From 11445eddad7e7fa5b273d1c83c91011c44e5d586 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 29 Jul 2017 19:03:13 +0200
Subject: [PATCH] opj_pi_update_decode_poc(): limit layno1 to the number of
 layers (CVE-2016-1626 and CVE-2016-1628, #850)

This has been recently fixed in a less elegant way per
80818c39f5bfbac37768fcee95b0ffeceaa77264
---
 src/lib/openjp2/pi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index c256349b..df96ac21 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -1213,7 +1213,8 @@ static void opj_pi_update_decode_poc(opj_pi_iterator_t * p_pi,
             l_current_poc->resno1; /* Resolution Level Index #0 (End) */
         l_current_pi->poc.compno1 =
             l_current_poc->compno1; /* Component Index #0 (End) */
-        l_current_pi->poc.layno1 = l_current_poc->layno1; /* Layer Index #0 (End) */
+        l_current_pi->poc.layno1 = opj_uint_min(l_current_poc->layno1,
+                                                p_tcp->numlayers); /* Layer Index #0 (End) */
         l_current_pi->poc.precno1 = p_max_precision;
         ++l_current_pi;
         ++l_current_poc;
-- 
2.50.1