From 8dc87a1214ac479a23fe390acb291a5c3288cbb4 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kev@semmle.com>
Date: Wed, 15 May 2019 07:58:38 +0100
Subject: [PATCH] Add bounds check. (#840)

---
 src/preview.cpp                         |   1 +
 test/data/issue_839_poc.rw2             | Bin 0 -> 2029 bytes
 tests/bugfixes/github/test_issue_839.py |  26 ++++++++++++++++++++++++
 3 files changed, 27 insertions(+)
 create mode 100644 test/data/issue_839_poc.rw2
 create mode 100644 tests/bugfixes/github/test_issue_839.py

diff --git a/src/preview.cpp b/src/preview.cpp
index f2242805..ed45566c 100644
--- a/src/preview.cpp
+++ b/src/preview.cpp
@@ -806,6 +806,7 @@ namespace {
                 }
                 else {
                     // FIXME: the buffer is probably copied twice, it should be optimized
+                    enforce(size_ <= static_cast<uint32_t>(io.size()), kerCorruptedMetadata);
                     DataBuf buf(size_);
                     uint32_t idxBuf = 0;
                     for (int i = 0; i < sizes.count(); i++) {
diff --git a/test/data/issue_839_poc.rw2 b/test/data/issue_839_poc.rw2
new file mode 100644
index 0000000000000000000000000000000000000000..1f6758c1a8f16f766d1cc3a761c3e1c5c8fcb8db
GIT binary patch
literal 2029
zcmd^8F%H5o5W8yuwJ@NHffpb#hJ}HN5gx#Q82KuHs3>-tCRfyfr4pi%Djef;e9`54
zy-6V=8(C{E3goaf;KFfRM&21srE2)OxKO)$Bz+EjNuJ+RC9@iA{CUAM!%^1rsC`d*
z)U1b|K1_Ph4k2b!wEhhnNVOMeSlcb<H%^**yXZKH$x!>v^0(yNjK2Y=vKMUGnR<$d
zS>tMHqyQ6e{BH=TEglkpvywi>@i^u)gVk8eLH;AZ)sKkNG*((jg%Ipwt4ojXz!fGT
z^}dSP_hF*iaLdS#81@&e{hWyDy?e!Nxc;l;UH(Go(K4JybDn~+e^_kP4vEJcoJ`J^
KpTdRwMUQVu8%vS^

literal 0
HcmV?d00001

diff --git a/tests/bugfixes/github/test_issue_839.py b/tests/bugfixes/github/test_issue_839.py
new file mode 100644
index 00000000..18476dd6
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_839.py
@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path, check_no_ASAN_UBSAN_errors
+
+
+class OutOfMemoryInLoaderTiffGetData(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/839
+
+    Due to a missing bounds check, this test triggers a 4GB memory
+    allocation. So the test will fail with a std::bad_alloc exception
+    if less than 4GB is available.  On Linux, you can use `ulimit -v
+    4000000` to reduce the available memory to slightly less than 4GB.
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/839"
+
+    filename = path("$data_path/issue_839_poc.rw2")
+    commands = ["$exiv2 $filename"]
+    stdout = [""]
+    stderr = [
+        """$exiv2_exception_message $filename:
+$kerCorruptedMetadata
+"""]
+    compare_stderr = check_no_ASAN_UBSAN_errors
+    retval = [1]