Merge pull request #1534 from Exiv2/fix_1529

Fix out of buffer access in #1529
4 years ago · 0230620e6e
parent 05ec05342e 13e5a3e023
commit 0230620e6e
1 changed files with 3 additions and 2 deletions
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m)
 #endif
                box.length = (uint32_t) (io_->size() - io_->tell() + 8);
            }
-            if (box.length == 1)
+            if (box.length < 8)
            {
-                // FIXME. Special case. the real box size is given in another place.
+                // box is broken, so there is nothing we can do here
+                throw Error(kerCorruptedMetadata);
            }

            // Read whole box : Box header + Box data (not fixed size - can be null).