From 63344dfc619507a3b2ded834876ef905b0a93506 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikola=20Forr=C3=B3?= Date: Mon, 20 Feb 2017 14:16:47 +0100 Subject: [PATCH 3/4] Fix CVE-2016-5159 --- libopenjpeg/tcd.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/libopenjpeg/tcd.c b/libopenjpeg/tcd.c index 902243b..3f5785f 100644 --- a/libopenjpeg/tcd.c +++ b/libopenjpeg/tcd.c @@ -841,8 +841,24 @@ void tcd_malloc_decode_tile(opj_tcd_t *tcd, opj_image_t * image, opj_cp_t * cp, prc->cw = (brcblkxend - tlcblkxstart) >> cblkwidthexpn; prc->ch = (brcblkyend - tlcblkystart) >> cblkheightexpn; + if (prc->cw && ((uint32_t)-1) / prc->cw < prc->ch) { + cp->tileno[tileno] = -1; + return; + } + + if (((uint32_t)-1) / (uint32_t)sizeof(opj_tcd_cblk_dec_t) < prc->cw * prc->ch) { + cp->tileno[tileno] = -1; + return; + } + prc->cblks.dec = (opj_tcd_cblk_dec_t*) opj_malloc(prc->cw * prc->ch * sizeof(opj_tcd_cblk_dec_t)); + if (prc->cblks.dec == NULL) { + opj_event_msg(tcd->cinfo, EVT_ERROR, "Not enough memory for current precinct codeblock element\n"); + cp->tileno[tileno] = -1; + return; + } + prc->incltree = tgt_create(prc->cw, prc->ch); prc->imsbtree = tgt_create(prc->cw, prc->ch); -- 2.7.4
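Review bot: The added overflow guards still evaluate `prc->cw * prc->ch` in the fields' own type, so if `cw`/`ch` are plain `int` here (as in the 1.x `opj_tcd_precinct_t`; the struct is not visible in the hunk) a product above INT_MAX but below UINT32_MAX passes the first check and then overflows as signed arithmetic in the second check and again in the `opj_malloc` argument, which is undefined behavior rather than a detected error; a negative `cw` or `ch` from a crafted header would also be converted to a huge unsigned value in the first division and pass. Reject negatives and multiply in unsigned: `if (prc->cw < 0 || prc->ch < 0 || (prc->cw && ((uint32_t)-1) / (uint32_t)prc->cw < (uint32_t)prc->ch)) {`, `if (((uint32_t)-1) / (uint32_t)sizeof(opj_tcd_cblk_dec_t) < (uint32_t)prc->cw * (uint32_t)prc->ch) {`, and `prc->cblks.dec = (opj_tcd_cblk_dec_t*) opj_malloc((uint32_t)prc->cw * (uint32_t)prc->ch * sizeof(opj_tcd_cblk_dec_t));`. The two `tgt_create` calls immediately after the new NULL check are still not checked for failure, which is the same unchecked-allocation pattern the commit fixes for `opj_malloc`. `tcd_malloc_decode_tile` begins and ends outside the hunk, so whether the `cp->tileno[tileno] = -1; return;` path releases what was allocated earlier for this tile cannot be confirmed from here.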