From 36df4bc997d74ecc447e4541e2fc3fda10586103 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Fri, 10 Nov 2017 15:12:55 +0100
Subject: [PATCH] Fixed potential out of bounds file access

This commit adds a out-of-bounds protection in the case that the extracted values for offset & count are summed up larger than the size of the file. Also this function checks for overflows before performing the addition. This fixes #159
---
 src/image.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/image.cpp b/src/image.cpp
index 338720fc..818af4e7 100644
--- a/src/image.cpp
+++ b/src/image.cpp
@@ -73,6 +73,7 @@ EXIV2_RCSID("@(#) $Id$")
 #include
 #include
 #include
+#include
 #include
 #include
@@ -459,6 +460,12 @@ namespace Exiv2 {
 io.seek(restore,BasicIo::beg);
 }
 } else if ( option == kpsRecursive && tag == 0x83bb /* IPTCNAA */ ) {
+ if (offset > std::numeric_limits::max() - count) {
+ throw Error(59);
+ }
+ if (static_cast(offset + count) > io.size()) {
+ throw Error(58);
+ }
 size_t restore = io.tell(); // save
 io.seek(offset,BasicIo::beg); // position
 byte* bytes=new byte[count] ; // allocate memory
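Review bot: The new overflow guard `offset > std::numeric_limits::max() - count` is only sound if `count` is no wider than the type given to `numeric_limits` (the template arguments are stripped in this rendering, so I cannot confirm it); if `count` can exceed that maximum, the subtraction wraps and the first check lets through exactly the sums it is meant to reject, so the invariant deserves a comment above the first `if`, e.g. `// offset and count are untrusted IFD values: reject a wrapping sum first, then bound it by the file size`. The two magic codes would also read better with the condition named on the line, `throw Error(59); // offset + count overflows` and `throw Error(58); // IPTC block extends past end of file`. Separately, the buffer on the unchanged `byte* bytes=new byte[count] ;` line is still a raw owning allocation sized from file data; a `std::vector<byte>` (or the library's `DataBuf`) would release it if the read or the IPTC printing that follows throws, which an `Error` thrown from either now can. The remainder of this branch, including wherever the buffer is freed, lies outside the hunk.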