diff --git a/zbar/decoder/databar.c b/zbar/decoder/databar.c
index 2955c41..6a4a4e4 100644
--- a/zbar/decoder/databar.c
+++ b/zbar/decoder/databar.c
@@ -23,6 +23,8 @@
 
 #include "config.h"
 #include <zbar.h>
+#include <stdlib.h>
+#include <stdio.h>
 
 #ifdef DEBUG_DATABAR
 #define DEBUG_LEVEL (DEBUG_DATABAR)
@@ -626,8 +628,8 @@ static inline zbar_symbol_type_t match_segment(zbar_decoder_t *dcode,
     return (ZBAR_DATABAR);
 }
 
-static inline unsigned lookup_sequence(databar_segment_t *seg, int fixed,
-                                       int seq[22])
+static inline signed lookup_sequence(databar_segment_t *seg, int fixed,
+                                       int seq[22], const size_t maxsize)
 {
     unsigned n = seg->data / 211, i;
     const unsigned char *p;
@@ -637,6 +639,13 @@ static inline unsigned lookup_sequence(databar_segment_t *seg, int fixed,
     dbprintf(2, " {%d,%d:", i, n);
     p = exp_sequences + i;
 
+    if (n >= maxsize-1) {
+      // The loop below checks i<n and increments i by one within the loop
+      // when accessing seq[22]. For this to be safe, n needs to be < 21.
+      // See CVE-2023-40890.
+      return -1;
+    }
+
     fixed >>= 1;
     seq[0] = 0;
     seq[1] = 1;
@@ -714,10 +723,15 @@ match_segment_exp(zbar_decoder_t *dcode, databar_segment_t *seg, int dir)
             }
 
             if (!i) {
-                if (!lookup_sequence(seg, fixed, seq)) {
+                signed int lu = lookup_sequence(seg, fixed, seq, sizeof(seq)/sizeof(seq[0]));
+                if(!lu) {
                     dbprintf(2, "[nf]");
                     continue;
                 }
+                if(lu < 0) {
+                    dbprintf(1, " [aborted]\n");
+                    goto abort;
+                }
                 width = seg->width;
                 dbprintf(2, " A00@%d", j);
             } else {
@@ -787,6 +801,8 @@ match_segment_exp(zbar_decoder_t *dcode, databar_segment_t *seg, int dir)
     dcode->direction = (1 - 2 * (seg->side ^ seg->color)) * dir;
     dcode->modifiers = MOD(ZBAR_MOD_GS1);
     return (ZBAR_DATABAR_EXP);
+abort:
+    return (ZBAR_NONE);
 }
 #undef IDX
 
diff --git a/zbar/qrcode/qrdec.c b/zbar/qrcode/qrdec.c
index c68958f..1260534 100644
--- a/zbar/qrcode/qrdec.c
+++ b/zbar/qrcode/qrdec.c
@@ -4238,8 +4238,8 @@ void qr_reader_match_centers(qr_reader *_reader, qr_code_data_list *_qrlist,
         /*TODO: We might be able to accelerate this step significantly by
        considering the remaining finder centers in a more intelligent order,
        based on the first finder center we just chose.*/
-        for (j = i + 1; !mark[i] && j < _ncenters; j++) {
-            for (k = j + 1; !mark[j] && k < _ncenters; k++)
+        for (j = i + 1; i < _ncenters && !mark[i] && j < _ncenters; j++) {
+            for (k = j + 1; j < _ncenters && !mark[j] && k < _ncenters; k++)
                 if (!mark[k]) {
                     qr_finder_center *c[3];
                     qr_code_data qrdata;