +0200
@@ -782,29 +782,37 @@ static int jpc_cox_getcompparms(jpc_ms_t
jpc_getuint8(in, &compparms->qmfbid)) {
return -1;
}
+ if (compparms->numdlvls > 32) {
+ goto error;
+ }
+ if (compparms->qmfbid != JPC_COX_INS &&
+ compparms->qmfbid != JPC_COX_RFT)
+ goto error;
compparms->numrlvls = compparms->numdlvls + 1;
if (compparms->numrlvls > JPC_MAXRLVLS) {
- jpc_cox_destroycompparms(compparms);
- return -1;
+ goto error;
}
if (prtflag) {
for (i = 0; i < compparms->numrlvls; ++i) {
if (jpc_getuint8(in, &tmp)) {
- jpc_cox_destroycompparms(compparms);
- return -1;
+ goto error;
}
compparms->rlvls[i].parwidthval = tmp & 0xf;
compparms->rlvls[i].parheightval = (tmp >> 4) & 0xf;
}
-/* Sigh. This bit should be in the same field in both COC and COD mrk segs. */
-compparms->csty |= JPC_COX_PRT;
- } else {
+ /* Sigh.
+ This bit should be in the same field in both COC and COD mrk segs. */
+ compparms->csty |= JPC_COX_PRT;
}
if (jas_stream_eof(in)) {
- jpc_cox_destroycompparms(compparms);
- return -1;
+ goto error;
}
return 0;
+error:
+ if (compparms) {
+ jpc_cox_destroycompparms(compparms);
+ }
+ return -1;
}
static int jpc_cox_putcompparms(jpc_ms_t *ms, jpc_cstate_t *cstate,