From 80cd0d2990303b5ec45857fe286d2629e99dc9ee Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kev@semmle.com>
Date: Thu, 16 May 2019 08:36:26 +0100
Subject: [PATCH] Add bounds check on allocation size. (#854)

---
 src/jpgimage.cpp                        |  15 +++++++++++---
 test/data/issue_853_poc.jpg             | Bin 0 -> 15780 bytes
 tests/bugfixes/github/test_issue_853.py |  26 ++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 test/data/issue_853_poc.jpg
 create mode 100644 tests/bugfixes/github/test_issue_853.py

diff --git a/src/jpgimage.cpp b/src/jpgimage.cpp
index 63c70fb6..dffd611d 100644
--- a/src/jpgimage.cpp
+++ b/src/jpgimage.cpp
@@ -31,6 +31,7 @@
 #include "futils.hpp"
 #include "helper_functions.hpp"
 #include "enforce.hpp"
+#include "safe_op.hpp"
 
 #ifdef WIN32
 #include <windows.h>
@@ -459,6 +460,10 @@ namespace Exiv2 {
                 --search;
             }
             else if ( marker == app2_ && memcmp(buf.pData_ + 2, iccId_,11)==0) {
+                if (size < 2+14) {
+                    rc = 8;
+                    break;
+                }
                 // ICC profile
                 if ( ! foundIccData  ) {
                     foundIccData = true ;
@@ -481,14 +486,18 @@ namespace Exiv2 {
                 io_->seek(    14+2, BasicIo::cur); // step header
                 // read in profile
                 // #1286 profile can be padded
-                DataBuf    icc((chunk==1&&chunks==1)?s:size-2-14);
-                if ( icc.size_ > size-2-14) throw Error(kerInvalidIccProfile);
+                long icc_size = size-2-14;
+                if (chunk==1 && chunks==1) {
+                  enforce(s <= static_cast<uint32_t>(icc_size), kerInvalidIccProfile);
+                  icc_size = s;
+                }
+                DataBuf icc(icc_size);
                 io_->read( icc.pData_,icc.size_);
 
                 if ( !iccProfileDefined() ) { // first block of profile
                     setIccProfile(icc,chunk==chunks);
                 } else {                       // extend existing profile
-                    DataBuf profile(iccProfile_.size_+icc.size_);
+                    DataBuf profile(Safe::add(iccProfile_.size_, icc.size_));
                     if ( iccProfile_.size_ ) {
                         ::memcpy(profile.pData_,iccProfile_.pData_,iccProfile_.size_);
                     }
diff --git a/test/data/issue_853_poc.jpg b/test/data/issue_853_poc.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..7dc50d30d27ecb6d41e98ca8a40daf1e5ca48c0a
GIT binary patch
literal 15780
zcmeHtd6*MbzILUPkW5S&6O&0|7P3^CrK*xt_R3yayVISf*U)s+K+`l0bh9)xi-0U5
zf}^77sJJlhf{GiWD9SjB`wA-JzKt8sb)4%c4x;q;J85Rdd!IYsbD!t?p6|JTeAU&J
zlS-vh=RLpW{k`Xmy*2g`c1F3_P{agv7$$%}Z0sZ^a${qkoc6bdTyA<x+oWPcQvnkQ
z#=bx8OAI!+4x7JVba7iLYw4QOZIQf<2{8kv!3b<(U;mOt=$iku!Cn8p9eWe~28O-P
