From d16ca65b01188d28afbe5a52b1495ac0270dd95a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?=
Date: Thu, 31 Mar 2022 18:44:32 +0200
Subject: [PATCH 1/2] Fix out of bounds read in isValidBoxFileType()
---
 src/jp2image_int.cpp | 2 +-
 unitTests/test_jp2image_int.cpp | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/jp2image_int.cpp b/src/jp2image_int.cpp
index 9d67bc6c..c4a35638 100644
--- a/src/jp2image_int.cpp
+++ b/src/jp2image_int.cpp
@@ -11,7 +11,7 @@ namespace Exiv2::Internal {
 bool isValidBoxFileType(const std::vector& boxData) {
 // BR & MinV are obligatory (4 + 4 bytes). Afterwards we have N compatibility lists (of size 4)
- if ((boxData.size() - 8u) % 4u != 0) {
+ if (boxData.size() < 8 || ((boxData.size() - 8u) % 4u) != 0) {
 return false;
 }
diff --git a/unitTests/test_jp2image_int.cpp b/unitTests/test_jp2image_int.cpp
index 6af2bb2a..cd83c19b 100644
--- a/unitTests/test_jp2image_int.cpp
+++ b/unitTests/test_jp2image_int.cpp
@@ -58,6 +58,11 @@ TEST(Jp2_FileTypeBox, withInvalidBoxDataSizeIsInvalid) {
 ASSERT_FALSE(isValidBoxFileType(boxData));
 }
+TEST(Jp2_FileTypeBox, withSmallBoxDataSizeIsInvalid) {
+ std::vector boxData(7); // Minimum size is 8
+ ASSERT_FALSE(isValidBoxFileType(boxData));
+}
+
 TEST(Jp2_FileTypeBox, with2CLs_lastOneWithBrandValue_isValid) {
 std::vector boxData(16);
 // The first 4 bytes correspond to the BR (Brand). It must have the value 'jp2\040'
From 74622cf494d00ba77b3bfdacd4be46c00b80b914 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Thu, 31 Mar 2022 22:39:49 +0100
Subject: [PATCH 2/2] Add poc for fuzzing coverage.
---
 test/data/issue_2178_poc.jp2 | Bin 0 -> 80 bytes
 tests/regression_tests/test_regression_allfiles.py | 1 +
 2 files changed, 1 insertion(+)
 create mode 100644 test/data/issue_2178_poc.jp2
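Review bot: The guard added in `isValidBoxFileType()` (src/jp2image_int.cpp) carries no comment explaining why the length test has to come before the subtraction, and it mixes a plain `8` with `8u` inside one condition. `boxData.size()` is unsigned, so for inputs shorter than 8 bytes `boxData.size() - 8u` wraps around; lengths 0 and 4 wrap to a multiple of 4 and got past the removed condition. I would put `// size() is unsigned: test the minimum first, otherwise size() - 8u wraps for short boxes` above the `if` and write the literal as `8u` to match the rest of the expression. The function body continues outside the hunk, so the reads this guard presumably protects are not visible here.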
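Review bot: `withSmallBoxDataSizeIsInvalid` (unitTests/test_jp2image_int.cpp) uses a 7-byte vector, which the old condition already rejected: 7 - 8 wraps to an all-ones value whose remainder modulo 4 is 3, so the function returned false before the fix as well. The test therefore passes with or without the change in src/jp2image_int.cpp and does not pin the regression. The short lengths that slipped through are the ones that wrap to a multiple of 4, so the case should use `boxData(4)` and ideally `boxData(0)` too, each followed by `ASSERT_FALSE(isValidBoxFileType(boxData));`.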
diff --git a/test/data/issue_2178_poc.jp2 b/test/data/issue_2178_poc.jp2
new file mode 100644
index 0000000000000000000000000000000000000000..364deecd659427257ae439a05d545d9888850ac7
GIT binary patch literal 80 gcmZQzVBpCLP*C9IYUg4AveQZ`3lxY0|FJ0p0OM{8-2eap literal 0 HcmV?d00001
diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
index b47f876e..1e593caf 100644
--- a/tests/regression_tests/test_regression_allfiles.py
+++ b/tests/regression_tests/test_regression_allfiles.py
@@ -89,6 +89,7 @@ def get_valid_files(data_dir):
 "issue_869_poc.png",
 "issue_960.poc.webp",
 "issue_2160_poc.jpg",
+ "issue_2178_poc.jp2",
 "issue_ghsa_583f_w9pm_99r2_poc.jp2",
 "issue_ghsa_7569_phvm_vwc2_poc.jp2",
 "issue_ghsa_mxw9_qx4c_6m8v_poc.jp2",