2007-11-05  Juan Manuel Guerrero  <juan.guerrero@gmx.de>

	* src/libjasper/jpc/jpc_cs.c (jpc_qcx_getcompparms): Fix segfaults due
	to heap corruption on malformed image input.  Adapted from
        <http://ftp.de.debian.org/debian/pool/main/j/jasper/jasper_1.900.1-3.diff.gz>




diff -aprNU5 jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c jasper-1.900.1/src/libjasper/jpc/jpc_cs.c
--- jasper-1.900.1.orig/src/libjasper/jpc/jpc_cs.c	2007-01-19 13:43:08 +0000
+++ jasper-1.900.1/src/libjasper/jpc/jpc_cs.c	2007-11-04 01:30:16 +0000
@@ -980,11 +980,14 @@ static int jpc_qcx_getcompparms(jpc_qcxc
 	case JPC_QCX_SEQNT:
 		/* XXX - this is a hack */
 		compparms->numstepsizes = (len - n) / 2;
 		break;
 	}
-	if (compparms->numstepsizes > 0) {
+	if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+		jpc_qcx_destroycompparms(compparms);
+                return -1;
+        } else if (compparms->numstepsizes > 0) {
 		compparms->stepsizes = jas_malloc(compparms->numstepsizes *
 		  sizeof(uint_fast16_t));
 		assert(compparms->stepsizes);
 		for (i = 0; i < compparms->numstepsizes; ++i) {
 			if (compparms->qntsty == JPC_QCX_NOQNT) {
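Review bot: The `assert(compparms->stepsizes)` that follows the new `else if` branch is still the only check on the jas_malloc result, so in a build with NDEBUG a failed allocation leaves stepsizes NULL and the loop on the next line writes through it; since the new code already has a cleanup-and-fail path, the same one should replace the assert: `if (!compparms->stepsizes) { jpc_qcx_destroycompparms(compparms); return -1; }`. The upper bound `3 * JPC_MAXRLVLS + 1` is a magic expression here; a one-line comment stating which fixed-size consumer it is sized to protect (presumably a stepsizes array elsewhere in the decoder — worth confirming) would keep the two in sync. The new branch also leaves numstepsizes unconstrained below: if len can be smaller than n at this point, `(len - n) / 2` on the context line above is computed before the check, so whether that wraps depends on the type of numstepsizes, which this hunk does not show. Lines L22–L23 of the added block are indented with spaces while the rest of the file uses tabs. jpc_qcx_getcompparms begins and ends outside this hunk.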
