From 4ad5618210edabcc28b8ceee77d22e2e1e7eb822 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sat, 24 Dec 2011 06:17:12 +0100
Subject: [PATCH] j2kdec: Fix crash in get_qcx

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 282bb02839b1ce73963c8e3ee46804f1ade8b12a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/j2kdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c
index 3b94497293..3315a835d7 100644
--- a/libavcodec/j2kdec.c
+++ b/libavcodec/j2kdec.c
@@ -359,7 +359,7 @@ static int get_qcx(J2kDecoderContext *s, int n, J2kQuantStyle *q)
 
     if (q->quantsty == J2K_QSTY_NONE){
         n -= 3;
-        if (s->buf_end - s->buf < n)
+        if (s->buf_end - s->buf < n || 32*3 < n)
             return AVERROR(EINVAL);
         for (i = 0; i < n; i++)
             q->expn[i] = bytestream_get_byte(&s->buf) >> 3;
@@ -376,7 +376,7 @@ static int get_qcx(J2kDecoderContext *s, int n, J2kQuantStyle *q)
         }
     } else{
         n = (n - 3) >> 1;
-        if (s->buf_end - s->buf < n)
+        if (s->buf_end - s->buf < n || 32*3 < n)
             return AVERROR(EINVAL);
         for (i = 0; i < n; i++){
             x = bytestream_get_be16(&s->buf);