[trunk] WIP: resolve heap corruption with p0_07.j2k (credit to Winfried)
authorMickael Savinaud <savmickael@users.noreply.github.com>
Wed, 12 Oct 2011 14:44:46 +0000 (14:44 +0000)
committerMickael Savinaud <savmickael@users.noreply.github.com>
Wed, 12 Oct 2011 14:44:46 +0000 (14:44 +0000)
CHANGES
libopenjpeg/pi.c

diff --git a/CHANGES b/CHANGES
index 0e58d28117803fe1e8137b0132d84a6ed1653a39..1ea0ed9c539b8ea9c86ba065b4ff81ed6f49f2a1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,7 @@ What's New for OpenJPEG
 + : added
 
 October 12, 2011
+* [mickael] WIP: resolve heap corruption with p0_07.j2k (credit to Winfried)
 * [mickael] WIP: correct some memory leaks in applications functions 
 + [mickael] WIP: add a read CBD marker function (JPEG2000 part 2)
 + [mickael] WIP: add a read MCO marker function (JPEG2000 part 2) 
index 890800adec7a1595cb4ce85cbee077f353df4e31..f601c7697bd9d05f75453b4c98594088739744ee 100644 (file)
@@ -680,7 +680,7 @@ opj_pi_iterator_t *pi_create_decode_v2(     opj_image_t *p_image,
        l_current_pi = l_pi;
 
        // memory allocation for include
-       l_current_pi->include = (OPJ_INT16*) opj_calloc(l_tcp->numlayers * l_step_l, sizeof(OPJ_INT16));
+       l_current_pi->include = (OPJ_INT16*) opj_calloc((l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));
        if
                (!l_current_pi->include)
        {
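Review bot: The element count `(l_tcp->numlayers +1) * l_step_l` is multiplied before it is handed to `opj_calloc`, so any overflow check the allocator performs on count times size never sees a wrapped product. The operand types are not visible in this hunk, but if both are 32-bit values derived from the codestream, a wrapped count would give a buffer smaller than the iterator later indexes. I would reject the input on the existing failure path when `l_step_l != 0 && l_tcp->numlayers + 1 > MAX / l_step_l`, with `MAX` being the limit of the type the product is computed in. The `+1` also needs a why-comment, for example `/* one extra layer of slack: <name the index expression that reaches numlayers * l_step_l> */`, because padding the buffer hides the out-of-range index rather than bounding it where it is formed. The body of pi_create_decode_v2 starts and ends outside this hunk.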
@@ -689,7 +689,7 @@ opj_pi_iterator_t *pi_create_decode_v2(     opj_image_t *p_image,
                pi_destroy_v2(l_pi, l_bound);
                return 00;
        }
-       memset(l_current_pi->include,0,l_tcp->numlayers * l_step_l* sizeof(OPJ_INT16));
+       memset(l_current_pi->include,0, (l_tcp->numlayers + 1) * l_step_l* sizeof(OPJ_INT16));
 
        // special treatment for the first packet iterator
        l_current_comp = l_current_pi->comps;
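Review bot: The `memset` length repeats the allocation size expression by hand, so the next change to one of the two lines can leave the clear longer than the buffer. If `opj_calloc` zero-fills like `calloc` (its definition is not shown here), the `memset` is redundant and can be dropped. Otherwise compute the count once, e.g. `l_include_count = (l_tcp->numlayers + 1) * l_step_l;`, and use that local for both the allocation and the clear. The enclosing function continues outside this hunk.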