From 36df4bc997d74ecc447e4541e2fc3fda10586103 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Fri, 10 Nov 2017 15:12:55 +0100
Subject: [PATCH 1/3] Fixed potential out of bounds file access

This commit adds a out-of-bounds protection in the case that the extracted values for offset & count are summed up larger than the size of the file. Also this function checks for overflows before performing the addition. This fixes #159
---
src/image.cpp | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/src/image.cpp b/src/image.cpp
index 338720fc..818af4e7 100644
--- a/src/image.cpp
+++ b/src/image.cpp
@@ -73,6 +73,7 @@ EXIV2_RCSID("@(#) $Id$")
#include
#include
#include
+#include
#include
#include
@@ -459,6 +460,12 @@ namespace Exiv2 {
io.seek(restore,BasicIo::beg);
}
} else if ( option == kpsRecursive && tag == 0x83bb /* IPTCNAA */ ) {
+ if (offset > std::numeric_limits::max() - count) {
+ throw Error(59);
+ }
+ if (static_cast(offset + count) > io.size()) {
+ throw Error(58);
+ }
size_t restore = io.tell(); // save
io.seek(offset,BasicIo::beg); // position
byte* bytes=new byte[count] ; // allocate memory

From 691fca42592662863e8bbf67377309cb26f06a5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Fri, 10 Nov 2017 15:18:31 +0100
Subject: [PATCH 2/3] Added reproducer for 159 to the test suite

---
test/bugfixes-test.sh | 7 +++++++
test/data/printStructure | Bin 0 -> 12357 bytes
2 files changed, 7 insertions(+)
create mode 100644 test/data/printStructure

diff --git a/test/bugfixes-test.sh b/test/bugfixes-test.sh
index 71e3973e..ed47c985 100755
--- a/test/bugfixes-test.sh
+++ b/test/bugfixes-test.sh
@@ -793,6 +793,13 @@ source ./functions.source
copyTestFile $filename
runTest exiv2 $filename
+ num=g159
+ printf "$num " >&3
+ filename=printStructure
+ echo '------>' Bug $filename '<-------' >&2
+ copyTestFile $filename
+ runTest exiv2 $filename
+
) 3>&1 > $results 2>&1
printf "\n"
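Review bot: The overflow guard `offset > std::numeric_limits<…>::max() - count` is only sound if the template argument (stripped in this rendering) names the common type of `offset` and `count` and the sum on the next check is evaluated in that same type, and the bare `Error(59)`/`Error(58)` codes give a reader no way to tell the two rejections apart; I would annotate them, e.g. `throw Error(59); // offset + count would wrap` and `throw Error(58); // IPTC block would extend past end of file`, and put `// validate before seeking/allocating so no raw buffer is live when we throw` above the first `if`, since the placement ahead of `new byte[count]` is what keeps the throws leak-free. The same offset/count pair drives the seek/allocate/read pattern in the sibling branch whose tail (`io.seek(restore,BasicIo::beg);`) is the hunk's first context line, and that branch is outside the hunk, so it is worth confirming it carries an equivalent guard. The enclosing function starts and ends outside the hunk, and the `io.read` that fills `bytes` is not visible, so whether a short read of fewer than `count` bytes is handled before the buffer is parsed cannot be judged from here.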
diff --git a/test/data/printStructure b/test/data/printStructure new file mode 100644 index 0000000000000000000000000000000000000000..daebe7a42daf71f7941eb52ba8ce9bba2039c6d1 GIT binary patch literal 12357 zcmeIuyA6Oa3Mwir8^(S>~7`qC_cutu-B|`;gl@ zH6+xhwakoL*>Y0vy_&STo`skcdY?%r+ftIqYWQ%NO2fB*pk1PBlyK!5-N0t5&U oAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0zVSi0rUL#TL1t6 literal 0 HcmV?d00001 From 7bae890ebf31725cae486986e2fa18dff3e19897 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Fri, 10 Nov 2017 15:18:47 +0100 Subject: [PATCH 3/3] Updated bugfixes-test.out --- test/data/bugfixes-test.out | Bin 1936382 -> 1936500 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/test/data/bugfixes-test.out b/test/data/bugfixes-test.out index e11674e29d8332fb8eda0df49c1330a3f906a667..c770a3fe0eeb50833c9adcd27add6162363abb95 100644 GIT binary patch delta 112 zcmex2z3j`3vW6DM7N!>F7M2#)7Pc1l7LFFq7OocV7M>Q~7QPn#7J(MQ7NHj57LgXw z7O@ub7Ks+g7O58L7MU%w|GKB^cggbb6%=LWl?0a*l_r;z7Nt&a+|Fo>E~eKhD-8g; Cekce4 delta 67 zcmV~$OBO-^006*8rO2m}^1Y_D#q1n_gE*SCXJ%i=V;Lub(8bkF