opj_pi_update_decode_poc(): limit layno1 to the number of layers (CVE-2016-1626 and...

This has been recently fixed in a less elegant way per
80818c39f5bfbac37768fcee95b0ffeceaa77264

diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index c256349b68ac851fec92b43b9dacfd2834dccb13..df96ac2167d5e2c037b86d87d7591ab751b90d06 100644 (file)
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -1213,7 +1213,8 @@ static void opj_pi_update_decode_poc(opj_pi_iterator_t * p_pi,
             l_current_poc->resno1; /* Resolution Level Index #0 (End) */
         l_current_pi->poc.compno1 =
             l_current_poc->compno1; /* Component Index #0 (End) */
-        l_current_pi->poc.layno1 = l_current_poc->layno1; /* Layer Index #0 (End) */
+        l_current_pi->poc.layno1 = opj_uint_min(l_current_poc->layno1,
+                                                p_tcp->numlayers); /* Layer Index #0 (End) */
         l_current_pi->poc.precno1 = p_max_precision;
         ++l_current_pi;
         ++l_current_poc;