Remove buffer overread in tExtToDataBuf

The pointer p is advanced in the while loop to step over three '\n'. However, its length is never reduced accordingly. => the length check in the following for loop is invalid, as it permits overreading by the number of characters that p was advanced by.
7 years ago · 8d5a3c7dd9
parent 67dc3e691f
commit 8d5a3c7dd9
1 changed files with 12 additions and 3 deletions
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@ -155,12 +155,21 @@ namespace Exiv2 {
        }

        // calculate length and allocate result;
+        // count: number of \n in the header
        long        count=0;
+        // p points to the current position in the array bytes
        const byte* p = bytes ;
-        // header is \nsomething\n number\n hex
-        while ( count < 3 )
-            if ( *p++ == '\n' )
+
+        // header is '\nsomething\n number\n hex'
+        // => increment p until it points to the byte after the last \n
+        //    p must stay within bounds of the bytes array!
+        while ((count < 3) && (p - bytes < length)) {
+            // length is later used for range checks of p => decrement it for each increment of p
+            --length;
+            if ( *p++ == '\n' ) {
                count++;
+            }
+        }
        for ( long i = 0 ; i < length ; i++ )
            if ( value[p[i]] )
                ++count;