From 8cd95e221889e41e9cc153e2cfb5a7b41c7bc7a4 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Thu, 25 Apr 2019 21:42:54 +0100
Subject: [PATCH] Avoid negative integer overflow when `chunkLength == 0`. This fixes #789.
---
 src/pngimage.cpp | 10 +++++-----
 test/data/issue_789_poc1.png | Bin 0 -> 26 bytes
 tests/bugfixes/github/test_issue_789.py | 20 ++++++++++++++++++++
 3 files changed, 25 insertions(+), 5 deletions(-)
 create mode 100644 test/data/issue_789_poc1.png
 create mode 100644 tests/bugfixes/github/test_issue_789.py
diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index 4ccec39d..87cf980c 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -462,11 +462,11 @@ namespace Exiv2 {
 } else if (chunkType == "iCCP") {
 // The ICC profile name can vary from 1-79 characters.
 uint32_t iccOffset = 0;
- while (iccOffset < 80 && iccOffset < chunkLength) {
- if (chunkData.pData_[iccOffset++] == 0x00) {
- break;
- }
- }
+ do {
+ enforce(iccOffset < 80 && iccOffset < chunkLength,
+ Exiv2::kerCorruptedMetadata);
+ } while(chunkData.pData_[iccOffset++] != 0x00);
+
 profileName_ = std::string(reinterpret_cast(chunkData.pData_), iccOffset-1);
 ++iccOffset; // +1 = 'compressed' flag
 enforce(iccOffset <= chunkLength, Exiv2::kerCorruptedMetadata);
diff --git a/test/data/issue_789_poc1.png b/test/data/issue_789_poc1.png
new file mode 100644
index 0000000000000000000000000000000000000000..9d01361b2738ab7f2bfed49d72597d028d45d4f1
GIT binary patch literal 26 fcmeAS@N?(olHy_jf=p-Ufb7(=^8BjQqErR|Pf!NS literal 0 HcmV?d00001
diff --git a/tests/bugfixes/github/test_issue_789.py b/tests/bugfixes/github/test_issue_789.py
new file mode 100644
index 00000000..70fd9d17
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_789.py
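Review bot: In the `iCCP` branch of src/pngimage.cpp, the `do { enforce(...); } while(chunkData.pData_[iccOffset++] != 0x00);` loop leaves `iccOffset` one past the NUL terminator, and that post-condition (`iccOffset >= 1`) is the only thing that keeps the unsigned `iccOffset-1` on the `profileName_` line from wrapping, yet the code does not say so. I would add a comment above the `profileName_` assignment, for example `// iccOffset is now one past the NUL, so iccOffset >= 1 and iccOffset-1 is the name length`. Separately, a chunk whose first byte is 0x00 still produces an empty profile name although the comment above the loop states 1-79 characters; if empty names are meant to be rejected, `enforce(iccOffset > 1, Exiv2::kerCorruptedMetadata);` after the loop would do it. The `iCCP` branch continues past the end of this hunk, so how the remaining `chunkLength - iccOffset` bytes are consumed is not visible here.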
@@ -0,0 +1,20 @@
+import system_tests
+
+
+class SegvInPngImageReadMetadata(
+ metaclass=system_tests.CaseMeta):
+ """
+ Regression test for the bug described in:
+ https://github.com/Exiv2/exiv2/issues/789
+ """
+ url = "https://github.com/Exiv2/exiv2/issues/789"
+
+ filename = system_tests.path(
+ "$data_path/issue_789_poc1.png"
+ )
+ commands = ["$exiv2 $filename"]
+ stdout = [""]
+ stderr = [""]
+ retval = [1]
+
+ compare_stderr = system_tests.check_no_ASAN_UBSAN_errors
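Review bot: The docstring of `SegvInPngImageReadMetadata` only links the issue, so a reader cannot tell what the 26-byte PoC exercises or why `retval = [1]` is the expected outcome. I would extend it with one or two lines saying that the file triggers the `iCCP` parsing path fixed in src/pngimage.cpp (per the commit subject, the `chunkLength == 0` case) and that exiv2 must exit with an error rather than crash. Since `compare_stderr` is replaced, `stderr = [""]` is presumably not compared literally; a short comment next to it such as `# stderr is only scanned for sanitizer reports, see compare_stderr below` would avoid that misreading, assuming that is what `check_no_ASAN_UBSAN_errors` does.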