From 4429b962e10e9f2e905e20b183ba008c616cd366 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Mon, 22 Jan 2018 23:56:08 +0100
Subject: [PATCH 1/3] Fix out of bounds read in src/pngchunk_int.cpp by @brianmay - consider that key is advanced by 8 bytes if stripHeader is true => length is reduced by same amount Fixed by adding offset to the check in the loop - Rewrote loop so that keysize is checked before the next iteration (preventing an out of bounds read)
---
 src/pngchunk_int.cpp | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/pngchunk_int.cpp b/src/pngchunk_int.cpp
index 57c9f62b..19f5d9b7 100644
--- a/src/pngchunk_int.cpp
+++ b/src/pngchunk_int.cpp
@@ -103,15 +103,17 @@ namespace Exiv2 {
 {
 // From a tEXt, zTXt, or iTXt chunk,
 // we get the key, it's a null terminated string at the chunk start
- if (data.size_ <= (stripHeader ? 8 : 0)) throw Error(14);
- const byte *key = data.pData_ + (stripHeader ? 8 : 0);
+ const int offset = stripHeader ? 8 : 0;
+ if (data.size_ <= offset) throw Error(14);
+ const byte *key = data.pData_ + offset;
 // Find null string at end of key.
 int keysize=0;
- for ( ; key[keysize] != 0 ; keysize++)
+ while (key[keysize] != 0)
 {
+ keysize++;
 // look if keysize is valid.
- if (keysize >= data.size_)
+ if (keysize+offset >= data.size_)
 throw Error(14);
 }
From e0ab5aaa87322808274eb265f4ab1d2b35ec5a85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Tue, 23 Jan 2018 00:12:59 +0100
Subject: [PATCH 2/3] Add error 14 text as a variable to the test suite
---
 tests/suite.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/suite.conf b/tests/suite.conf
index d143f780..134b1471 100644
--- a/tests/suite.conf
+++ b/tests/suite.conf
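Review bot: The per-byte bounds check inside the rewritten `while` loop can be replaced by one bounded search, which states the invariant directly (the key must terminate within the `data.size_ - offset` bytes that follow `offset`) and leaves no per-iteration check to get wrong: `const byte* nul = static_cast<const byte*>(memchr(key, 0, data.size_ - offset));` / `if (nul == NULL) throw Error(14);` / `int keysize = static_cast<int>(nul - key);` (this needs `<cstring>`, which may or may not already be included in this file). The loop as written is correct: `key[0]` is covered by the `data.size_ <= offset` guard, and every later read happens only after `keysize+offset >= data.size_` has been rejected. On exit the terminator may be the very last byte of the chunk (`keysize + offset == data.size_ - 1`), so whatever follows the loop — the function continues outside this hunk — must check that `data.size_ - offset - keysize - 1` is large enough before reading the text after the key. As a minor style point, `int keysize=0;` and `keysize+offset` do not follow the operator spacing used on the neighbouring lines (`stripHeader ? 8 : 0`).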
@@ -15,6 +15,7 @@ data_path: ../test/data
 tiff-test: ${ENV:exiv2_path}/tiff-test${ENV:binary_extension}
 [variables]
+error_14_message: Failed to read image data
 error_58_message: corrupted image metadata
 error_57_message: invalid memory allocation request
 exiv2_exception_msg: Exiv2 exception in print action for file
From 80c4d951714997f0f825e919525882e7123104ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Tue, 23 Jan 2018 00:13:49 +0100
Subject: [PATCH 3/3] Add regression test for CVE 2017-17669
---
 test/data/issue_187 | Bin 0 -> 218 bytes
 tests/bugfixes/github/test_CVE_2017_17669.py | 16 ++++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 test/data/issue_187
 create mode 100644 tests/bugfixes/github/test_CVE_2017_17669.py
diff --git a/test/data/issue_187 b/test/data/issue_187
new file mode 100644
index 0000000000000000000000000000000000000000..3e05cc9ef167aa87fc9eb690993b417590b9bae8
GIT binary patch
literal 218
zcmeAS@N?(olHy`uVBjrrjVJ-q3LwnE3?yBabR7dyk|2rT{Irtt#G=#&$CUh}R0Yr6
z#Prml)Wnp^!jq{sKt=okJ|V7YXU_cp{~yRRo|!iD{~0@<^`bydqNj^vNX4x?lMVR}
zDDW^(p7DSGP7@K%D^`h#3(PnCP~qlw5q7!Cly{KJ{S52E2g{rC#W~LJ3R$6OAeGPf
zVRG0O8-Xfc1)rbW4W77oOmk84aelYb;@ioqvjcOUepZWN;$gUy#%#Lb`srCf%NRUe
L{an^LB{Ts5A&X9$
literal 0
HcmV?d00001
diff --git a/tests/bugfixes/github/test_CVE_2017_17669.py b/tests/bugfixes/github/test_CVE_2017_17669.py
new file mode 100644
index 00000000..803bb92a
--- /dev/null
+++ b/tests/bugfixes/github/test_CVE_2017_17669.py
@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+
+import system_tests
+
+
+class RunPocFile(system_tests.Case):
+
+ filename = "{data_path}/issue_187"
+ commands = ["{exiv2} " + filename]
+ retval = [1]
+ stdout = [""]
+ stderr = [
+ """{exiv2_exception_msg} """ + filename + """:
+{error_14_message}
+"""
+ ]
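Review bot: The new test class pins only `retval`, `stdout` and `stderr`, so as far as the visible attributes show it would still pass on a build where the out-of-bounds read happens silently — a readable byte past the chunk produces no visible symptom — and it only catches a regression of the fix when exiv2 is built with AddressSanitizer or the suite runs under a memory checker. That caveat belongs in a module docstring at the top of the file, along the lines of `"""Regression test for CVE-2017-17669 (out-of-bounds read while scanning the key in pngchunk_int.cpp). Without ASan/valgrind this only checks that the file is rejected with error 14."""`. The fixture name `issue_187` presumably refers to a GitHub issue number; if so, naming it in the docstring would help the next reader find the original report. The blank line directly after the `class RunPocFile(...)` line is unusual and could be dropped.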