From 1c1436e94eb5d5390f93ccf82b5cc72da70f5631 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kev@semmle.com>
Date: Thu, 16 May 2019 10:24:18 +0100
Subject: [PATCH] Add bounds check of resourceSize. (#856)

---
 src/psdimage.cpp                        |  11 +++++++++--
 test/data/issue_855_poc.psd             | Bin 0 -> 23187 bytes
 tests/bugfixes/github/test_issue_855.py |  24 ++++++++++++++++++++++++
 3 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 test/data/issue_855_poc.psd
 create mode 100644 tests/bugfixes/github/test_issue_855.py

diff --git a/src/psdimage.cpp b/src/psdimage.cpp
index 8ed67544..0f6b2549 100644
--- a/src/psdimage.cpp
+++ b/src/psdimage.cpp
@@ -203,6 +203,8 @@ namespace Exiv2 {
 
         while (resourcesLength > 0)
         {
+            enforce(resourcesLength >= 8, Exiv2::kerCorruptedMetadata);
+            resourcesLength -= 8;
             if (io_->read(buf, 8) != 8)
             {
                 throw Error(kerNotAnImage, "Photoshop");
@@ -216,9 +218,13 @@ namespace Exiv2 {
             uint32_t resourceNameLength = buf[6] & ~1;
 
             // skip the resource name, plus any padding
+            enforce(resourceNameLength <= resourcesLength, Exiv2::kerCorruptedMetadata);
+            resourcesLength -= resourceNameLength;
             io_->seek(resourceNameLength, BasicIo::cur);
 
             // read resource size
+            enforce(resourcesLength >= 4, Exiv2::kerCorruptedMetadata);
+            resourcesLength -= 4;
             if (io_->read(buf, 4) != 4)
             {
                 throw Error(kerNotAnImage, "Photoshop");
@@ -230,11 +236,12 @@ namespace Exiv2 {
         std::cerr << std::hex << "resourceId: " << resourceId << std::dec << " length: " << resourceSize << std::hex << "\n";
 #endif
 
+            enforce(resourceSize <= resourcesLength, Exiv2::kerCorruptedMetadata);
             readResourceBlock(resourceId, resourceSize);
             resourceSize = (resourceSize + 1) & ~1;        // pad to even
