Merge pull request #230 from D4N/fix_170

Fix for #170

src/pngchunk_int.cpp

@@ -64,6 +64,8 @@ namespace Exiv2 {
                                    int*           outWidth,
                                    int*           outHeight)
     {
+        assert(data.size_ >= 8);
+
         // Extract image width and height from IHDR chunk.
 
         *outWidth  = getLong((const byte*)data.pData_,     bigEndian);

src/pngimage.cpp

@@ -435,7 +435,9 @@ namespace Exiv2 {
 #ifdef DEBUG
                     std::cout << "Exiv2::PngImage::readMetadata: Found IHDR chunk (length: " << dataOffset << ")\n";
 #endif
-                    PngChunk::decodeIHDRChunk(cdataBuf, &pixelWidth_, &pixelHeight_);
+                    if (cdataBuf.size_ >= 8) {
+                        PngChunk::decodeIHDRChunk(cdataBuf, &pixelWidth_, &pixelHeight_);
+                    }
                 }
                 else if (!memcmp(cheaderBuf.pData_ + 4, "tEXt", 4))
                 {

tests/bugfixes/github/test_issue_170.py

@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+
+import system_tests
+
+
+class decodeIHDRChunkOutOfBoundsRead(system_tests.Case):
+
+    url = "https://github.com/Exiv2/exiv2/issues/170"
+
+    filename = "{data_path}/issue_170_poc"
+
+    commands = ["{exiv2} " + filename]
+    stdout = [""]
+    stderr = ["""{exiv2_exception_msg} """ + filename + """:
+{kerFailedToReadImageData}
+"""]
+    retval = [1]