- --- mozilla/modules/libimg/jpgcom/jpeg.cpp.orig       Tue Mar 28 02:08:15 2000
+++ mozilla/modules/libimg/jpgcom/jpeg.cpp      Wed May 24 17:24:03 2000
@@ -469,6 +469,10 @@

     /* Get 16-bit comment length word. */
     INPUT_2BYTES(cinfo, length, return FALSE);
+    if (length < 2) {
+       cinfo->err->msg_code = JERR_BAD_LENGTH;
+       il_error_exit((j_common_ptr)cinfo);
+    }
     length -= 2;            /* discount the length word itself */
   
     PR_FREEIF(ic->comment);