avcodec/jpeg2000dec: check that tp_end is after the start

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index caa5ae4e91d3edb0d39eb6b70410423f4a53aa69..dc976c15fb3414f0ed3ed835e68c0c0910eafeb9 100644 (file)
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1237,6 +1237,10 @@ static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s)
 
             tile = s->tile + s->curtileno;
             tp = tile->tile_part + tile->tp_idx;
+            if (tp->tp_end < s->g.buffer) {
+                av_log(s->avctx, AV_LOG_ERROR, "Invalid tpend\n");
+                return AVERROR_INVALIDDATA;
+            }
             bytestream2_init(&tp->tpg, s->g.buffer, tp->tp_end - s->g.buffer);
             bytestream2_skip(&s->g, tp->tp_end - s->g.buffer);