From 751fba8b54bcbfbcbcd1b595fb2e05c55ab9b9f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Wed, 14 Feb 2018 23:09:18 +0100
Subject: [PATCH] Added dataBuf size check before calling PngChunk::decodeIHDRChunk

- cdataBuf must be at least 8 bytes long otherwise decodeIHDRChunk reads out of bounds
- pngImage::readMetadata now skips png chunks where the offset for IHDR chunks is invalid
- added assertion into PngChunk::decodeIHDRChunk() to ensure dataBuf size
---
 src/pngchunk_int.cpp | 2 ++
 src/pngimage.cpp | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/pngchunk_int.cpp b/src/pngchunk_int.cpp
index 7d8aab83..d6dd75a4 100644
--- a/src/pngchunk_int.cpp
+++ b/src/pngchunk_int.cpp
@@ -64,6 +64,8 @@ namespace Exiv2 {
 int* outWidth,
 int* outHeight)
 {
+ assert(data.size_ >= 8);
+
 // Extract image width and height from IHDR chunk.
 
 *outWidth = getLong((const byte*)data.pData_, bigEndian);
diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index ba7c68f2..cc93ee23 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -435,7 +435,9 @@ namespace Exiv2 {
 #ifdef DEBUG
 std::cout << "Exiv2::PngImage::readMetadata: Found IHDR chunk (length: " << dataOffset << ")\n";
 #endif
- PngChunk::decodeIHDRChunk(cdataBuf, &pixelWidth_, &pixelHeight_);
+ if (cdataBuf.size_ >= 8) {
+ PngChunk::decodeIHDRChunk(cdataBuf, &pixelWidth_, &pixelHeight_);
+ }
 }
 else if (!memcmp(cheaderBuf.pData_ + 4, "tEXt", 4)) {
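Review bot: The added `assert(data.size_ >= 8)` in PngChunk::decodeIHDRChunk is compiled out under NDEBUG, so in release builds the `getLong((const byte*)data.pData_, bigEndian)` read on the next context line still runs against a shorter buffer; because `data` is filled from the file being parsed, the length check belongs in this function as a runtime guard and not only in the one caller patched in pngimage.cpp. Keep the assert if you like, but follow it with an unconditional check such as `if (data.size_ < 8) throw Error(/* TODO: the error code this file uses for truncated image data */);` so every call site is covered, not just readMetadata. The literal 8 (two 4-byte IHDR fields) now appears both here and in the caller-side `cdataBuf.size_ >= 8` test, so a named constant would stop the two from drifting apart. The function's signature starts before this hunk and its body continues past the last context line shown.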