zprh+=$q(-Rw)379*&jcBVFQPwbN`#|j9CLq`r$G2aLqY0;m4u<2WYEjcC_W7{RW0f
z<+J9`nuTG%`UuW%9;{s>n}e<y{KYlHOXttUFxhH!e*Qq;5@=rrZDQuoqETq?LFX5b
zfA_gs`xoCG9q5Pq$=-wW@?}d0;J0K5mrct@(RWWn{a5!dT8!G~Lp#zxrw^_<?J;Q6
z<IfK*44b$F0oYK;g;_2fX8a6mnK|6oKV(_b-#3iz`hR;vV>NzH;zkTpz_UH{YX8#3
z%f`=%(2E$8VG2x*=`k~A$DA00`LPHV$1+#}D`S(e4r~fG4eQ6|VDquX*m7(&wjR3x
zy9m1syArz=y8*iuy92ui+l}qT9>bo%p21$k4q}I~cd?JK&#*sXf5DDnCj<h4M1Tv<
z6zByL1*Cuy_ytixN>C6q3EBix1TzGKf(3%5g4Kczf{O%~3$7L1B)CIxzu*zU6N2Xj
zhXij6J{BAmd@J~|PFN@Rhb?S477WKi?06@}kA8TO!N2p=tK!rvyrA;}G}6Dsm&P!Q
zOdt|sb%L=mOc2>}dhh&WV5BE7(U@iYHu6wD*WzP+EIT$fwhlvJ2|oR(X32uB>oCES
znep}qXJB&pCUOx0HUka<@D0?iheKVh4ey1&5eQG6hl>RhPPLH(DzVeh^}-wBpgDCO
zz9IPasW!TgcD&t+VGIAu4HIq?IBN(9YEJ?;#H6)93_VBfNo%iqqrzlV5M~8KnQ52V
zu2YhFrO&7c(pn#54iGwzMNOC#q!E|GvnepYRm)n`9*4zCYF#?9%c!v1aGzam(uxVK
z%w>{VbrPdNY%!}W3W-93B8nZC*exo9Qi{t&YL!?e6KQZEe5App3Y8R>Nc9Sd2A3Ea
zigYnrH>t4`GP^}?u_#SC01uuO{f*;Udy6`QwpyryGvf_7o;p(p28OObwL=@Ogz*y9
z8tAHj?r@Qy?z3NBEQIkApy3sYpuzYp9;=G6YQt6)Ys15giE*1FW}Ks}0V5u_so)Gv
zXw5bi`j!w2xiulX%5PTqt?IZ#=XGoBYN1&r1!M@F*sc_kaG5}-mjI$Rz0#<WY2`w-
zQfiP%3`&VgE|N=SYNcGKl*(|af$`cYug2w45Kg6yP+P1jqaGO%+JD*a{{X??VSv}V
z@vaNeqt$v3NI)C9i;e;z>i0N2wJ!l|2phQh_{B8{(RXXtz!A=`6@+ZsXuuhWIs%kA
zO5kCKHf&MB(G_vWU0Tke%n{1C9rrmj5`>~400sg`I8;HqHl&yMjL2SG7O_Kt?80tS
zG69**T_?wJT$ze8$&e%9(BO81jMj+3)+mDn3<n;}rb1sKbjVn=I^3WVs#J17(%^RJ
z9d<ck1Bh^w5%mtPM);ssZL5LxkKQ2=Y8^yf6Jg->>uNYa@8Iotf5$ru$8p<%k526f
zd1PPXcNoWW{3B?K(e*58i+XJ-+M0x8z|Q$e%%VzI6`Td<EQ+vOgaAG8(H~#=_~R$v
zdT0NeNA|0{HXWsxc-(s2VGuhEvXDy)e#h!%PO}2M&#9HT?KqeP{I=PE6K0jeqS6>}
zi(UqXqSYxZxKs;R;Bq*rQz(_V#N?*IdJHa?%0;S4r^;qine{>#T6n;5XvQ%?@E~x}
zE)oiHjZh}RL}E-R{rjlb02&8k929gDfUgD_907=NJA<}BBoIjjVo_Zk+(C>W8;7X|
zEBt!IPbIu-3yhwp%{fYwb*i$gHR-dZttt+D%7UjY3ctsc@|eT`rBDDJ_dB&gLJdaa
z*GZt`9ugrHup(Hzb{%Vw0bGPt;nssAiHtg#QKJArAld*>I*mdBhJwqL8l_sTrNc2#
zIz`9h?r@k0`fVPc*5MW@<aKp5Yd~GnVp5q{EXKfc>%_=y#)tnOgAH%d4i@k$6e6H4
z6bZyaOoC%F9Fs`li}1D%`VLkF9fms#MFE%1Pg~=DGV8TvXz05#<_=L$bJ5pQ(L<Tg
zi!q2ToCAV}N-4(RD?XDrte3&g(t0nU1qbk&6dtpRBDFq~jMB+Si}s{l&05ZYKn+m?
z#?EHM!G@ehwMmKMxlSuH=y9t_p*8EQcAb-S(p=i^k5TDjs8I3diw?d-r;1K4Li+s*
zi$$i<3UIktii;#*1YqEG==o*1Sf*5Kl`6en16HLq>NOgTNGt__&=?B=pxW@)iKWN_
zkPQhj5p6NDq`fiDlo+xcp)x+3->l1dh#X@pc!@?YQ3z3uNmoP2oefgB#VE5<e8^wo
z!ufzZ7j_rY@o2g-W8Uh4HCtBBU9vFOx-h`4V7Qf3V52{NQM~E0hMwOP+Bfp8o1=v-
z?SoehthlmoWMy-=D-`ReeAne$Zw;oe=<B+3;jDWX&b?w_c-7=7BQB5CYIP9~ok63Q
z<7!+fm5&Iel3IKcN$Ny($R}$?07EMg*-XZfwoE0)HWaeiT#EI1!Xb(adz@}NLk==d
zJ8d&sj5>o<skY!|vr$KzO%|h#u&Y#xIvM0yiBKxT#4@m<aT7r|NB4(!LW{-jCv0)r
zmUi1SjEiTTW-CEE9kiP)_=x(1uae=)g=AwoP>geOiyih1>&^K&AHlipQI{bXA^=qM
zL_Q+xP(}$QYg5JS>V(@2i3BXrWl%s$f)K$t4d5xXRt$dRGUEZK269%wgnJEY)~W~?
zWnfM=Jr2)hQ_2~K!E46Bax4&Y2^~W*T!xRO3&9j0D^x-atzbEUN_Ru=AU~zASe+fM
zR0HKIldsshn38ZR3?^Ko7lXHH%xVK^AZeA>fXS4|Da0aht2!wzmMY;0b|n<cgkp5W
zB*404U`;ig!0;@m;_Ucnz!97aOc9Nb6k-e93dTn!5|AQXA_G%}ugY<QL}!pFv|z31
z*8qB%1cm|L0-$`rTOXz}AxECJ7DMisTbp^A^FI{w?u~nI4Tra~%q5g1q*BP`QrKh?