+            enforce(resourceSize <= resourcesLength, Exiv2::kerCorruptedMetadata);
+            resourcesLength -= resourceSize;
             io_->seek(curOffset + resourceSize, BasicIo::beg);
-            resourcesLength -= Safe::add(Safe::add(static_cast<uint32_t>(12), resourceNameLength),
-                                         resourceSize);
         }
 
     } // PsdImage::readMetadata
diff --git a/test/data/issue_855_poc.psd b/test/data/issue_855_poc.psd
new file mode 100644
index 0000000000000000000000000000000000000000..823fccf8eba60ba5e146d99ed0f6f633ed9ca878
GIT binary patch
literal 23187
zcmeHv2V7Lg_V6rSr3h$(XkZ1=Jn6l61PL`X6)+0BOK}_QE=72-s7cgBL`lR-z={P>
z6huHo#jZ#bP!NfgVz7cp-EZ#pr3ff_-}}G!F28&4nKP%)nVG$FnQLO_=?zeTbqK>-
z06f!x1VCVT_=lL-IlGC7FbgvCQ2s!8uA0+46yuo?L^;@ddx@wq>t<F|_9Yy>eqowu
zM0D;+(Q<bt-vR&_4D%Zn*0B*m7(9-K4#tIslPpzUmz1fX!?Bhs%M9Ig+#>98Vc|>T
zC^+vpcOOg~9%G7Cv9_9S5o;DpOeW%JLFiZ_fkZWnwNwehl7n$(5Ju42Drkfxf`+$L
zu|+D-%iTQD_GAhUZK$QAiP16AK^y66>FOI88yjn&^>lP~v~~2fb@eoLjm`A+%ye|n
z>_f$BI)p4J*bp->2S>I#3f9yVq1V&XgcX|9wIo__tR{)7%A)2lIN+!lN_Ye<oJ>L^
z0)m3cQ8Y^x6+|NUU^#%HP%Tx$XtW43ZEX@&i|LFOhD_AP1QBtRAWce8j3yOFqlJ?~
zsoJ_)I@(-KP>==WHnSyAa6#C$wh<A8a2(dkhZ2Re&>p3Nt=vKzv53z?rk{wgVfgVZ
zj|d~v$kZ@$#OU^Ot4CU`7q*7QX=YC*kST6tEY3>b0*xa@5s}1kCed)n-JU>Umfa%k
z2wZ7=EK}_eOq<bNi4BSv=>()UvxkwV;T+&;1v5!kQ^!bC&)7##*G%8gOkZDJ2gxT3
z?O~L>B(Okgp!eY+Ye$h`plhb1$1j7Aa<~kb`Pd*@(1fJ$(@sSQzh-7ME1R(xZUiHu
zC<HAsB~%-W(Z&&QL>!5RB(Sbv0%I{|A!G_Mh-MXp<S!-&=`-5VBrLlpaNFGi%Hfbs
zh1INX$R0$95pHf=!v%UF()7x(*Aa=@qxD`YZAmoj*rWAdPSQ|))<)p8y>L`=6a|A@
zvJ1vRb#zf)xR9|$&4oq?ih|_4VF&5IFq_=m%$!M7S`Z0?b9S(T2(9pNEKDO4n4QK3
zI>vfBMkcztrnaVr_DghZZS8d&O-<~UFjG{JRWQL|odX#Yg|s1CEEW-~J2A0*tRuvF
zP{QHpA4K5M*dkU>M*K(-oDq!|l%?TR8kw?|uL7w<20U+Eq#%}4K?sKfARL8kC{!HM
zgqA9tHsl|HAvNo;V5Wju5C%zLD{4?Q4r`$;faCej;X$*R!bfScabwGp&Br>n{FpEt
zY1jZIFu1TpF{#EDLM4aLVuC0*+fbMVR;;<zlQRXN?Y#}rZb6uE5;CxJ92aC6TQnvt
zh!hH^E^Q7Y2Qi$5HFpuhKha_#W)VT3(_$DhDH=ziO`_GH9ymqQa1^Rl2!%{UhZBQB
zaoTGlaG_`#8U5+uESTddpO8;EE6q(A2r%=OnVz3?mI0HO%O;qfSR5sMG6~9OB{xp!
zQJf}6Owuo|eF!i?zXW*%y4aU@yKzU#33NLhcCe?W+x=U0HC6`{95Xqy$H+03JtH}=
