Remove call to atol, which might read off the end of the buffer. (#870)

src/pngchunk_int.cpp

@@ -653,9 +653,17 @@ namespace Exiv2 {
             }
         }
 
-        const char* startOfLength = sp;
+        // Parse the length.
+        long length = 0;
         while ('0' <= *sp && *sp <= '9')
         {
+            // Compute the new length using unsigned long, so that we can
+            // check for overflow.
+            const unsigned long newlength = (10 * static_cast<unsigned long>(length)) + (*sp - '0');
+            if (newlength > static_cast<unsigned long>(std::numeric_limits<long>::max())) {
+                return DataBuf(); // Integer overflow.
+            }
+            length = static_cast<long>(newlength);
             sp++;
             if (sp == eot )
             {
@@ -667,8 +675,7 @@ namespace Exiv2 {
             return DataBuf();
         }
 
-        long length = (long) atol(startOfLength);
-        enforce(0 <= length && length <= (eot - sp)/2, Exiv2::kerCorruptedMetadata);
+        enforce(length <= (eot - sp)/2, Exiv2::kerCorruptedMetadata);
 
         // Allocate space
         if (length == 0)

tests/bugfixes/github/test_issue_845.py

@@ -18,6 +18,6 @@ class LargeAllocationInPngChunk(metaclass=CaseMeta):
     stdout = [""]
     stderr = [
         """$exiv2_exception_message $filename:
-$kerCorruptedMetadata
+Failed to read image data
 """]
     retval = [1]

tests/bugfixes/github/test_issue_869.py

@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+
+class OutOfBoundsReadInIptcParserDecode(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/869
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/869"
+
+    filename = path("$data_path/issue_869_poc.png")
+    commands = ["$exiv2 $filename"]
+    stdout = [""]
+    stderr = [
+        """Exiv2 exception in print action for file $filename:
+Failed to read image data
+"""
+]
+    retval = [1]