z0i};n<`iuUL+EC-oKsaG)N(j4k_JcvWP1od;E_Iq63CIysYJ0^FC$GjcxS+@0tf+k
zk68`j2XM8U)P9!%xRRYPFb-#crsCOrp@LzR&P;t3_GG1tYpBLLr<c0s@>AzV%B|)~
zHQq9XYwC3RBU&%5^>PL(sG$QII&2BXOrfkbP_P8zGQCxz(9}W>jJZ@IlS1UK6RW_i
z!SVnW1gcnyLJ^8mKmH;Z3+fP}5TU^+r8RWL$XLY_YtZ3!QY8cfkzC39NZxIQP@Q6|
zNrp^>-KhYPaB4V0mmqafn<_vU_y8I6T9gW*SS<7#)KNn1cN!q|Ln>qS65v5Tt2RRD
z2)zW@qC<}ZdGK3sxYDARz=OGU3a?28=iPRjFA_~Pv=m#rlMQWrLtCs^iRLSTH1CPG
z2MTTJ=I%mAPqfmRtW<;LHeY$V)fZ4WS(`Uz31&>utdUJx{V_a{!reYO;gM?fQjI~O
z)<eKTP}F=9@IesOqBS}xk|6}ZOHs52G!R|E1n4cwU~sZ-%75Gdu3BzHH<XFxC_rKg
zC5CJ2RLXRm;r#@_#Zx5bHuD}FJTl`n0~tvBiG)K1VLnNy;Rt*Ne%<dx{1MoZ$BO%H
zDj%VQkK6`4qQ}9UfC7N0j$0S_H~2I>A<%O_X-QEIE)?Yo<w8?eve05_>WpTJLB149
z7o&WGzfd2Z)Sd3^<2(97O;x(sMDtT!X&!Q&L=S9<#O)rfJ0ORh^x>3G?e;2ZzuL)4
z>`t*#D^eRUF)jdDB;cLMSp_oXUuupk1th@*QBeCkVqjY1&>@RLMpak$%@}f1875bv
z9oL97TA@-UkgGVBOn8Y<h=_Bp3~S9Z)-+{Jxio1~%lmXdmN~}60rLl*tpa;tO*+3x
z4Ka%*RYASXZInT3wCiONhb<drGO0KKz~^(B`X(+@^u-c^RKb_#BYcTV@`3u6O#75b
zxgEk5m2PlwNjn<=?kvF36JaWCo!%rd+HsRp;b4J$N=$^>=)@gC9TS!-Gyp>_Y@vRL
zq#{hBgvbR$4V^fZ=D|Rab%?Q}g8ordc>)>0u#Sa`EW-;I45BvLng(W%{_=fxbm9C{
z?|abaZG&^r=cgf?15Sx(<@g2^LnsnYkVt<eJM9d_s%jJkycEoI++%CMkAf;Z8eXT+
zN}yX(B_>iuJ+>HwG6hGQ!)`ktp*Rkb3<-W)^qP390t~TWQ}b@ENhJrT1%nGabWp7X
zjcSN!Ay+P6=uYx{D&1D?t8@=Gb`4Z!40p_3J!NE7raCiI5z1T!HRqu-TsX_~u0%4L
zFUF%>h>OJ2sR(?t(weNVa`jz&OINDW8Q>c{90zpE;GqqqMWa#FB0O|R2;m95=oF|@
zr4ZN3OirK!Dms8$&Jf8}kSvfPLM#JEg<XPTlT4<>aTQ{!V4dKH;I7DZQ3Ji8`$7i5
zu`{GNT!hIXM&fX3BIrr6&Kym~DLb&ST#(4xwP~j+L+N8-$P#3R(d6u^rlg199EOBh
z6)`K~z{|iK32l(n1`W8+fTQA=)IvOmv`J{>5M3d#CnNrJEW*bVp>#aRaWUBPxniXg
zLRq}h8IGkr!H_eQ^cRY*5J!6ac7`(1E{ntIHbT`{dv+k@BE+i@1snG=#3iLdok2{p
zTFNigYH+Ov0=`h8k*W=HtqIrZf!|8?$iL9|D^((yN`zbw!d;Dl!kv+g0+ENG0NarQ
zc(4l<Dv0eU2}^LEu@<~8p7X_`9xmd}CFzVql_S&zmjT=pY$QgiGF~F#(c6_0NW6ZX
z3`&@oNft9IIFCN%)<EFmpkC4AL7ft6U&gKm#sSHZB@my5EKE7*SRz!2g#&>=JjrMC
z#eBJ?p>syMSnrRe1Cc1>3-~;g%Hak+PH+*z?;&W$=%F+W2_;L-4{O000<TyEylQ-y
z;XD|KRIUVjF$Oug%^^3E60J#Yc3Hep$OtM=ROJe&oj%AB8pf|M>g$wx=sWZpphlb>
zY^6revAh4V0ZfSVpN;|_WI>r0s!~MdM6#U6%6m+_$Ch^J(v%rMNd}#%fHMa^MQM1a
zj<c$YE=|sX8`NUaEz*G7n)O>Cz6W(s_$i=%feRqSqZ-(VM@SXNP+&JDaF+<<F=><<
zo73&(!jXJBRmc|`3YB7^lCN*!GP!svPJ1XP>9#s;q)rV?99O86MyuZABfUN%<cF}w