zvdt0cB*>6Eeg}mCgtMC&-{8ib$|f)_4r3MQS8T~x?rf$ZINi8>Vv=MT#bHfy5FCZr
zlF6(I%`ZxXZ%$**#N*6qPOO=jrGzboUj)w$PQdx%$}wg5k9$0`f`x@oG4KIOoB4Qz
zJSuT`1p3pI7kFk*xoDoi|0&_c;?oc}QkYNEeNin}2_nVpi$smhETCj;vhiyChaI1$
zpCYASssz{!laM*AJbv-t#FOz29hc(&xF=lmxxh$|?M9+L6Y~irV@jkO-W_TwqTb)>
zHztW-#Uzyo{J0gA^oi0$l`Q^*jA2z16*-J;LPZS@)nt@#nK;Z7y-!BTL}ha6Y}wFf
zDUs)jnHca{N+u>6p)zEW{>@5Q=KSX<Vfi!s`uF+ACz%f%uAjdQAAM)?mq&pYj)G&O
zCa7d=0TZeDpOT40iA%!{mpK>lDF9%3wYofTT<CvoGH!^N1nl4R+;D-UiSeP)0!z>n
zW#Z8Nj%I6|#Js4*VV?M%>(<0sCQtcqszl;H#*@iA!pW}B;G6`@*bSdK2`Qf@9b3nz
z`6gBS@1z99XZbQdcw*pKp0vULc$k=k@u>*GlwdNQ0DqVO;1x=B3nr6c;s1Bajc@n3
z6k`Q%T*k=|Kqd1hLyyq*0nj%oo>4skKm@R)Fu*gb^j}=Dsm|*AGwYs<Pf9kIcvL0a
zS~f6iIAW6J2`QPR%n{_{Dp4B20udFXA;-dvt70_9iTy<6agMJ90O2+s{bxa+Rx+qO
zDWNLEs5y@^pH?!A>2r%ypo9*_Q$7Vs##4d*7md9N;~N4gOeaJ&7SVrDxTcNe<7eYF
zM{s^wxF$I8f0+`l&3sR?TpSM=rX-VBGlkGFB~vJwEoxE<XrHNnQc6Bk2mg>Ve31TJ
zk;D0r|4AB-n^>9iLxw{=g9D6qA1z$LqY-`yZZsudB5zdQsZlb{ONyycGOGPN<bRtI
z*5W+R|4BmsZQ&9K4@#iKDsX-$j#33tBf>Qk@CY+`;Fyr`m^HkL5lVPflZOC6fzh}o
zuVf}~P=#xoOGXnafLkz1xC98ktT2`X<GcsvJ*!Sc{a8vS!aHG_ze9<*;PH1h1>b+k
z{2iW*2;+Z=lGP&|M-Z?N(nqZr6ZwBCTp)?T;CV9aDT2=v00$!;-Bdz+N~TgQSC$b1
z{oP8K+Sp1&xvHlc&=WYOS~>$BY?=Sca80!vg7PNf3IB^(LGB5bCZc45qQ)lUDOo)>
z5t^?NKS4ES6;Fu(39@=Qb!#AFC=t;3#f5)~5<V-x<%2&LoC=%S|K=aWwPE;D-v}ju
z0B8UW?139t0bBr=@k@XaO1?zcSiGO3Bxx*RW8p_pA~zQ8xOl-;zwuwFjG~;UV>)lQ
zGL8hdD96CP$jr^mX7D!)0B_-mJVCHFP0xs+z->?-QM8CC8bpf06WPk@&Dq|HzzA-M
zz1s@p?oLFbeU>cuf#4kA3BmvwCJ7l(nNS2w7Xx@Y02~MbK_F^a3LyfR8)iAuN83D$
zylX^klVMus9Ue==;YfDjG}b#v09Y2|DDH4S6WbCQpbLzF9?*iP3A`dDBj#NP!T>P6
zH%FACPQwe&dpSPuJ(xS7sjyxSp|p>nkvJ-0L`HofijYxA_B=8YjaP6DCQ!LG?xD13
zZea<L;J_`w5Wsh>$m>;j*kSOY9>Hrc5M(tE@N%-Vhb882b}zWRiX}${+mQc+DAwUb
zA&tP<5twwV`RVK^SRY>!%~92h0NeRIhaK1vuxK8hiw0g)0uADUh-WOp25D{9F+CcG
zfqN6-)?K(uoYhXiGt`sHX;1`4C_TeG5wn3SE(8(7R*PU*hYvYoRJGn10t@d+!Pqbp
zj@5d?olL%&U@5$#fDq@-Y}tj(I%$?<<Z7M7ZgVLn4%z&##H5@fSQdWIEKg%z;RVIa
zltoB>05F}?1V9Mk74BwYmjdmO5LiQiS7v8{uyzRUJqqmKy@!j@gS05%53d{=LncO(
zhhfV62+IIOARieR?GSE5sz<9~FutUY84C$SHm5HL*#Ll??6@f*5PX*m4<@Z50tvgo
z3(Fs*$obR)?2)j$$AWMW4ZEKvgo)528dwV{*h$Q!=3Mx3X>2K+I_909fK$QivVast
