From 03fcc6cad20d09a2c67d1b1fbd57a2c76527cc98 Mon Sep 17 00:00:00 2001
From: Mohamed Ali Chebbi
Date: Mon, 13 Feb 2023 12:13:12 +0100
Subject: [PATCH 1/2] fuzz issue : check that block is not corrupted before decoding
---
 src/asfvideo.cpp | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/asfvideo.cpp b/src/asfvideo.cpp
index 21e7e8f2..71f8cdc6 100644
--- a/src/asfvideo.cpp
+++ b/src/asfvideo.cpp
@@ -252,9 +252,10 @@ AsfVideo::HeaderReader::HeaderReader(BasicIo::UniquePtr& io) : IdBuf_(GUID) {
 }
 void AsfVideo::decodeBlock() {
- Internal::enforce(GUID + io_->tell() < io_->size(), Exiv2::ErrorCode::kerCorruptedMetadata);
- HeaderReader others(io_);
- auto tag = GUIDReferenceTags.find(GUIDTag(others.getId().data()));
+ Internal::enforce(GUID + QWORD + io_->tell() <= io_->size(), Exiv2::ErrorCode::kerCorruptedMetadata);
+ HeaderReader objectHeader(io_);
+ Internal::enforce(objectHeader.getSize() + io_->tell() <= io_->size(), Exiv2::ErrorCode::kerCorruptedMetadata);
+ auto tag = GUIDReferenceTags.find(GUIDTag(objectHeader.getId().data()));
 if (tag != GUIDReferenceTags.end()) {
 if (tag->second == "Header")
@@ -277,11 +278,12 @@ void AsfVideo::decodeBlock() {
 DegradableJPEGMedia();
 else // tag found but not processed
 {
- io_->seekOrThrow(io_->tell() + others.getRemainingSize(), BasicIo::beg, ErrorCode::kerFailedToReadImageData);
+ io_->seekOrThrow(io_->tell() + objectHeader.getRemainingSize(), BasicIo::beg,
+ ErrorCode::kerFailedToReadImageData);
 }
 }
 else // tag not found
 {
- io_->seekOrThrow(io_->tell() + others.getRemainingSize(), BasicIo::beg, ErrorCode::kerFailedToReadImageData);
+ io_->seekOrThrow(io_->tell() + objectHeader.getRemainingSize(), BasicIo::beg, ErrorCode::kerFailedToReadImageData);
 }
 } // AsfVideo::decodeBlock
From c555a701276a0a3cea2e916a974bf26c1d1e80b4 Mon Sep 17 00:00:00 2001
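Review bot: The new bound `objectHeader.getSize() + io_->tell() <= io_->size()` in the first hunk is still computed as a sum, so a header size near the top of its unsigned range (the QWORD field suggests a 64-bit value, though its type is not visible here) wraps the addition to a small number and the corrupted block passes the check; the seekOrThrow calls in the second hunk then build the same kind of sum with getRemainingSize(). Because the preceding enforce already guarantees `io_->tell() <= io_->size()`, the subtraction form cannot wrap: `Internal::enforce(objectHeader.getSize() <= io_->size() - io_->tell(), Exiv2::ErrorCode::kerCorruptedMetadata);`. Note also that the check validates getSize() while the seeks consume getRemainingSize(); that is only sound if the latter is derived from the former inside HeaderReader, whose body lies outside these hunks. The dispatch in the middle of decodeBlock is outside the hunks as well.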
From: Mohamed Ali Chebbi
Date: Mon, 13 Feb 2023 16:45:40 +0100
Subject: [PATCH 2/2] fuzz issue : add debug message for futur use
---
 src/asfvideo.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/asfvideo.cpp b/src/asfvideo.cpp
index 71f8cdc6..6faa271e 100644
--- a/src/asfvideo.cpp
+++ b/src/asfvideo.cpp
@@ -254,6 +254,10 @@ AsfVideo::HeaderReader::HeaderReader(BasicIo::UniquePtr& io) : IdBuf_(GUID) {
 void AsfVideo::decodeBlock() {
 Internal::enforce(GUID + QWORD + io_->tell() <= io_->size(), Exiv2::ErrorCode::kerCorruptedMetadata);
 HeaderReader objectHeader(io_);
+#ifdef EXIV2_DEBUG_MESSAGES
+ EXV_INFO << "decodeBlock = " << GUIDTag(objectHeader.getId().data()).to_string() << "\tsize= " << objectHeader.getSize() << "\t " << io_->tell() << "/" << io_->size() << std::endl;
+#endif
 Internal::enforce(objectHeader.getSize() + io_->tell() <= io_->size(), Exiv2::ErrorCode::kerCorruptedMetadata);
 auto tag = GUIDReferenceTags.find(GUIDTag(objectHeader.getId().data()));
@@ -483,7 +487,8 @@ void AsfVideo::fileProperties() {
 xmpData()["Xmp.video.SendDuration"] = readQWORDTag(io_);
 xmpData()["Xmp.video.Preroll"] = readQWORDTag(io_);
- io_->seek(io_->tell() + DWORD + DWORD + DWORD, BasicIo::beg);
+ io_->seek(io_->tell() + DWORD + DWORD + DWORD,
+ BasicIo::beg); // ignore Flags, Minimum Data Packet Size and Maximum Data Packet Size
 xmpData()["Xmp.video.MaxBitRate"] = readDWORDTag(io_);
 } // AsfVideo::fileProperties
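Review bot: The debug block in the first hunk constructs `GUIDTag(objectHeader.getId().data())` a second time two lines before the lookup builds the identical value, so the two can drift if one is edited; hoisting it once above the `#ifdef` serves both, e.g. `const GUIDTag blockGuid(objectHeader.getId().data());` followed by `EXV_INFO << "decodeBlock = " << blockGuid.to_string()` and `auto tag = GUIDReferenceTags.find(blockGuid);` (assuming the map's comparator accepts a const object, which the hunk does not show). Logging the size before the second enforce is a sensible order, since a rejected block is then visible in the trace together with the offset that rejected it; a one-line comment stating that intent, `// logged before the size check so a rejected block still appears in the trace`, would keep a later cleanup from moving it. The `std::endl` forces a flush on every block; `'\n'` is enough for a debug trace. decodeBlock continues outside the hunk.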
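Review bot: The rewrapped `io_->seek(io_->tell() + DWORD + DWORD + DWORD, BasicIo::beg)` in the second hunk still drops the status seek() returns, whereas decodeBlock in this same series uses seekOrThrow for its skips, so a file that ends inside these three fields proceeds to `readDWORDTag(io_)` at whatever offset the failed seek left. Using the same helper keeps the two functions consistent: `io_->seekOrThrow(io_->tell() + DWORD + DWORD + DWORD, BasicIo::beg, ErrorCode::kerFailedToReadImageData);  // ignore Flags, Minimum Data Packet Size and Maximum Data Packet Size`. The new trailing comment naming the skipped fields is welcome. fileProperties starts outside the hunk.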