Merge pull request #1832 from Exiv2/mergify/bp/main/pr-1828

Check value is in range before casting from double to uint32_t (backport #1828)

src/tags_int.cpp

@@ -2605,12 +2605,20 @@ namespace Exiv2 {
     URational exposureTime(float shutterSpeedValue)
     {
         URational ur(1, 1);
-        double tmp = std::exp(std::log(2.0) * static_cast<double>(shutterSpeedValue));
+        const double tmp = std::exp(std::log(2.0) * static_cast<double>(shutterSpeedValue));
         if (tmp > 1) {
-            ur.second = static_cast<long>(tmp + 0.5);
+            const double x = std::round(tmp);
+            // Check that x is within the range of a uint32_t before casting.
+            if (x <= std::numeric_limits<uint32_t>::max()) {
+                ur.second = static_cast<uint32_t>(x);
+            }
         }
         else {
-            ur.first = static_cast<long>(1/tmp + 0.5);
+            const double x = std::round(1/tmp);
+            // Check that x is within the range of a uint32_t before casting.
+            if (0 <= x && x <= std::numeric_limits<uint32_t>::max()) {
+                ur.first = static_cast<uint32_t>(x);
+            }
         }
         return ur;
     }

tests/bugfixes/github/test_issue_1827.py

@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors
+
+class ExposureTimeCastDoubleToLong(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/1827
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/1827"
+
+    filename = path("$data_path/issue_1827_poc.crw")
+    commands = ["$exiv2 $filename"]
+    stderr = [""]
+    retval = [0]
+
+    compare_stdout = check_no_ASAN_UBSAN_errors