zKspQZ`35ogr2-O`I;_WFXh@%D8jqwIflLbJh(XekzidY%6WL|tyAkkz9l|*Eh-qR}
zxXBww^&_|<NsSWFBg(9UXk@eyXBM0t_+*QRQpiye0w^)oMk#h*kzC@9NM~&bhBBmr
zqG)6%90`6$0dDMs2!L$lWfM<l5hEC+#+ew3hBvnVK7u30)cG$Acg3@ZSazcz!5751
zQA0VyFpEYkh(PlR3KgJ|#^4|yE|%s@UFzfJ${9K&IA{UlX<=kaoGl?dl*D#khUNTH
z4jOtcj>UxpMIl2On1<|x9fjPFgBB#85gf|=jsstCWm)p=oVXQ`1-O$*NUW#P$PsXQ
zgkQDbYuxDsm`EeAlEGveOsEm~8E}_f*l==_0QgywZxKa65}rcVZ<sKvzsWLT1=e^Z
zGK*P45*o$qjR-xELq<m=;_N<zx&lCEHpE*31%P7QXLJHd=Dz1u_HICk@d`*YO8}dM
z@G+XekKm1jgv2xn$!XIhWu>Oikew|v<E6}O1$p_|^70C@lFWmBV-<#9QBpHzNJ&f0
zl$M@3OIlib7IKlE#bS}2hycb#AS(gC*peoUQUOA;C}CL?qZ#(x>5MBVYiOk?ig`eT
zkwX}ughWKe#3iOppMe@)3Fic1PUTF15<v+Ii3o{`i%EzIOX|Z)Sz(d+a=N0n-v`O7
zM6S~lo3(v^o}KD~*<P1|^$jSfYI||DRPQ&B-(skSUmZBTVWGosKG-Ff57LajuJL_>
zdw1r?^4h4U?;RKYe(0zC9aru>>pEO;weEShUr6-NX-CdptAFvq*lAg4%*LHrh1VNe
zdt`x-5VTf=X_L5^=pv>G^L6D!paqdC@}hd{w$DN=xa3v+Mt?!@W6Jted+*s8s=-?|
zF~k7zg@%`Fpb-bZ#xC(SqT!x!O&HsPMLZK2jX+YEsZ$nMgVsGx<#*H#N-*<2q+@6J
znkvhzKYg>`x-d0f;}^V8pQDw{?eZfZQUfrGiDH&5T{~PJtT3Av`DR6i@4JTs;!jN&
zK&PEB^s=<2+ilr9f`(|tv*)%9aEt*Cod^N9c5AhN<)%qIU90tn6Dkzv>vFB3u&<J|
zv47RB=f*EKrdGAn`VV@}{7XxNCiG`BlDtW?B#Xg;z<m$n9?Dev#{InTo7lAT_iC2c
z&J+=z8$%E1P3$@o@+7~qrkMf!PMd9w67sKl@+UgXfxhnq?XR@G(E;A4rPeFl{idYv
zR@h~)pN}g3)z*EhO+Rd1gqVWC0;htO`^#NJmgLUP+ZtafrGg`cJoSsbk-cQspI;|A
z3rF^ur}zJ=Bw?nY`@n7E^TSsn_Grd@ZR`XtOX6>>i?t}WLIouG+ZTxM_HEhvK<$Xd
z*5j*fnn{~*2d`@0QS8k4#l}(ESA&=m+V&8Izm{X&NUk0_0K}gi5?esZq92N?4iH=D
zzC%j=j90+GPWmMVxTpCc(7!XcYOCEdvyk~^^A9)rm1|k8DlTpi#@Ni%AXll{IK85`
z8}7b~+4#-%7rw<NyMOx8Ah}LnOMK`=uexmo{(0v{xJQ?Mj{($fryqZ^T3#f~)?Z;o
z*1T=*A4;6^+olV**&f(tTXm!>iGKB_x;sv+{(h~=lbFOey3LyxMO+P3V^n<zT)oXf
zcE8f}@@ZX)V#Pb~FU96(p|NM$R-QPY(c98GXjoWtET`0Xp5BoQO{fLugy=E&7()i=
zt_;4h`IN-q!c%j9&Zyga7TXlCiPZN@{)x;GHmiHD)h+x<#jLcVcdgr^nz{mB4F&A9
ztr5j&%$T!WT0}xJDRE~B-a0k^eVnwiC#khyT_5N)5N<2%b?c$e*U{crxN7mo^^PgR
z)zqVls_xL7=gy;d1U|oKEt_-HV%s&@`OTH@1A1?7?ua$DG`H$F?GLo5$EE5HpXnSr
zS@_;+kG1RVj>5*qyhp8unc$lf{w@74y|Xs?UR8DbrX=0=9Htud8w#miNsMky#QTMM
z-o18t;rZ1KSX+F~ymh@5`0elTH;xzTD=H_f*SrzGr-r^gAn-L2zc4pFUYl6B=OHS!
