From 00bd500b2740110eeed09adc25df6baaba82232c Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Wed, 31 Oct 2018 15:56:11 +0100
Subject: [PATCH] openjp2/jp2: Validate all SGcod and SPcod parameters.

Previously the multiple component transformation SGcod(C)
and wavelet transformation (SPcod(H) parameter values were
never checked, which allowed for out of range values.

The lack of validation allowed the provided codestream in
issue #1158 through, but after this commit there is an error.
---
 src/lib/openjp2/j2k.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index 4169cd672..b3532854b 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -2714,6 +2714,11 @@ static OPJ_BOOL opj_j2k_read_cod(opj_j2k_t *p_j2k,
     opj_read_bytes(p_header_data, &l_tcp->mct, 1);          /* SGcod (C) */
     ++p_header_data;
 
+    if (l_tcp->mct > 1) {
+        opj_event_msg(p_manager, EVT_ERROR, "Invalid multiple component transformation\n");
+        return OPJ_FALSE;
+    }
+
     p_header_size -= 5;
     for (i = 0; i < l_image->numcomps; ++i) {
         l_tcp->tccps[i].csty = l_tcp->csty & J2K_CCP_CSTY_PRT;
@@ -9804,6 +9809,12 @@ static OPJ_BOOL opj_j2k_read_SPCod_SPCoc(opj_j2k_t *p_j2k,
     opj_read_bytes(l_current_ptr, &l_tccp->qmfbid, 1);              /* SPcoc (H) */
     ++l_current_ptr;
 
+    if (l_tccp->qmfbid > 1) {
+        opj_event_msg(p_manager, EVT_ERROR,
+                      "Error reading SPCod SPCoc element, Invalid transformation found\n");
+        return OPJ_FALSE;
+    }
+
     *p_header_size = *p_header_size - 5;
 
     /* use custom precinct size ? */