From 70fed019ae4f78582d0ab17a38688e8bce409f21 Mon Sep 17 00:00:00 2001
From: Andrey Kamaev
Date: Wed, 29 Aug 2012 02:03:20 +0400
Subject: [PATCH] Apply 03-CVE-2011-4516-and-CVE-2011-4517 patch from debian libjasper-dev (1.900.1-13) package
---
 3rdparty/libjasper/jpc_cs.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/3rdparty/libjasper/jpc_cs.c b/3rdparty/libjasper/jpc_cs.c
index 85378d6..97d607e 100644
--- a/3rdparty/libjasper/jpc_cs.c
+++ b/3rdparty/libjasper/jpc_cs.c
@@ -743,6 +743,10 @@ static int jpc_cox_getcompparms(jpc_ms_t *ms, jpc_cstate_t *cstate,
 return -1;
 }
 compparms->numrlvls = compparms->numdlvls + 1;
+ if (compparms->numrlvls > JPC_MAXRLVLS) {
+ jpc_cox_destroycompparms(compparms);
+ return -1;
+ }
 if (prtflag) {
 for (i = 0; i < compparms->numrlvls; ++i) {
 if (jpc_getuint8(in, &tmp)) {
@@ -1330,7 +1334,7 @@ static int jpc_crg_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, jas_stream_t *in
 jpc_crgcomp_t *comp;
 uint_fast16_t compno;
 crg->numcomps = cstate->numcomps;
- if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(uint_fast16_t)))) {
+ if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(jpc_crgcomp_t)))) {
 return -1;
 }
 for (compno = 0, comp = crg->comps; compno < cstate->numcomps;
-- 
2.7.4
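Review bot: The new bound in the jpc_cox_getcompparms hunk has no comment saying why it exists, so a later cleanup could drop it as redundant. numrlvls is computed from numdlvls on the line above and then drives the `for (i = 0; i < compparms->numrlvls; ++i)` loop. The value appears to come from the codestream, and the loop presumably fills a per-level table sized by JPC_MAXRLVLS, though neither is visible in the hunk. I would add `/* numdlvls comes from the input; reject level counts larger than the fixed per-level table before the loop below indexes it */` above the check. The function starts and ends outside the hunk, so the loop's writes should be confirmed against that table's declaration.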
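Review bot: In the jpc_crg_getparms hunk the element size is still spelled as a type name, which is the pattern that let the allocation fall out of step with `crg->comps` before this change. Taking the size from the pointer keeps the two tied together: `if (!(crg->comps = jas_alloc2(cstate->numcomps, sizeof(*crg->comps)))) {`. The loop that follows walks `comp` over `cstate->numcomps` entries, so an undersized element presumably leads to writes past the end of the heap buffer. The function continues outside the hunk, and other jas_alloc2 call sites in the file are not visible here; they may deserve the same audit.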