z##tmWrW$`QVhiS2s<Z6S`-I2$n{`s@&NT9(^ZjQTpn63{$l05D1!kbGLgegM*OndL
zHOEute)&T5GzK_Q92Z#}xjzLfR+J+Z8C`WPDWLGZQ9nIFW9>oNlND-(@c=b&?ckM#
zRp&gY*&qDg>Ev}*-ssnFZhIYlT`c*KM-4tkAMexN-bu`%7W$(^&V<Piq&NNEYGBjs
zr<9^BeXw>-keq-0#-*(uluI4yGNhMzXw<Q6$FjHdUeRoQicRCKrU3VC2`#-Mese<l
z8)bx@#fOgh^lZU}E-u`5!dO*-_^_(_NX=a9ZsWS*xEC(B@gdiolkbY#4^fKh;*5;k
z{wNi_cdqTvsBr7j-o5+U4|bhAt{v9>`jqT#uzlcU^oxFaL!0{d8QSx&cpO7JoIV;d
zXtDi*tKNtFg4`jOy#-tFWgQIAe!{m|WWCY$gIPNc>9@rnYj1ewL%=sGDh0YGl8-jc
zyBeR}wdOS@dlB(*W&_5-S;Ux_QMzi-P>i7R!_hxx%ic42@<v@#yj|)$7YnP-pY}Qq
zS)}@&!xnBTV^k+*dEP3|r`U+*Jt%MP9IDJqf+I|*gAwX<p8JdYvFk0J;>(QVJ#`2t
zjWrAEgH9V8yt6hZ7q%Nlb?uq6MYmL^!$lN#1V$FW=XG?;GYt*>$6XmNGZj1Dlz9#1
z7IY>i23UR&S{z=F>hp-{uKy5l^m61$>FYDBO%G^<4c)$w()(9{59TRmS=;w3qpA{r
zT^(;bP+t-=_PAy=JzCM^+@R7Qr>@s+4<ly2PBm5-XeHq<?Ce(B98=fw;N#xo)QrH2
z<j}T@;%!AuF{Ld{^gL_#s4di0o;?OPYBMURD+hMwp3U?9_{>5o&B!Q2qVYvZuWR38
zlQ|x>|NMtg_gV|9-M*DX-+MJ4TXre$Yb8;t3p*aEE^lpop_@!7x_StRx5oc)^;q&|
zclp3urFWwbUvC#1!Y`BUE_u1&SZZ8|e5w74UpLk5zc{G;+%)5{wSL_9<*JK&w}nY1
zhC1$ZPt#MpW?h$aSJ)X;zAIEua5@mPJvs8BdRL=!-SxH&uc!&Dp5?mi|CQ7c`{cUm
z(BP|v9^2^Vvb|k?*H_YLfw!BFNlME1*PH&{Pw%*Q>iLZw{!O*GzGY73w~mCL6Oud+
zWK^ki)4AqZ%hq8QYjukzr~m0NGrB0JM~nB)MfizT%Anf*?!7WvEiQ|`p`&t9cjW;7
z!q(T#ABqpD-F|rV_aBmvhcz$QEH6b$^~?B6=z~FV^C?t3#)cjf{kl8uSe2RDS<6Cf
zV2|PfVUPTC$t^DL&uWrNep}^w`4<MrI7K*uO|O1Me|Oe+XwQ~l5auP8_Cxern~EsO
zm}4uk;wBREL-OR3ww!re%W7X@PT-<bQBtTJsfCth8J(o(J2z}uv7(^myYicF2444l
zcj@p?O(&kd{YSn^l9Z{!a`Vn^qG)|l(>~Xj9(sCFoVz-z{P^A<)ABMmybEk`Zhz5q
z^%c3TG2wz}OYiK`jC<;r%NN<>x8B+le}4GC_IhMSHCUJ=?0YWsLZL}13--wP_i}#M
zG`t)-IzxvBQc3SiqWl?vQFEp{@@&H&jgMxiH?}8<pG(f6?(J&s+PS2m<Hq2g7gh6n
zzB2e~7n=02l{9q1Z;|8vozE+b3SOmM3{MsLRfAeuR$NyVWwkSrq^XhH;!&d+zv0I_
z#-#e(*l9~wwd+<rj`+4crcZN@sk!?p<5YTE(F%q8*-E?PU+bW>BAbTR<UiU>^`Fy`
zpR~4N=&<-vjJeo$>LZB-1}GKDMCyf<7e}`^H<OxY-A)p_BsmXuVZMhu)fIhKEgxIs
zqctvMY~Q$Jt#-j)eBI+ia`e>Z<I2k~<b9vw_-;l(;9vM)mra_a&X#WFbBC_~;+1x*
