Index: openjpeg-1.5.1/libopenjpeg/cio.c
===================================================================
--- openjpeg-1.5.1.orig/libopenjpeg/cio.c 2012-09-13 09:58:39.000000000 +0000
+++ openjpeg-1.5.1/libopenjpeg/cio.c 2013-01-01 01:01:01.000000000 +0000
@@ -30,6 +30,7 @@
 */
 #include "opj_includes.h"
+#include
 /* ----------------------------------------------------------------------- */
@@ -139,6 +140,11 @@ opj_bool cio_byteout(opj_cio_t *cio, uns
 * Read a byte.
 */
 unsigned char cio_bytein(opj_cio_t *cio) {
+ if (cio->bp < cio->start) {
+ opj_event_msg(cio->cinfo, EVT_ERROR, "read error: trying to read from before the start of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
+ abort();
+ return 0;
+ }
 if (cio->bp >= cio->end) {
 opj_event_msg(cio->cinfo, EVT_ERROR, "read error: passed the end of the codestream (start = %d, current = %d, end = %d\n", cio->start, cio->bp, cio->end);
 return 0;
@@ -173,7 +179,7 @@ unsigned int cio_read(opj_cio_t *cio, in
 unsigned int v;
 v = 0;
 for (i = n - 1; i >= 0; i--) {
- v += cio_bytein(cio) << (i << 3);
+ v += (unsigned int)cio_bytein(cio) << (i << 3);
 }
 return v;
 }
@@ -184,6 +190,7 @@ unsigned int cio_read(opj_cio_t *cio, in
 * n : number of bytes to skip
 */
 void cio_skip(opj_cio_t *cio, int n) {
+ assert((cio->bp + n) >= cio->bp);
 cio->bp += n;
 }
Index: openjpeg-1.5.1/libopenjpeg/jp2.c
===================================================================
--- openjpeg-1.5.1.orig/libopenjpeg/jp2.c 2012-09-13 09:58:39.000000000 +0200
+++ openjpeg-1.5.1/libopenjpeg/jp2.c 2013-01-01 01:01:01.000000000 +0000
@@ -172,6 +172,9 @@ static opj_bool jp2_read_boxhdr(opj_comm
 } else if (box->length == 0) {
 box->length = cio_numbytesleft(cio) + 8;
+ } else if (box->length < 0) {
+ opj_event_msg(cinfo, EVT_ERROR, "Invalid, negative, size of box\n");
+ return false;
 }
 return true;
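Review bot: The new underflow branch in cio_bytein calls `abort()`, so a malformed codestream that leaves bp before start terminates the whole host process instead of failing the decode, and the `return 0;` after it is unreachable. The end-of-stream branch just below logs and returns 0; dropping the `abort();` line would make the two branches agree while still refusing the out-of-range read. Both messages also pass cio->start, cio->bp and cio->end (which appear to be pointers) to `%d`, a mismatch if opj_event_msg forwards to a printf-style formatter; printing offsets such as `(int)(cio->bp - cio->start)` avoids that. cio_bytein's body continues past the hunk.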
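Review bot: The shift count `i << 3` in cio_read is still unbounded after this change: the cast removes the signed shift of the promoted byte, but nothing visible limits n, and for n > 4 the count reaches 32 or more, which is undefined for a 32-bit unsigned int. If any caller derives n from stream data (the callers are not visible here), a guard before the loop such as `if (n > (int)sizeof(v)) return 0;` would close that case. The function's signature and the declaration of i are outside the hunk.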
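Review bot: The `assert` added to cio_skip gives no protection in release builds, since it is compiled out under NDEBUG, and the expression it tests depends on pointer arithmetic wrapping, which is undefined, so a compiler may reduce it to `n >= 0`. It also does not check that the new position stays inside the buffer, and that is the property the later reads depend on. Comparing n with the distances to cio->start and cio->end avoids forming an out-of-range pointer at all. One option is sketched below, assuming bp, start and end point into the same buffer. Parking bp at end on failure is a design choice to confirm against the callers.

```c
void cio_skip(opj_cio_t *cio, int n) {
	/* compare against the remaining / consumed byte counts rather than a wrapped pointer */
	if (n > cio->end - cio->bp || n < cio->start - cio->bp) {
		opj_event_msg(cio->cinfo, EVT_ERROR, "skip error: offset leaves the codestream buffer\n");
		cio->bp = cio->end; /* the next cio_bytein() then reports the error and returns 0 */
		return;
	}
	cio->bp += n;
```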
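Review bot: The negative-length test in jp2_read_boxhdr sits in an `else if` arm, so it only runs when none of the earlier arms matched. The first arm of the chain starts outside the hunk, and if it also assigns box->length from the stream, that value is never checked. Running the test as a standalone `if (box->length < 0) { ... return false; }` after the chain would cover every arm. Positive lengths smaller than the box header still pass (the `+ 8` in the zero-length arm suggests 8 bytes), so a caller that subtracts the header size would get a negative count. `box->length < 8` may be the bound that is wanted, to be confirmed against the callers.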