jp2_dec: fix numchans mixup

When iterating over `dec->cdef->data.cdef.ents`, we need to use its `numchans` variable, not the one in `jp2_dec_t`. Fixes CVE-2018-19543 Fixes CVE-2017-9782 Closes #13 Closes #18 Closes jasper-software/jasper#140 Closes jasper-software/jasper#182
jasper-maint · Jun 28, 2020 · 839b1bc · 839b1bc
1 parent 24453e7
commit 839b1bc
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c
@@ -400,7 +400,7 @@ jas_image_t *jp2_decode(jas_stream_t *in, const char *optstr)
 
 	/* Determine the type of each component. */
 	if (dec->cdef) {
-		for (i = 0; i < dec->numchans; ++i) {
+		for (i = 0; i < dec->cdef->data.cdef.numchans; ++i) {
 			/* Is the channel number reasonable? */
 			if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
 				jas_eprintf("error: invalid channel number in CDEF box\n");