From 1ab921cb83bc7f909cc98f47d113ea9fe1e65fe9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Sat, 7 Jul 2018 10:47:07 +0200
Subject: [PATCH] Add two padding bytes to exifLongHeader to prevent overreads in the following call: getHeaderOffset (payload.pData_, payload.size_, (byte*)&exifLongHeader, 6); getHeaderOffset would read 6 bytes from exifLongHeader, reading beyond the bounds of the array => add 2 padding bytes to prevent overreads
---
 src/webpimage.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/webpimage.cpp b/src/webpimage.cpp
index ebb7599d..ae165c46 100644
--- a/src/webpimage.cpp
+++ b/src/webpimage.cpp
@@ -594,7 +594,8 @@ namespace Exiv2 {
 io_->read(payload.pData_, payload.size_);
 byte size_buff[2];
- byte exifLongHeader[] = { 0xFF, 0x01, 0xFF, 0xE1 };
+ // 4 meaningful bytes + 2 padding bytes
+ byte exifLongHeader[] = { 0xFF, 0x01, 0xFF, 0xE1, 0x00, 0x00 };
 byte exifShortHeader[] = { 0x45, 0x78, 0x69, 0x66, 0x00, 0x00 };
 byte exifTiffLEHeader[] = { 0x49, 0x49, 0x2A }; // "MM*"
 byte exifTiffBEHeader[] = { 0x4D, 0x4D, 0x00, 0x2A }; // "II\0*"
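Review bot: Padding `exifLongHeader` to six bytes stops the over-read, but the array size and the literal `6` in the `getHeaderOffset` call (quoted in the commit message, not visible in this hunk) are still coupled only by convention, so a later edit to either side can reintroduce an out-of-bounds read. Deriving the length from the array would tie them together: `getHeaderOffset(payload.pData_, payload.size_, (byte*)&exifLongHeader, sizeof(exifLongHeader));`. The padding also changes what is matched: the search now appears to require `0x00, 0x00` after `FF 01 FF E1`, so if only the four marker bytes are meaningful, keeping the four-byte array and passing length 4 may be the intended fix; this is worth confirming against the callee. The calls that use `exifTiffLEHeader` (3 bytes) and `exifTiffBEHeader` (4 bytes) lie outside the hunk and should be checked for the same hard-coded length; the enclosing function starts and ends outside the hunk.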