zxGuxL<mk$j*z(f4M<0snZZ43s>0V4~Ifzkgsm_(ps<lVOKXkd2s=8vxtG!Rgo9uNp
zzBBsHX0`5o8`)RHf|8yx>)?u)&1QE3PZs3m{b2vArf}QY*N2PBZkF^m*4^0bppdh$
zNqO0zOrtB+SbjORQZ{RdmYqP#%gF1XI-R}kf3beoZ%Rj6>3eb#zHeK*EUx}xxf@AJ
z^o6ZvbMZAge6;VW*Gk`jqlw+C`f#qyRwuf%xv*_;*1E^t%GH6W$G3iKTdC61XWX>x
zu&ri~88&}#k#WEEAEk14%!rqw(fFlQ^wJvMmgmT=CVFe?4h^*j?AmR0L_JXEoRO8R
zRLr1zx57<tZ0@=vK03iZjm`NcGVvFaJZh*6ka}+5RZb$^i(2j<cJ!~~{?i(*ek*M$
z>#9FlpL-zes)DQT_EfdExA7SV2g@=~y<Oh&oqHO<Ze@U5p3k-kZ8w$AB<?#g2Xr=C
zr<x2t4;9+C@4yd(+53;o_|-A1C!n)u@%`Alw+m|)F0TlD{J6iYch7^;rm$I0PtRT6
zc(FOYKYei3^P?t(o@V~NmhRb-bpQA5RkitPNh(&qD%KA{`!3~Ci7)-S3AG733JOkL
zbv5fG4>>cy<5_)Kt`!{*%qiL=OAV3J2P8y>-j~H)ncg?*M7MI6;as<zUm9JK-YD-a
zY5NB%MS8$1wN}NWd*w;5^s)+x6nPj5XN>eQj|VP2^f>1gO1IBtFluYtJ-(U!VWk_X
z=#>aq35H%5l-2t=t?W?RUV6VfA0nO6iPVG&^1I)gozI`!BoY=+Uoq<`YW<rPDyJLP
z8)Q_(d{|}?`_aZ){i`e&d`9-#WSaTx!{tswPnCPR?<U~OvZJzUUBVx%483>%y7Pj<
zc4Bm8X2EIYRYygVS~rJ%Oi;7W_IK;jOMaA-*gH?`dP&T?=)$heAD!h+{Zi{oYm7T<
zsIh-nwv?>ehdI`zB_sxbAv<-zDz~{#Z}5l1kr+kmz1a?C(M2Uc52Ot}v0hqvry{S;
zLa1umSCPuaEzi~6JMJ~a=bcviw)E$D8Xp+Ix9P%$y#u9f{b%IRq6Kw@HGQjG+C5M^
z;?mYh$8SbgR+HbwbPisn8z0lX6BRo9M{~dJ{g14j+T(o{UlFq(T{pUH@Tf+D0ZfmJ
zHdxt&p(C*2gV^#tHs24b)!SsYTzff3;r=Tv3?UM9ilMJpGr+3K6}v5+)YWwh11sH6
zH*XDFu<ls&>;5M{rQ8V8LrXcM?kacrcRN1Hb+|;$Iw!>dHwkWfH|MW9I7@CR?V*3I
zs`t!)UN$$odd_G2%HWIcFK((>r=IHQ$TzHd@=iQVx!0iAaz(D_uDVVO(wT=I-Tp11
zgZ{EVz8dlsDp|Df;rWIa&-&-Rzf_%>i1%-$tI4Py5B5Hm|8-(#;!_52dcXi~)ZUcy
zk6!1?^=#-$*H_-l086HyExul`MWpnK*t+cBy8N>TA1zv;qz05SvIfJ5R#{p0+0x)#
z@myJRdct=txw{XQN8q<M?Sn~s%vaaU_wj+us{3_UdaU>5ceLdj6`i5B=pRY;+#U2|
zvh;$aI0FV~P4WKov6s`U{*8m*rKe+Zqvi$Zo@jrZd^0>JH!N~tVp@Y~Sx<LKZLy)2
z=+JLVR$qH!xTsglzgJTe6L{U;Rtg_08S|pJY+yZ&a%IE(l;?peYi^h8cWm^Jp8F6V
zmbXpR{O6|&WM=Iot^B=5NMxnoRz+Ls$2S+nm-j|5lU&7MeVXsyqxNdN%e=N4nIY#j
zL3vqq*H)VY)yR8t?S0n8^`=3=450VQT$2I%T_4enQ#SRv$SB`FF-ytirL;*`b9~{9
zFr5bDrN0gSWVcu2CN6;R^ZlA8*J<YdG4y4Lbu|gW8BXeLZ`N*NfV&O))tKrS`J$HZ
