From 6fa2e31206127bd8bcac0269311f3775a8d6ea21 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Thu, 25 Apr 2019 21:31:50 +0100
Subject: [PATCH] Avoid negative integer overflow when `iccOffset > chunkLength`. This fixes #790.
---
 src/pngimage.cpp | 2 ++
 test/data/issue_790_poc2.png | Bin 0 -> 26 bytes
 tests/bugfixes/github/test_issue_790.py | 27 ++++++++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 test/data/issue_790_poc2.png
 create mode 100644 tests/bugfixes/github/test_issue_790.py
diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index 23162d95..4ccec39d 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -33,6 +33,7 @@
 #include "image_int.hpp"
 #include "basicio.hpp"
 #include "error.hpp"
+#include "enforce.hpp"
 #include "futils.hpp"
 #include "types.hpp"
@@ -468,6 +469,7 @@ namespace Exiv2 {
 }
 profileName_ = std::string(reinterpret_cast(chunkData.pData_), iccOffset-1);
 ++iccOffset; // +1 = 'compressed' flag
+ enforce(iccOffset <= chunkLength, Exiv2::kerCorruptedMetadata);
 zlibToDataBuf(chunkData.pData_ + iccOffset, chunkLength - iccOffset, iccProfile_);
 #ifdef DEBUG
diff --git a/test/data/issue_790_poc2.png b/test/data/issue_790_poc2.png
new file mode 100644
index 0000000000000000000000000000000000000000..ec76eae066cbceb324db03b7fb531a9e50267e84
GIT binary patch
literal 26
hcmeAS@N?(olHy`uVBpGhb`Ho+Ei2EjN-aud002+s2Gsxn
literal 0
HcmV?d00001
diff --git a/tests/bugfixes/github/test_issue_790.py b/tests/bugfixes/github/test_issue_790.py
new file mode 100644
index 00000000..5259aebd
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_790.py
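Review bot: The `iccOffset-1` length in the `profileName_` assignment is evaluated before the added `enforce`, so the new bound only protects the `zlibToDataBuf` call. Whether the code above the hunk can leave `iccOffset` at 0 (an empty chunk, for instance) is not visible here; if it can, `iccOffset-1` wraps or goes negative and the `std::string` constructor is handed a length far beyond the chunk buffer. A guard ahead of that line, `enforce(iccOffset > 0 && iccOffset < chunkLength, Exiv2::kerCorruptedMetadata);`, would cover both the name read and the post-increment bound. The enclosing function starts and ends outside the hunk.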
@@ -0,0 +1,27 @@
+import system_tests
+
+
+class IntegerOverflowInPngImageReadMetadata(
+ metaclass=system_tests.CaseMeta):
+ """
+ Regression test for the bug described in:
+ https://github.com/Exiv2/exiv2/issues/790
+
+ Due to an integer overflow bug (#790), this test triggers an 8GB
+ memory allocation. So the test will fail with a std::bad_alloc
+ exception if less than 8GB is available. On Linux, you can use
+ `ulimit -v 8000000` to reduce the available memory to slightly
+ less than 8GB.
+ """
+ url = "https://github.com/Exiv2/exiv2/issues/790"
+
+ filename = system_tests.path(
+ "$data_path/issue_790_poc2.png"
+ )
+ commands = ["$exiv2 $filename"]
+ stdout = [""]
+ stderr = ["""Exiv2 exception in print action for file $filename:
+corrupted image metadata
+"""
+]
+ retval = [1]
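Review bot: The class docstring describes the 8GB allocation in the present tense, which reads as if the test still needs that much memory after this commit. The expected stderr is `corrupted image metadata`, so presumably the allocation is no longer reached once the `enforce` check is in place. Wording it as pre-fix behaviour would avoid the confusion, e.g. `Before the fix for #790 this file triggered an 8GB allocation, so on an unfixed build the test fails with std::bad_alloc when less than 8GB is available.` The `ulimit -v 8000000` hint can then be kept as the way to reproduce the failure on an unfixed build.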