Avoid negative integer overflow when `iccOffset > chunkLength`.

This fixes #790.

src/pngimage.cpp

@@ -33,6 +33,7 @@
 #include "image_int.hpp"
 #include "basicio.hpp"
 #include "error.hpp"
+#include "enforce.hpp"
 #include "futils.hpp"
 #include "types.hpp"
 
@@ -468,6 +469,7 @@ namespace Exiv2 {
                     }
                     profileName_ = std::string(reinterpret_cast<char *>(chunkData.pData_), iccOffset-1);
                     ++iccOffset; // +1 = 'compressed' flag
+                    enforce(iccOffset <= chunkLength, Exiv2::kerCorruptedMetadata);
 
                     zlibToDataBuf(chunkData.pData_ + iccOffset, chunkLength - iccOffset, iccProfile_);
 #ifdef DEBUG

tests/bugfixes/github/test_issue_790.py

@@ -0,0 +1,27 @@
+import system_tests
+
+
+class IntegerOverflowInPngImageReadMetadata(
+        metaclass=system_tests.CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/790
+
+    Due to an integer overflow bug (#790), this test triggers an 8GB
+    memory allocation. So the test will fail with a std::bad_alloc
+    exception if less than 8GB is available.  On Linux, you can use
+    `ulimit -v 8000000` to reduce the available memory to slightly
+    less than 8GB.
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/790"
+
+    filename = system_tests.path(
+        "$data_path/issue_790_poc2.png"
+    )
+    commands = ["$exiv2 $filename"]
+    stdout = [""]
+    stderr = ["""Exiv2 exception in print action for file $filename:
+corrupted image metadata
+"""
+]
+    retval = [1]