zW=hT&PjN9l;ZSSUG8qm}4weMwqSTqdT;v)XZnT@dF}Z`*nF*D}p)`9eOa@qm#uKmv
zk|tlumI?#Uu=?U)QgWqMs*sE2h|Hp(53c%;pf3au24h0G0WN?s2F}4p-2hQNV@^_9
z-lGRhAo&3-5lYVmsI;F<L>vXyRC1_52Ek-Pze$mVkL-AuvI2pK6Y`8n5z>i~^_XP9
zayh@JTqvXy>7Jgs)4QfR9BvowO(YWKRH8m#$Q3H-Oevg5hGJpH>!M9ohf!}+$br79
z6;iEIq0y-ocBhSv5uv0fU8EAc%Fd|hgtMU<&Qx5<A`{K%JRzmksW1_Gn?q)ILR&|3
z&OjClCBhdl`#4)LW)G(<j0$2uvKuIRz@vnMT49L6aojwRg#bztQGqf8VS;4O2khCf
z1K1LrNxIBIr#Z`7^0bntwBTKFr@>^zfvy$IiUg^JvNvIqgQ-9z>t}3nmnP&ggsf_a
z$t*#nb7h{-wRZMSA6(i#ducjTOr`jAI$bHZ@P$ew&V_wZ*2Pc`(rQxKHA<^NZO}o{
zrcfJpD)k1fLIp(uP;reDib+2ZBZW8M;u{OSBYaygoo#m(+L&}B5zN?_lqnDe3$aA%
zsaz-1+TzZ%Q^`ieu7X)`Dh&X_#?1Z*Sc}~1ltK`e;3BzSq=3+^0dGWPs1~*WB?Od6
zxK^gDQx@DrKIVqOhfrHjsyWgC)rLeSvaeGFZF(dkxeZBD3FS!Ip#?7iB%-7x#8|ru
znPMyu3HrSq-K`DfN^9?=$$gNOru5C8Ik==xDitYlsT!B-G)m~QN~c$w?Fu8QBt2xT
z6l<OqY^Yjdc~>-RNi=z(o2iN?)u7IIdP-9w&3&#?)m!TF<y(LtSYicWkd9E+!luok
zoQ+LtZ5|XZp%)N^fmnk#L977^Q0pU%HOj?MfhZtJDWPhv#S~FI>f(K-tVf%5D)Vkl
zfwdNBE$`3*?Ss8QYEc-8x{^K%7ywXq`fN$Wta6%EL9+s~PM9zz{qBTM6Ju;i!j@$m
z9PJIK3YqGRmaeIT%h&g9xN_$5^#cR*s;yJ%%WaTszyLyC59k0u5Upkf6mB$OH=U`_
zDdo6yB4~(OwMMN6gV3l9YDgFWk%0<0auqXIrjlh7$6LY~8r-4O0fQcyG=nO%JCcoT
zeU-|z(xqysZDz4=QKn}Y01TG8h+MlV%G<qZrPTrDQcdVM6_*hq<``?xtq-{EA%_7P
za$H`k%7Au>5up^NS$#IlfM3Ky1Z3Sz%$@R@(u^L0D&UhLv?bU*nxYfjR{}wdG3kLa
z#z8!BX=83f%3<JLhO?ZOB<l$VBmYug3C1{=n`XF#JJXP_&Yrh?<D#o>U-H|VM>lV2
zY--Q)nLvO|2fcnb$(l7jn*}(vkES5DnssWuQUPiau2iT%K>^hC8l~O>sfjDK8v{v*
zn;OEW@`Y^CtTWT><SYJ6GXO`%>dm2)GuA|;N|DB%roNHN;F?5rPOzyb*3uhmoe5Z*
zy>TGgP`80eL8h-0TDX$QlP>TaXVlAV77zmpAvOo~YKm)0r{lD@*B_fhbMvXl#WPl4
zGI`d5Xl|oFaXuB?9LjIzCtX<V+SuMdeNrEjC<L?3b`QtK3jX>w1L-k1XpPlrv@se7
zWA{cK{ut>EIav;(nSt@yDWB0o0D(|w)u@J%f?fz^xKxJdJM1;yps)|ORG++V^?e&h
zUb$`SE4Oaiwy;`GN8=HX+v#RlZ#c+WNjr!iR?<N;UYc}JUXR1=&_LZKSK%6iTxY@!
z1k@WUlM6Rk#lXG|R)x{7(ApFx`_`REF1qOYZ6c#lPX`qgCwFmB>uS6ybFiTDr<C59
z$;|{Dj<AQ;S_q|qh=;s|6qgLRGa0^^<TGw&x|^Nr4vh}5=lD{WEZBTS|LD3>^}KBL
zLcY4C&~;_Yta+s_ccMTCQ_g6?!IhXu4uSyO)=mZV7Ng4S)VY16CrVO5yDvoglQ!CK
zcF+dePx!n>3(RT|G81$M*b<0DP!l4?fP#N51%UDIzIf%1b+cc-?V`8uzvA6J+b(M3
zR}WP0S~dH3b9ycHS+mWdGMcnTliN-(pr<etOFE!X1UXWq(JOU?9OxZx5UVtxUjWqu
zdM8sD03Vr_*mdC9J<q=U;0rH6qF1`Y0E>c6D!p+9o7M+%5TkV7fYupwQC>bC(K#G?
