From: Aaron Boxer
Date: Fri, 29 Jan 2016 00:34:00 +0000 (-0500)
Subject: issue #695 MQ Encode: ensure that bp pointer never points to uninitialized memory
X-Git-Tag: v2.1.1~18^2~32^2~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e3100f714c2bae3da26877020048e2cf5906172b;p=openjpeg
issue #695 MQ Encode: ensure that bp pointer never points to uninitialized memory
---
diff --git a/src/lib/openjp2/mqc.c b/src/lib/openjp2/mqc.c
index 7e0f5637..e6e4cc87 100644
--- a/src/lib/openjp2/mqc.c
+++ b/src/lib/openjp2/mqc.c
@@ -203,13 +203,14 @@ static opj_mqc_state_t mqc_states[47 * 2] = {
 */
 static void opj_mqc_byteout(opj_mqc_t *mqc) {
- if (*mqc->bp == 0xff) {
+ OPJ_BYTE bp_in_bounds = (mqc->bp >= mqc->start);
+ if (bp_in_bounds & (*mqc->bp == 0xff)) {
 mqc->bp++;
 *mqc->bp = (OPJ_BYTE)(mqc->c >> 20);
 mqc->c &= 0xfffff;
 mqc->ct = 7;
 } else {
- if ((mqc->c & 0x8000000) == 0) { /* ((mqc->c&0x8000000)==0) CHANGE */
+ if ((bp_in_bounds ^ 1) | ((mqc->c & 0x8000000) == 0)) {
 mqc->bp++;
 *mqc->bp = (OPJ_BYTE)(mqc->c >> 19);
 mqc->c &= 0x7ffff;
@@ -395,9 +396,6 @@ void opj_mqc_init_enc(opj_mqc_t *mqc, OPJ_BYTE *bp) {
 mqc->c = 0;
 mqc->bp = bp - 1;
 mqc->ct = 12;
- if (*mqc->bp == 0xff) {
- mqc->ct = 13;
- }
 mqc->start = bp;
 }
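Review bot: The new guard in `opj_mqc_byteout` still dereferences `mqc->bp` when it is out of bounds, because `&` is a bitwise operator that evaluates both operands: `bp_in_bounds & (*mqc->bp == 0xff)` reads `*mqc->bp` even when `bp_in_bounds` is 0, which is exactly the read of `bp - 1` (the value `opj_mqc_init_enc` stores) that this commit sets out to avoid. Use the short-circuit forms instead, `if (bp_in_bounds && *mqc->bp == 0xff) {` and `if (!bp_in_bounds || (mqc->c & 0x8000000) == 0) {`, and declare the flag as `OPJ_BOOL` rather than `OPJ_BYTE` since it holds a comparison result. Note also that with `bp` out of bounds the else-branch's first case is now forced regardless of bit 27 of `c`, so a carry at the very first byte-out, if one can occur at that point, is no longer propagated; a comment stating why that is acceptable would help the next reader. The body of `opj_mqc_byteout` continues past the end of the hunk.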
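Review bot: Nothing at `mqc->bp = bp - 1;` in `opj_mqc_init_enc` records that this address is deliberately never dereferenced now that the `ct = 13` adjustment has been removed, so the read is easy to reintroduce; a comment such as `/* bp - 1 lies before the caller's buffer and must never be read (see opj_mqc_byteout) */` would pin the invariant. Forming `bp - 1` is itself only well-defined in C if the caller's allocation has at least one byte before `bp`, which cannot be checked from this hunk; if it does not, the pointer should be kept inside the buffer and the "before start" state tracked another way. The function's opening lines precede the hunk.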