Avoid negative integer overflow when chunkLength == 0.

This fixes #789.
2019-04-25 21:42:54 +01:00 · 2019-04-25 21:42:54 +01:00 · 8cd95e2218
commit 8cd95e2218
parent f05d100579
3 changed files with 25 additions and 5 deletions
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@ -462,11 +462,11 @@ namespace Exiv2 {
                } else if (chunkType == "iCCP") {
                    // The ICC profile name can vary from 1-79 characters.
                    uint32_t iccOffset = 0;
-                    while (iccOffset < 80 && iccOffset < chunkLength) {
-                         if (chunkData.pData_[iccOffset++] ==  0x00) {
-                            break;
-                         }
-                    }
+                    do {
+                      enforce(iccOffset < 80 && iccOffset < chunkLength,
+                              Exiv2::kerCorruptedMetadata);
+                    } while(chunkData.pData_[iccOffset++] != 0x00);
+
                    profileName_ = std::string(reinterpret_cast<char *>(chunkData.pData_), iccOffset-1);
                    ++iccOffset; // +1 = 'compressed' flag
                    enforce(iccOffset <= chunkLength, Exiv2::kerCorruptedMetadata);
--- a/test/data/issue_789_poc1.png
+++ b/test/data/issue_789_poc1.png
--- a/tests/bugfixes/github/test_issue_789.py
+++ b/tests/bugfixes/github/test_issue_789.py
@ -0,0 +1,20 @@
+import system_tests
+
+
+class SegvInPngImageReadMetadata(
+        metaclass=system_tests.CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/789
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/789"
+
+    filename = system_tests.path(
+        "$data_path/issue_789_poc1.png"
+    )
+    commands = ["$exiv2 $filename"]
+    stdout = [""]
+    stderr = [""]
+    retval = [1]
+
+    compare_stderr = system_tests.check_no_ASAN_UBSAN_errors