zqZL%NEEnW`blB^v4|;fueZcIROR>wm+ybZn+_Nid8oDlO?Z3Fvck$%8zpc&%A+0&x
z2qxi<W`g<lP_fG9D_)K#xirc6wIr={GJuMcHWF^5+Xn@bLZgLH2ebl$pBS-9m@Gp_
zu$r3(=RLM%#j`svc<bJ)KHPKd^OwxMaG>R>8#eyosx=%NKy=q`(OIlsx5MprLozS0
zImA;mT8Uf-E&*gjs@4M%P_xT)He@>*Gkhx4>K}UL@KbNUvvudLazj~0hb11)7;l73
zj(a$3q+sGIS`VjkM1brSgOrhUE8I+m^?)03u}C@|X-I|=gu9<$=h$7Np7<&za;}Hl
z5X!GhP1;yowl3YiI#*qhD#v{s$zf-JOQ%X~rj=`+>g0HW<DI^k)f3jaSTdLdk_8Bb
za}_q<2=<}_V(AH32`6wa7-yJzP^naqC?F8ZB%p_&8W|Z2Xrn^GmgRF^-nseZdoDV3
z+or>}UU=xnb&qVAyMO!Y$1h%JwSt8(Mu!vNHrs7_!rtGt!ew<q0HTyynMMs30cb$z
zff63+x*D@cqZWf38JzIZ6K}u&z$*tYxbAn0H?D*7RUfRznrGyvkEFYXnfe~J%crnX
zWV+cJFMGHGvS^)6q}3oD0~A{{8Bm+<sm%tU;uD@1&O!Z-Xm72e2U09SEDs81sMSCP
zf<it<lUbLIBP?l`E$K2ONCOBRSrW;RP(eWY&e^mqrPtZrUSE{s*mT$pg(=5n^3_4U
zWok$7@T6)FpD(*2yp836d8tkIK)_qf<+ELL{mEi|rM*&VoYXqGxw$jfP%bsKx3>3|
z8(N?^g(Bi#7pF70LJM@$;tg4uFc4lKeZca(#ja?nO64kCQxCwBtj<eT=epwc79VeB
zvoc%M9_b|G?La4K%4V<=NJE3FA7w0btkrUWMQu8x5x}X*ATYAyGXMbEIwUztEfkO-
zP<1(<6Xe~H#~SkxiGT+pRw&@)gU+Pa3UVUn)B*D?1iaZ;8bY;~@s`5=N}*V3YM(x9
z!IT+uKnd*X=_{983i&d_`oTOPS_5YX^C+Yefl7a>)X~|~*EO}jskOT`-PhCIUvBFH
zJS&|&O-+*ux%wnLaeQXW^nsQc!|CR(T<c)l;`67DtSk2pbA`@mV;2d&;|W7}mYJR4
zI3&k2t+QI^udmKq%~b~zO+CPZHU6lbPN*FjOQeHJOgH;FwM0G1a1jsb&?%%~Fg5$B
z9Z?&Z4Il(~0W(6M)?~&SOG4%Z(<89Sq@2f<^HIS1A(^M06G8vUJ2kuw$|EEmMr~S{
zI!@ZP1vY63WKC?GkMrQyIlr^uwnb=Hlg-s@p@%HaQHIKReV}l_yhkO-@&TmM^SPqy
zvHC*aymDtxdrP&kzTDD2v#p~a@a&yBIAzN8u9m57jn#X47vvhdGL^1kTmPhiRpn{(
zKxqWI8%PbLCdgC@5#vrZ0u<4XIhkoA{IuafqR7UxZS5U}e1VHK`Lgp|+;k>AXr^1$
z_7<<5jT+Peqe2Qyu-13vS0LLU{wS-%(F~hJ3dK5r4PbyMlS=#3J~GSb!FzZYnh6Wr
z@T5^4BJt3#)kc#lVb<gsZ*yZC@UUdDYf@8ZOQoyYKBF<?w3TDQq|ZaT=xn;^h~)!~
z(<XOxPya7Ta!>yoeT%+opWi!kq^V<0FxU1}_sI6r6uz;_rWzud#z3wOPHMd|a6?Gi
z3bWM}$@-h8SyBylu4L!x4gM^VsiYbw)V6{4w$4I*Td`@tnH(gd{bpyYN}Fy9+Y=T=
z)F^{_AT*T%Zd0QbVsZ4;R;%D4V}NzYV5;9PwKH;)9jbGEx_O)tL74=)DMXQk(*^|r
z$o5cd7yK}ZYK1vMkOpCzFb8hLSRuXP&HzJ4%UrCGLcsv$P~t|J0T+Scz(jO=f-d--
zC6+41!(lHKMb_C!B+Axkp=b8!jQ)8&v*vY8pA9}VsXDWF@!F*uF72MRXsqj^PxzK{
zeFqm!QiS_YtqbqVcIC=FpsI!-DY_WoZ_aQ^?_^Y@o8YoQkqMTA`dQ|1qZF=E;ASH2
z_pj+GT{*XXBooMn*h(?OLpkB@keG9FEnf<Rrp4TiZZoiRnEU{hT>``lm@%*}p%@_t
z?gAuCisN+L4Ce1mNsJ^I5mcTDw=Dw|H3_j+m$K?|Fv;vd`Z3hl5O*Qy!ZZbx-#JPP
z@`OU8w%UzJ51DY;BX%uEXn~O1O=6fWrmgyj%iP4d^8vb$Oz?hpfMx(gPdx97*B8od
zGly5s9a-5ofBB65;Yv$a&+wZ5k+pNzTsd~rma&%>KNrY0#!DZjy1s20T~@Ag$r7+n
