From 2fb00c8a16ce93756cddd70536e361a49369ba88 Mon Sep 17 00:00:00 2001
From: Luis Diaz Mas
Date: Sat, 19 May 2018 19:39:30 +0200
Subject: [PATCH] Analyze minimum needed number of null separators in PngChunk::parseTXTChunk
This commit fixes the heap-buffer-overflow in PngChunk::parseTXTChunk. According to the specification: http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html There must be 2 null separators when we start to analyze the language tag.
---
 src/pngchunk_int.cpp | 5 +++++
 tests/bugfixes/github/test_CVE_2018_10999.py | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/pngchunk_int.cpp b/src/pngchunk_int.cpp
index dbe4b2b7..61117e61 100644
--- a/src/pngchunk_int.cpp
+++ b/src/pngchunk_int.cpp
@@ -33,6 +33,7 @@
 #include "iptc.hpp"
 #include "image.hpp"
 #include "error.hpp"
+#include "enforce.hpp"
 // + standard includes
 #include
@@ -42,6 +43,7 @@
 #include
 #include
 #include
+#include
 #include
 // To uncompress or compress text chunk
@@ -162,6 +164,9 @@ namespace Exiv2 {
 }
 else if(type == iTXt_Chunk)
 {
+ const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_-1], '\0');
+ enforce(nullSeparators >= 2, Exiv2::kerCorruptedMetadata);
+
 // Extract a deflate compressed or uncompressed UTF-8 text chunk
 // we get the compression flag after the key
diff --git a/tests/bugfixes/github/test_CVE_2018_10999.py b/tests/bugfixes/github/test_CVE_2018_10999.py
index 2021a333..85b0e08e 100644
--- a/tests/bugfixes/github/test_CVE_2018_10999.py
+++ b/tests/bugfixes/github/test_CVE_2018_10999.py
@@ -13,5 +13,5 @@ class TestCvePoC(metaclass=system_tests.CaseMeta):
 stdout = [""]
 stderr = [
 """$exception_in_extract """ + filename + """:
-$kerFailedToReadImageData
+$kerCorruptedMetadata
 """]
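Review bot: The new `std::count` at the top of the iTXt branch forms its range from `&data.pData_[keysize+3]` and `&data.pData_[data.size_-1]` with no check visible in this hunk that `data.size_ >= keysize + 3`; on a chunk shorter than that the begin pointer lies beyond the end pointer, which is an invalid range for `std::count` and reads outside the buffer — the same class of bug the commit sets out to fix. Unless the caller or the start of parseTXTChunk (outside this hunk) already guarantees it, guard the range first with `enforce(data.size_ >= keysize + 3, Exiv2::kerCorruptedMetadata);` placed before the count, using the same `enforce` this hunk already introduces. Two separators only prove that the language tag and the translated keyword are NUL-terminated somewhere inside the chunk, which is what the later C-string reads of those two fields rely on, so a comment such as `// two NULs must exist after the compression bytes so the language tag and translated keyword are terminated inside the buffer` would state the intent the commit message leaves implicit. Note also that `std::count` returns a `ptrdiff_t` that is narrowed into `int` here; `const std::ptrdiff_t nullSeparators = ...` avoids the narrowing. parseTXTChunk begins before this hunk and continues after it.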