From 751fba8b54bcbfbcbcd1b595fb2e05c55ab9b9f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Wed, 14 Feb 2018 23:09:18 +0100
Subject: [PATCH 1/2] Added dataBuf size check before calling PngChunk::decodeIHDRChunk

- cdataBuf must be at least 8 bytes long otherwise decodeIHDRChunk reads out of bounds
- pngImage::readMetadata now skips png chunks where the offset for IHDR chunks is invalid
- added assertion into PngChunk::decodeIHDRChunk() to ensure dataBuf size
---
 src/pngchunk_int.cpp | 2 ++
 src/pngimage.cpp | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/pngchunk_int.cpp b/src/pngchunk_int.cpp
index 7d8aab83..d6dd75a4 100644
--- a/src/pngchunk_int.cpp
+++ b/src/pngchunk_int.cpp
@@ -64,6 +64,8 @@ namespace Exiv2 {
 int* outWidth, int* outHeight)
 {
+ assert(data.size_ >= 8);
+
 // Extract image width and height from IHDR chunk.
 *outWidth = getLong((const byte*)data.pData_, bigEndian);
diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index ba7c68f2..cc93ee23 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -435,7 +435,9 @@ namespace Exiv2 {
 #ifdef DEBUG
 std::cout << "Exiv2::PngImage::readMetadata: Found IHDR chunk (length: " << dataOffset << ")\n";
 #endif
- PngChunk::decodeIHDRChunk(cdataBuf, &pixelWidth_, &pixelHeight_);
+ if (cdataBuf.size_ >= 8) {
+ PngChunk::decodeIHDRChunk(cdataBuf, &pixelWidth_, &pixelHeight_);
+ }
 }
 else if (!memcmp(cheaderBuf.pData_ + 4, "tEXt", 4)) {

From cabf756553d177998b3f2be3a4b532bd38300f50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Wed, 14 Feb 2018 23:17:26 +0100
Subject: [PATCH 2/2] Add reproducer for #170 to the test suite

---
 test/data/issue_170_poc | Bin 0 -> 216 bytes
 tests/bugfixes/github/test_issue_170.py | 17 +++++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 test/data/issue_170_poc
 create mode 100644 tests/bugfixes/github/test_issue_170.py
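Review bot: The `assert(data.size_ >= 8);` added at the top of decodeIHDRChunk (pngchunk_int.cpp hunk) is compiled out when NDEBUG is defined, so in a release build the function still reads from `data.pData_` unchecked and the caller-side guard in the pngimage.cpp hunk becomes the only protection, leaving any other call site exposed. Make the precondition unconditional instead, e.g. `if (data.size_ < 8) throw Error(/* placeholder: the error code this file uses for corrupt input */);`, or return without touching the out-parameters. In the pngimage.cpp hunk a too-short IHDR chunk is now skipped silently, which presumably leaves pixelWidth_/pixelHeight_ at whatever value they held before; since a truncated IHDR means the file is corrupt, either report it the same way or add a comment such as `// IHDR too short to hold width/height: treat as absent rather than read past the buffer` so the choice is deliberate. The literal 8 is repeated in both hunks; a named constant for the minimum IHDR payload decodeIHDRChunk reads would keep the two checks from drifting apart. Both enclosing functions start and end outside their hunks.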
diff --git a/test/data/issue_170_poc b/test/data/issue_170_poc new file mode 100644 index 0000000000000000000000000000000000000000..439b76877e0e4e6a148848bee4b6b5122dd0df5c GIT binary patch literal 216 zcmeAS@N?(olHy`uU|{w1a0vp^3LwnE3?yBabR7dyk|nMYCBgY=CFO}lsSJ)O`AMk? zp1FzXsX?iUDV2pMQ*D5X_yc@GT+_~+`TzevkY_wIZRY