zCSGJ>Nzxax`r}lp<Vsh-tZY6`Lj^%sMwKB@OgU1j3LJakV8_kNr>$=XG~8vFV&m90
zXHc$B<9LAc`bUDnwvg4Tkwc*cT%%TC)Qks$tq=(f05#l4th0eYGhTkw2|yARq&=>f
z*T&OU01AQ%%)Nuq3DPpmkO4SQgF(CKwUs=2n2XfvO=hDB6bdM_L7jogc@VT>RxQj)
zI8B-;O{RQw&}nN)L|XWi*X2${If^R;^Oee^$=zMk2hQCxuwp~s==%N@8-R1pTD)rh
z=IvvTJ~6iKiX)-Ij$m$?H@@DNfEW{sXZ@iRlyHhf9ux;UnvJ#3$aTzws=+|}7+``>
zLj%DC+5ie(eS+OQv-#46Jp(1U)>Y>HS+|*^^-fbj4l8n;j?N_A6?XgWYQ!$awRe$N
zz7_&2OlHbJhX7s%SsUR3HV=QNvK9taHc#820Ow)S(QVE;QPzfXJLNRMd9Wd5TeLMr
zks-GWDrud~$Wb;>BfM|{V+BEirL{r34we}B9HiG~Z{|GRnP@egFGQn!BHWuO@tGzF
zQtjQ-CUx|7&0jft+4;lkuUz@toBNk<+_dJZ2k+ni`O3>*Z|vEJiGCN&UE&LdxO|vz
zisvf+bjizQ1KD<8sRIhlNTrL4@fI(K#5$V{YHp<x2(lh1R>~i0=eZ!`qFp2d!mCYf
zx2Rz*HtY9vg@aHc1Q|zHf(FsDrtd+5MztxVW~3RS`DwH=s8%&1l@FbPf5=)`9Z!=M
zco%kq4IwBfE!Yrm)n)CvjNb%8C={kS7a}>F-3Sk()a$^bLS`Mzb8!wWEJFZs7*;5R
z^tx=2WzE(?*c-@l-3@#TpIBY&JSWW0O;zTVd*-&z=xpw)bPe_|UEecz`RYq|P8+#k
z-Qsn>Uw`%Qd*?k^tnT6p%cH5XKf0I>05MOO+CU48mO7G6U77Zo-trVMAaABZf_&v-
zfgA!#P^QAvE9iV4pEns#fKKKzfPP1jhN&%Oa0lA%1XAO*TVOQ}6zu{Ds$`J)jHhVS
zz_3qhQ~A(><P8}Np@NS743{q@GYuKO5$IYP*5~j+JMbEiK6#jhfu$Ruc7YNaW}_?x
zj{`zOf+hZw4gl+UiY8Ol$2I6|9=ow6=35%goF6TYhSDoTh0P6<*OWWXFZYa=r}kBP
zdIp#Gj;>#K-Cbpve5jv%U*Gb3x%BOJ|8NBgNpKSI85K-)YZWqN+~^NR6c{#=xzRJ9
zqO-8J3Em@8g3i`ui-q>d?bWI6lO|7UZm$%|`A~!bb?yV&TyWWtR>@d%F&_+D&QFQ8
zU~)>3@?dCTH5X8m5Jkq_WLBl@b+f&maPL}r2FcE)*_Cu~Ss=ZR<u*{<0#ABl2+HwX
zGQYFbzLN@WY$)zKf6e_1XWc!}I~3yvBFRKUSAExDMy#%(FNR7Ad1!4%s}=uy+ll|)
zW&hK!`u}S}Afx>st_kt-p-?u(L0Lctle4Dvm&?`F7heSip76Rjo4slyMm*vA4NW~;
zrp&v%Z}f`lyz_JI6zMb)%%!39wm@QYzI^?HnfuqDvwPvZp{|}Te*n}Svz>soEFi4P
z6?93Zgv^4{4Vo@N>wb`{LA(G?A{0%@@*h2NU4OaKl*@8_A<1!tY$l!IO7(oTTyD&R
zw#9n<w8^G}1w<~&;c$^AhYex`TDqW6f}{$oiKGf8y1)1gWU;k%MHtLX3Pr7zCQsC2
zv*<xJfoKncmXcr<W>#WlVAj?ciZsO|Evax@It^qIq5@3)l*9gdE|TNe#!SkQO1ON{
zFc;>z<nZG2`?~u|AdrOEQKx4Wn_8Hx)M3^08@kpvPg^r>!36+L-_o_Ps3_HDB%L4y
z!JGh3dnY-VRy0Z|ya<#Q{YU%n{P^K(FPmOj+uK<w);AaUFdJ~w6fEp;27^&9!a=>4
z<UFj$O4@xvkBhXKt+0AZ4Qm@gFt1Z-V1^Guwq!NTU8x|NL0hHM*jdu$x3AoK1qc>|
z#TtPXMh>^)|Enwi1J#wBDN>NT!@z5eEKkPkiBv17mF8dy)M3)?lG;4^7{|xM$*@1i
zB?{4CgmCn`1GAj$aykM!<tjF@Cfc|ml3VW$!@iNLUmPp5kqlH6rf|yU?Y4$vR4g0H
zxA^%A5C9OG{7}W#mzVYS`;$nsr$b21C43y=2@r0t)@qmQbt;Ws0<KzHr-bJHq)?Bj
zWU!_WCg>!Bhp%6Kc+V9d{NcuZmkxUzHkdJUd1$YPCK%U9-^GgtE^=F(8a)Z~MWDF>
zkpPkn+N8{20)0RMI;Gwq)}vWO&~bnN`jN+8KYZyeJJ(-*eN$VvC73ftOG+wiVYusA
