$OpenBSD: patch-libopenjpeg_j2k_c,v 1.3 2012/09/17 12:31:35 jasper Exp $

http://code.google.com/p/openjpeg/source/detail?r=1727 (CVE-2012-3358)
http://code.google.com/p/openjpeg/source/detail?r=1919 (CVE-2012-3535)

--- libopenjpeg/j2k.c.orig	Tue Feb  7 11:49:55 2012
+++ libopenjpeg/j2k.c	Mon Sep 17 13:56:12 2012
@@ -685,6 +685,13 @@ static void j2k_read_cox(opj_j2k_t *j2k, int compno) {
 		j2k->state |= J2K_STATE_ERR;
 	}
 
+	if( tccp->numresolutions > J2K_MAXRLVLS ) {
+	    opj_event_msg(j2k->cinfo, EVT_ERROR, "Error decoding component %d.\nThe number of resolutions is too big: %d vs max= %d. Truncating.\n\n",
+	      compno, tccp->numresolutions, J2K_MAXRLVLS);
+			j2k->state |= J2K_STATE_ERR;
+	    tccp->numresolutions = J2K_MAXRLVLS;
+	 }
+
 	tccp->cblkw = cio_read(cio, 1) + 2;	/* SPcox (E) */
 	tccp->cblkh = cio_read(cio, 1) + 2;	/* SPcox (F) */
 	tccp->cblksty = cio_read(cio, 1);	/* SPcox (G) */
@@ -1269,7 +1276,7 @@ static void j2k_read_sot(opj_j2k_t *j2k) {
 		static int backup_tileno = 0;
 
 		/* tileno is negative or larger than the number of tiles!!! */
-		if ((tileno < 0) || (tileno > (cp->tw * cp->th))) {
+		if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
 			opj_event_msg(j2k->cinfo, EVT_ERROR,
 				"JPWL: bad tile number (%d out of a maximum of %d)\n",
 				tileno, (cp->tw * cp->th));
@@ -1286,8 +1293,18 @@ static void j2k_read_sot(opj_j2k_t *j2k) {
 
 		/* keep your private count of tiles */
 		backup_tileno++;
-	};
+	}
+else
 #endif /* USE_JPWL */
+  {
+    /* tileno is negative or larger than the number of tiles!!! */
+    if ((tileno < 0) || (tileno >= (cp->tw * cp->th))) {
+      opj_event_msg(j2k->cinfo, EVT_ERROR,
+        "JPWL: bad tile number (%d out of a maximum of %d)\n",
+        tileno, (cp->tw * cp->th));
+      return;
+    }
+  }
 	
 	if (cp->tileno_size == 0) {
 		cp->tileno[cp->tileno_size] = tileno;
