From b2c3b61abcdb8e1a904e7c3f8b9f683c1b0b5668 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Fri, 6 Jul 2018 11:39:45 +0200
Subject: [PATCH] [IptcData::printStructure] Remove buffer overrun

The loop condition will perform a range check correctly, but it will always dereference bytes[i], even if i is too large and fails the second check. => move the bytes[i] == 0x1c check into a if, after the range check was successfull
---
 src/iptc.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/iptc.cpp b/src/iptc.cpp
index ec7a58a9..11cc17bd 100644
--- a/src/iptc.cpp
+++ b/src/iptc.cpp
@@ -354,7 +354,10 @@ namespace Exiv2 {
 while ( i < size-3 && bytes[i] != 0x1c ) i++;
 depth++;
 out << Internal::indent(depth) << "Record | DataSet | Name | Length | Data" << std::endl;
- while ( bytes[i] == 0x1c && i < size-3 ) {
+ while ( i < size-3 ) {
+ if (bytes[i] != 0x1c) {
+ break;
+ }
 char buff[100];
 uint16_t record = bytes[i+1];
 uint16_t dataset = bytes[i+2];
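Review bot: The bound `i < size-3` in the new `while` still relies on `size` being at least 3; if `size` is an unsigned type (its declaration is outside the hunk), a buffer shorter than three bytes makes `size-3` wrap to a very large value, the range check then passes for every `i`, and `bytes[i]`, `bytes[i+1]` and `bytes[i+2]` are read past the end of the buffer. Writing the condition as `while ( i + 3 < size ) {` removes the subtraction; the scanning loop on the first context line, `while ( i < size-3 && bytes[i] != 0x1c ) i++;`, has the same form and would need the same change. The loop body continues past the end of the hunk, so any reads beyond `bytes[i+2]` there should be checked against the same bound.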