z-r~>M63w=F5vE*J0Sxn}WJY72vgN(50^@)+vAwJlW_)LO<Fnb)vPf)&FT664SQklc
z;_A<f=9Y)EgWmAsAny+5U>45di-Uv%E3;q`280`k5*E8>X;0U-6@7PX7~FgD@YA=U
ze!chm?JwTG^6G)g!g?-9+G4T#75&#NAG~@&-zGKTR2yI?RcbTz0(yruI;{<gPoPXt
z@Zu&bv=w^m<8QyW=fy)io;Yy*1AEW??KUG<aHJblEDxHioJoKtZHZOPe$-ibt8sF;
z#h&s~sjw&EB~xxPLD6xeX_C=4%i>w=42}}aIi!Cb6<Wb076)=GgQ*J`ZYdoxSt*?(
zU=KueF0bB2gD?->w8XQa`i`N2zFRIlXZP=}diauc7x&Hdq)SvN;|ipV&HyYPV6FPa
zW};iCm%~yuv@0Qa082soJxsI6BoL*cx)vynl*R8gSy?K)bIb5U+m^p{_vUvVz5eh$
z7azQ9-5;)+eZlnll>^&W&A#rO!EH;YZvvGU>58Dx0~8RJ6dE)w0D7#}1S}WCSXc@J
zk|XG`559J2*HbUu`P6fFJ@woLH{CvCXr4Y^ulA*3-dG946s?DGx3YO-q@@0bbn~An
z2%=~I+}^J>QPe+me!<e=VR(mV`GlDZmoAvKWYWxe{r~*D?f=PA8<@JR6H6vY#X@-i
zGM!Q=f|dVbzP0a6+sJzV1ohUN?$1ItYI|a4Ah`IvLpcd~dHY{J{`dYRp<my;d&AlJ
zD>`Nsp1fr=tX+$JGVtvK=O1`|=^y`Ebo}<#jeD+q>WxpoyY0cJ4}bQ3b@s9guDbo9
zXWsn$Sfn(0aQUXIckF%k$QM5-VF576MxxsCAISu9sP+g}RwaTb7_prx_OIWnMo;iW
z+o8V%h?yTRKJW5eyQY6h@ZZS^=m8{Whn{>59^w}5tU_mabl{VJJi@<z0>?ieVeB1D
zjuO05sKnCP7uS{!yhH^b?Kd9VJ`3yQCMwR`{X7iFx>fXVhU(T9Q<)bJ+<xrxp8m7e
zOh|tC-Ia}RPl^3%<S$ch==|xupCo^bj$yu|!zcf=|HJPqlfNCN#V>za$B$umjA6Il
zH5+^38qd*RSD5*`U-$g3Bp4j%Y<%X(-XC9Gu<69~ZJ$Lx-*oxGqoXHoX*uKHJoISY
zNAJt)CVg|RTD}jvdFu7=t$a`M#hWX(l#Z>r;rK<Rn|d}LE4?xI?l<4ed_VPI@19p*
zdw&e8?v8C)TGxH>laDNO@@ucZYxLi)x^7ud`)>R^-7BU?e|%xilWiC5JnP@S{QiY6
z19R3dnxG33r3XKJtE*{t;U3NXTUNb_+XfcQ{$q9Ixm|^AA8FS$2uFU5Z$EL7SsK%^
zZ&x;bcH2{nu4R^MBPHxf`OpjNS0whO1U>7za}P?c>HKiZ+vM$uEqBhyyuV=cz%5TR
zFP-)E4Zk_NczP#2|I)!P-xCZyb9efkg@;bwj7dJdbpo+q$J$$$9_pEJcJq}u^*~$C
zPgk#fVhnqOIX1QX>w6Av$$lD}ZGGH&+dI_*p49Yx`;G|vGiT5X585-OKd(I+y5^Ps
zO{Ql*@7x!?X5;z6OAepuk(|8iIK{s_^x4;&s!K&{-x$Nl7q{Q}$&52abNFuElpV&)
znvXqN+ViFC?mGVF%lL!0f46S!)6Y}Q0~6kS>-Fd-%h&vceg8toqNk^lV+TK<I^(ju
z@+PzFz^}eLYr?)OhyFCdy2CQ-fiHXSdhCYdAAa$3Xzy!x+`T_y^xyvbcLl`5b!(Ro
zEf0-h-@iKZxeM=;{(Sa*h6`>ueBDE{-tF1E;KxtT{6ukb){gJ5OT933?^!#pdgR+L
zE?fHUcRhbT*>g4jnz)}nP2Y98NGe~q=ITd>(wFb~>&nw7wk-JK!Sz34Uk8O>?mb@l
zVXf8ohwJxFcmM6Y;-$hvOLjUAzBJlkFs}V->Su4Hm3Qw<T=tC8`u?lm_Z)xm!mn0v
z$$09k-QAdH$({J&+aCD(<h^_Unz}aK^x{{0-+AZ$555T9h?(x{{_w<~+IMX3eA-?y
zJ-VHLxc@%vM5vB@YR$4Q)(lk#TV8qQ$+I7uaby-hbhmN+@t23TemnHsoqGdkO+5EJ
z=DAhZzP5I2&(v?`51oC__Ep~bd#`;@aQSNuqBYA84ZX4G;{H1>Z&056>$xAl^}g@&
zwGE>S9gm%OXbd|v<%Zc0J%9g$G3@ZmqKAI{%;ej)>01<U9XQ+at1;~MeJe-yjoftU
ztO<|YjgKrl_{_SVy?+g#SbHvg&MnG&Uncjiy84x$p1I|zvkyKzY00i*)o*?GfBoun
