Avoid negative integer overflow when `chunkLength == 0`.

This fixes #789.

src/pngimage.cpp

@@ -462,11 +462,11 @@ namespace Exiv2 {
                 } else if (chunkType == "iCCP") {
                     // The ICC profile name can vary from 1-79 characters.
                     uint32_t iccOffset = 0;
-                    while (iccOffset < 80 && iccOffset < chunkLength) {
+                    do {
-                         if (chunkData.pData_[iccOffset++] ==  0x00) {
+                      enforce(iccOffset < 80 && iccOffset < chunkLength,
-                            break;
+                              Exiv2::kerCorruptedMetadata);
-                         }
+                    } while(chunkData.pData_[iccOffset++] != 0x00);
-                    }
+
                     profileName_ = std::string(reinterpret_cast<char *>(chunkData.pData_), iccOffset-1);
                     ++iccOffset; // +1 = 'compressed' flag
                     enforce(iccOffset <= chunkLength, Exiv2::kerCorruptedMetadata);

tests/bugfixes/github/test_issue_789.py

@@ -0,0 +1,20 @@
+import system_tests
+
+
+class SegvInPngImageReadMetadata(
+        metaclass=system_tests.CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/789
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/789"
+
+    filename = system_tests.path(
+        "$data_path/issue_789_poc1.png"
+    )
+    commands = ["$exiv2 $filename"]
+    stdout = [""]
+    stderr = [""]
+    retval = [1]
+
+    compare_stderr = system_tests.check_no_ASAN_UBSAN_errors