From 839936aa33eb8899bbbd80fda02796bb65068951 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 5 Apr 2026 13:25:27 +0200
Subject: [PATCH 1/2] opj_pi_initialise_encode() (write code path): avoid
 potential integer overflow leading to insufficient memory allocation

Fixes #1619
---
 src/lib/openjp2/pi.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index 15ac33142..4abb87af2 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -1694,9 +1694,12 @@ opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image,
     l_current_pi = l_pi;
 
     /* memory allocation for include*/
-    l_current_pi->include_size = l_tcp->numlayers * l_step_l;
-    l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size,
-                            sizeof(OPJ_INT16));
+    l_current_pi->include = NULL;
+    if (l_step_l <= UINT_MAX / l_tcp->numlayers) {
+        l_current_pi->include_size = l_tcp->numlayers * l_step_l;
+        l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size,
+                                sizeof(OPJ_INT16));
+    }
     if (!l_current_pi->include) {
         opj_free(l_tmp_data);
         opj_free(l_tmp_ptr);
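Review bot: The new guard `l_step_l <= UINT_MAX / l_tcp->numlayers` divides by `l_tcp->numlayers`, and nothing in this hunk shows that value is non-zero here; if a zero layer count can reach this point, the overflow check itself becomes a division by zero. Unless earlier validation guarantees at least one layer, I would write `if (l_tcp->numlayers != 0 && l_step_l <= UINT_MAX / l_tcp->numlayers) {`, or add a comment naming where that guarantee is enforced. The rejected case falls through to the same cleanup as an allocation failure, which is safe, but a comment such as `/* overflow of numlayers * l_step_l is handled like an allocation failure */` would make that intentional. The function body starts and ends outside the hunk.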
From 91d08b11a72764f6d199f32fa0c1b1abd4edc2ad Mon Sep 17 00:00:00 2001
From: PGZXB <pgzxb@qq.com>
Date: Tue, 10 Feb 2026 17:09:30 +0000
Subject: [PATCH] Fix heap buffer overlfow in opj_j2k_read_sod

---
 src/lib/openjp2/j2k.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
index a2014c89b..ad76aca7d 100644
--- a/src/lib/openjp2/j2k.c
+++ b/src/lib/openjp2/j2k.c
@@ -5082,12 +5082,14 @@ static OPJ_BOOL opj_j2k_read_sod(opj_j2k_t *p_j2k,
 
         OPJ_UINT32 l_current_tile_part =
             l_cstr_index->tile_index[p_j2k->m_current_tile_number].current_tpsno;
-        l_cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index[l_current_tile_part].end_header
-            =
-                l_current_pos;
-        l_cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index[l_current_tile_part].end_pos
-            =
-                l_current_pos + p_j2k->m_specific_param.m_decoder.m_sot_length + 2;
+        if (l_cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index &&
+                l_current_tile_part <
+                l_cstr_index->tile_index[p_j2k->m_current_tile_number].nb_tps) {
+            l_cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index[l_current_tile_part].end_header
+                = l_current_pos;
+            l_cstr_index->tile_index[p_j2k->m_current_tile_number].tp_index[l_current_tile_part].end_pos
+                = l_current_pos + p_j2k->m_specific_param.m_decoder.m_sot_length + 2;
+        }
 
         if (OPJ_FALSE == opj_j2k_add_tlmarker(p_j2k->m_current_tile_number,
                                               l_cstr_index,
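Review bot: The added condition bounds `l_current_tile_part` by `nb_tps`, but the store is only safe if the index is below the number of elements actually allocated for `tp_index`, and this hunk does not show that the two are always equal. The tile index structure also has a `current_nb_tps` field, which as far as I recall tracks the allocated capacity; please confirm which field matches the allocation, since too large a bound leaves the out-of-bounds write in place and too small a one (for example `nb_tps` still 0) silently drops valid index entries. When the check fails the entry is skipped without any diagnostic; a comment like `/* tile-part number outside the allocated tp_index: skip the index update */` or a logged warning would help whoever triages a malformed codestream. opj_j2k_read_sod continues outside the hunk.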