zCj#$(`OUItCtPytBp|K-a;D<7q2+<0j-yAvo`3g}z1;%Q19Q&&Y5Tjs{UVroziPg8
z;_0`%KCe&J{pP0nFD5O1;;Ze71%JBVBDiB$@$r9OdtAILusHM13-9(cUv}<?$3<2B
z>=W-Ogbk9DcXa%4@xX|C?`3yI?7I2y9XxdVYligq@x%L8e%|=v(ClX#E_p?gJGuCg
z!z;t#%J24z-+1`TkCx6&?>~Os+M~C8cki9vIp2SCpYla)>reMC`~1Y(BVSUjH+Zd2
zO}fL9-@SA8&xx(SZ}K18^WZ%v8?Srt;-SaC8pDp>)%m{Yyztgrc3gRDK=|byM~{5k
zF+B9nS>~xtYZmT&*ZB0RUEj_7rhk`X{>L{S>CZQaBJ*$9KmF&>gkhWDyuVDb?LKl|
z@P?O{ADf(5@wZHx`t^>+p&NFcbIE92bK8MZ-5)3Z@ck?24n4kW>5kVM=f2%L_{Lk$
zHV}J{&R_QGjSudgIDMyR-4_?m`P;c<ZdZ5ZJO3pg+`Z<wal*5YF8_Af-tR8_TZ8Jp
z-@M*A`p(LSLiA1BcHv6$m_EJ#(FJ4Jk}>SQn^X6^f7t)?wA)7d&q`mnD<50-$fMhT
zy6WU7>H1e+dinmtiMoTo`t``feII^CHGlQSkyZEaHaquUV5E<YVV&>(e#3P??f>$`
z11gL7!NYrB`*C{X(Mf_US6;RL^i>yHUOlw%+vQ*X{Pfz$9qda>2Q}x%t6NWekS-lv
z)p^#R=kNO9+3=IW4_=dwVcebKBdN?B%c5Cxf1Y*V+Dz-u<eQlrKYZp-dfi)p_Vf>r
zU|&zLJbP#ioBryQYmz03V)sscwR!jZTjmh!?^yQDiBC3O`dl9@<!%tXGV#0a?~5PY
zl7C{!j)(Cv?D^q}|9R{5Thyxh(f7Jvx3{0M`pJ0g>4!VE_Rjo6^XJdo(wE=&)mM8$
z2S52%GH2rP;K|Oq1CF!bd+f;PpPn%O^@&3_t{Lk7VlAn#-#N4Wjy>8nU$6P&7*=|F
z467_Te(7T$e6vUO!-ns+2PR%Oh81KF?R)mYi$(jNny`M?72kF5`uPLL6f=pLZ`kqk
zocXC8J94{D#~$8iP{!AuTmJB#Yi>QTXlTp3*Ec{8>SSY`AK!fA!M6@S^+WplJzssf
zC;Z3*OFj(Teo4zUedk|tI<anLa18t6()N!&ZY%xy#HOFi+qd`Mv((tb-gWfjOP-&5
z_dRn)&R%oX5$^FHzJK)feId`RlUEdGJo8D&aop2=oMHN>KAYq5p%wDwpYMD8r}IV^
zKefSn>1R`I^Ikj<_-a%4GQ)dAbMC)P9KYa?ghGAwg5KZ$P$%lGZaIrT{p05ys}3Ar
THd#J>?2QkO9vW&ie)+!u!*(M0

literal 0
HcmV?d00001

diff --git a/tests/bugfixes/github/test_issue_853.py b/tests/bugfixes/github/test_issue_853.py
new file mode 100644
index 00000000..d7f62a3c
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_853.py
@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+
+class DenialOfServiceInAdjustTimeOverflow(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/853
+
+    The date parsing code in XMPUtils::ConvertToDate does not
+    check that the month and day are in bounds. This can cause a
+    denial of service in AdjustTimeOverflow because it adjusts
+    out-of-bounds days in a loop that subtracts one month per
+    iteration.
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/853"
+
+    filename = path("$data_path/issue_853_poc.jpg")
+    commands = ["$exiv2 $filename"]
+    stdout = [""]
+    stderr = [
+        """Exiv2 exception in print action for file $filename:
+Not a valid ICC Profile
+"""]
+    retval = [1]