From cf04af2086be105ff86088357b83d672d38417d9 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 1 Jul 2013 10:01:15 +0200
Subject: [PATCH 1/3] jpeg2000: Check that we have enough components for MCT

Avoid overread.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
Signed-off-by: Luca Barbato
---
 libavcodec/jpeg2000dec.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index d0608f97f4..2abba868a4 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -343,6 +343,13 @@ static int get_cod(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *c,
     tmp.nlayers = bytestream2_get_be16u(&s->g);
     tmp.mct = bytestream2_get_byteu(&s->g); // multiple component transformation
+    if (tmp.mct && s->ncomponents < 3) {
+        av_log(s->avctx, AV_LOG_ERROR,
+               "MCT %d with too few components (%d)\n",
+               tmp.mct, s->ncomponents);
+        return AVERROR_INVALIDDATA;
+    }
+
     if ((ret = get_cox(s, &tmp)) < 0)
         return ret;

From b44925ae6b4bb7b9409053265005d9acada82057 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 1 Jul 2013 10:01:16 +0200
Subject: [PATCH 2/3] jpeg2000: Initialize code blocks structures in precincts to 0

Prevent use of uninitialized memory / valgrind failure.

Found-by: ubitux
Signed-off-by: Michael Niedermayer
Signed-off-by: Luca Barbato
---
 libavcodec/jpeg2000.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c
index 51823e6cd7..cd6f58de0e 100644
--- a/libavcodec/jpeg2000.c
+++ b/libavcodec/jpeg2000.c
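Review bot: The new guard in get_cod depends on `s->ncomponents` already having been set by the SIZ marker when this COD is parsed, and nothing in the hunk shows that ordering is enforced; with a zero or not-yet-parsed component count the stream is rejected here only if `tmp.mct` is non-zero, and otherwise falls through to get_cox as before. A comment at the check would make that dependency visible to the next reader, e.g. `/* RCT/ICT operate on components 0..2, so a valid SIZ (s->ncomponents) must precede this COD */`. The body of get_cod continues outside the hunk.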
@@ -416,9 +416,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
             if (!prec->zerobits)
                 return AVERROR(ENOMEM);
-            prec->cblk = av_malloc_array(prec->nb_codeblocks_width *
-                                         prec->nb_codeblocks_height,
-                                         sizeof(*prec->cblk));
+            prec->cblk = av_mallocz_array(prec->nb_codeblocks_width *
+                                          prec->nb_codeblocks_height,
+                                          sizeof(*prec->cblk));
             if (!prec->cblk)
                 return AVERROR(ENOMEM);
             for (cblkno = 0; cblkno < prec->nb_codeblocks_width * prec->nb_codeblocks_height; cblkno++) {

From 4cbd5ed11b0161a6a192174934b241e0cc0599a9 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 1 Jul 2013 10:01:17 +0200
Subject: [PATCH 3/3] jpeg2000: Fix compute precedence error in lut_gain index

Signed-off-by: Luca Barbato
---
 libavcodec/jpeg2000.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c
index cd6f58de0e..b1236993ac 100644
--- a/libavcodec/jpeg2000.c
+++ b/libavcodec/jpeg2000.c
@@ -285,7 +285,7 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
             case JPEG2000_QSTY_NONE:
                 /* TODO: to verify. No quantization in this case */
                 numbps = cbps +
-                         lut_gain[codsty->transform][bandno + reslevelno > 0];
+                         lut_gain[codsty->transform][bandno + (reslevelno > 0)];
                 band->stepsize = (float)SHL(2048 + qntsty->mant[gbandno],
                                             2 + numbps - qntsty->expn[gbandno]);
                 break;
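Review bot: The element count `prec->nb_codeblocks_width * prec->nb_codeblocks_height` is still multiplied as `int` before it is handed to av_mallocz_array, so whatever overflow check that helper performs only sees the already-multiplied value, and the same product is recomputed in the `for` condition on the last line of the hunk. Unless both counts are bounded earlier in ff_jpeg2000_init_component (outside the hunk), computing it once in `size_t` closes that gap: `size_t nb_cblks = (size_t)prec->nb_codeblocks_width * prec->nb_codeblocks_height;` followed by `prec->cblk = av_mallocz_array(nb_cblks, sizeof(*prec->cblk));` and `for (cblkno = 0; cblkno < nb_cblks; cblkno++) {`. Switching to a zeroing allocator also hides rather than records the uninitialized read named in the commit message; a one-line comment above the allocation naming which Jpeg2000Cblk fields the loop below does not set would tell the next reader why zero-fill is required here. The enclosing function starts and ends outside the hunk.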
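Review bot: The corrected index `bandno + (reslevelno > 0)` is right but still reads as a puzzle: it presumably encodes that resolution level 0 carries a single band while every higher level carries three, offset by one slot in lut_gain, and nothing near the line states that or the table's bounds. A comment on the changed line would stop the next reader from "simplifying" it back, e.g. `/* level 0 has only the LL band (gain slot 0); higher levels have HL/LH/HH in slots 1..3 */`, with the slot names to be confirmed against the lut_gain definition, which is outside the hunk. The surrounding `switch` and ff_jpeg2000_init_component itself extend beyond the hunk in both directions.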