zViJ_!drQ3u@3QT9wYtvF&^CLf>bjdl-usRw5U(G9n;birkavj0_o9ObvY;NjV$*LH
z{iEw^%!B>AH$0t@c@S-wgT55K$HLl>x^>gZwmTm(yw?pT|LV8-e#_yD1MAE!Bg4yZ
z2bw!5ZoU_Fp1z9teNee?adr9S%KLh2R-Z|KBXXlpYhduU?nC20?5d6=L=S3tthehb
zc+yvJ+Un%vWg+!7HuG*qm)(jfns#5o=Mpj4cD-ZXP;__64(ky4lJ@XoV|wscn3A{e
z-ELpaQFTh|tEkNnsWHqJYZQ;JEMS1Hv&+|2>y#_%Dd(J=dFdveZrV~$9~7;6&H%>P
zkIIL;tP7NP6+PN%RdVp3_%78@>-3U`S(|S~^!=o?N!xa7{kjF){EjHiIn#C4Y_a&C
z&V%*Y10IJ=TFd6;lw8=Ln({0`=C8`4?`J%@ft?dh+OWQ*BBg=>bQNzkb}UWF+COxv
zPs?}BP{e?B%8NrShkFNpvXJ~Jm120Ov7z9u^1e4B|CDpEt~CC`Dt!JAmS2@I9<WxY
z=EK<;0AF~bkOe3iU<<JD9Z)b_`bCfOP6z<`aVXI6C8IZBEs--<xKt1Ys6;n6uowao
zKoaUfUV)&H)h?)%1;Zs<ln@g}%7385*m$@!jFMx+kP$VT4MQrFA`oTD0pJj7E*H*5
zeaoUTM0j<P#bpO%4Ll#E$6RPeR^VzjhBFtH5tre*JPHl%LjI-?Bmn^58L;ojD%&#j
z$Zrjz0Q}Y<Kt8-`rekELXN-m)US)pQ5Q+mL+u)KWa@Wz*)6Hc2$AI6&%M{}3Ov@DJ
z!py~LNH2yGX8Q)$<$1oLNIc(A(H!3pPlQk$8K^`do@~Sh<X8$%#6RX8X$hH3SOO?X
zVh}0Z*~`%jsYdX&BnM<k{7-m}T$)E(1K2ux^RJi!M~X9P)P;2Z1$~5yxrlCYLhLvq
z#gXC!0~!@<V}+Dh2NXQ|k~~KebLroaDzNqr?V)g%`k7)Jsg4wmJ;=%~N29AfiO+7t
dS1&U2g@Xh~KQk`-nWcHe5K1_NU}Sl5_<wlRIw=4E

literal 0
HcmV?d00001

diff --git a/tests/bugfixes/github/test_issue_855.py b/tests/bugfixes/github/test_issue_855.py
new file mode 100644
index 00000000..c1c78bdc
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_855.py
@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+
+class OutOfMemoryInPsdImageReadMetadata(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/855
+
+    There is no bounds check on the value of resourceSize,
+    leading to an out-of-memory error.
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/855"
+
+    filename = path("$data_path/issue_855_poc.psd")
+    commands = ["$exiv2 $filename"]
+    stdout = [""]
+    stderr = ["""Warning: Failed to decode IPTC metadata.
+Exiv2 exception in print action for file $filename:
+corrupted image metadata
+"""
+]
+    retval = [1]