--- src/libjasper/jp2/jp2_cod.c
+++ src/libjasper/jp2/jp2_cod.c
@@ -247,7 +247,7 @@
 box = 0;
 tmpstream = 0;
- if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
+ if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) {
 goto error;
 }
 box->ops = &jp2_boxinfo_unk.ops;
--- src/libjasper/jpc/jpc_cs.c
+++ src/libjasper/jpc/jpc_cs.c
@@ -983,7 +983,10 @@
 compparms->numstepsizes = (len - n) / 2;
 break;
 }
- if (compparms->numstepsizes > 0) {
+ if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
+ jpc_qcx_destroycompparms(compparms);
+ return -1;
+ } else if (compparms->numstepsizes > 0) {
 compparms->stepsizes = jas_malloc(compparms->numstepsizes * sizeof(uint_fast32_t));
 assert(compparms->stepsizes);
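Review bot: The switch to `jas_calloc` for `box` in jp2_cod.c has no comment saying why zeroed memory matters, so a later cleanup could quietly turn it back into `jas_malloc`. Presumably the `error:` path, which lies outside the hunk, inspects box fields that are still unassigned when an early `goto error` is taken. A comment above the allocation such as `/* Zero-fill: the error path may destroy the box before all fields are set. */` would record that. The enclosing function starts and ends outside the hunk, so the cleanup code should be checked to confirm it treats zeroed fields as empty.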
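Review bot: The allocation that follows the new bound check in jpc_cs.c is still guarded only by `assert(compparms->stepsizes);`, which compiles away under NDEBUG and otherwise aborts the process on a failed `jas_malloc`. Since `numstepsizes` is derived from the marker length read from the codestream, this path should fail like the new branch does, e.g. `if (!compparms->stepsizes) return -1;` in place of the assert. Separately, the new branch calls `jpc_qcx_destroycompparms(compparms)` before `stepsizes` is assigned in the visible lines. If that helper frees `compparms->stepsizes` and the field is not initialised earlier in the function (neither is visible here), it would act on an indeterminate pointer. Setting `compparms->stepsizes = 0;` at the top of the function would make the early exit safe. The function body starts and ends outside the hunk.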