From 3ec4460c7e07f11245be7e4fdf6f196021ee45ae Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 4 Aug 2021 14:45:15 +0100
Subject: [PATCH 1/2] Regression test for
 https://github.com/Exiv2/exiv2/issues/1841

---
 test/data/issue_1841_poc.webp            | Bin 0 -> 52 bytes
 tests/bugfixes/github/test_issue_1841.py |  18 ++++++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 test/data/issue_1841_poc.webp
 create mode 100644 tests/bugfixes/github/test_issue_1841.py

diff --git a/test/data/issue_1841_poc.webp b/test/data/issue_1841_poc.webp
new file mode 100644
index 0000000000000000000000000000000000000000..1ea6e538dab306343a4fedd2ca40c6f57e2c0d09
GIT binary patch
literal 52
ucmWIYbaT^TU|<M$bqa8;$V}q^vi~#we+Z;h6@dg4K%|WfcZwZgU;qFt5epdr

literal 0
HcmV?d00001

diff --git a/tests/bugfixes/github/test_issue_1841.py b/tests/bugfixes/github/test_issue_1841.py
new file mode 100644
index 00000000..64640ebf
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_1841.py
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+class MemoryLeakWebPImageDecodeChunks(metaclass=CaseMeta):
+    """
+    Test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/1841
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/1841"
+
+    filename = path("$data_path/issue_1841_poc.webp")
+    commands = ["$exiv2 $filename"]
+    stdout = [""]
+    stderr = ["""$exiv2_exception_message $filename:
+This does not look like a TIFF image
+"""]
+    retval = [1]

From 5bc444ff007ce004170402029a0e57e28a9361d9 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 4 Aug 2021 15:04:58 +0100
Subject: [PATCH 2/2] Use DataBuf rather than raw malloc.

---
 src/webpimage.cpp | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/src/webpimage.cpp b/src/webpimage.cpp
index b880d57f..11311e01 100644
--- a/src/webpimage.cpp
+++ b/src/webpimage.cpp
@@ -546,7 +546,7 @@ namespace Exiv2 {
             const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian);
 
             // Check that `size_u32` is safe to cast to `long`.
-            enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()),
+            enforce(static_cast<uint64_t>(size_u32) <= static_cast<unsigned long>(std::numeric_limits<long>::max()),
                     Exiv2::kerCorruptedMetadata);
             const long size = static_cast<long>(size_u32);
 
@@ -671,27 +671,27 @@ namespace Exiv2 {
                     offset += 12;
                 }
 
-                const long sizePayload = payload.size_ + offset;
-                byte* rawExifData = new byte[sizePayload];
+                const long sizePayload = Safe::add(payload.size_, offset);
+                DataBuf rawExifData(sizePayload);
 
                 if (s_header) {
                     us2Data(size_buff2, static_cast<uint16_t>(sizePayload - 6), bigEndian);
-                    memcpy(rawExifData, reinterpret_cast<char*>(&exifLongHeader), 4);
-                    memcpy(rawExifData + 4, reinterpret_cast<char*>(&size_buff2), 2);
+                    memcpy(rawExifData.pData_, reinterpret_cast<char*>(&exifLongHeader), 4);
+                    memcpy(rawExifData.pData_ + 4, reinterpret_cast<char*>(&size_buff2), 2);
                 }
 
                 if (be_header || le_header) {
                     us2Data(size_buff2, static_cast<uint16_t>(sizePayload - 6), bigEndian);
-                    memcpy(rawExifData, reinterpret_cast<char*>(&exifLongHeader), 4);
-                    memcpy(rawExifData + 4, reinterpret_cast<char*>(&size_buff2), 2);
-                    memcpy(rawExifData + 6, reinterpret_cast<char*>(&exifShortHeader), 6);
+                    memcpy(rawExifData.pData_, reinterpret_cast<char*>(&exifLongHeader), 4);
+                    memcpy(rawExifData.pData_ + 4, reinterpret_cast<char*>(&size_buff2), 2);
+                    memcpy(rawExifData.pData_ + 6, reinterpret_cast<char*>(&exifShortHeader), 6);
                 }
 
-                memcpy(rawExifData + offset, payload.pData_, payload.size_);
+                memcpy(rawExifData.pData_ + offset, payload.pData_, payload.size_);
 
 #ifdef EXIV2_DEBUG_MESSAGES
                 std::cout << "Display Hex Dump [size:" << static_cast<unsigned long>(sizePayload) << "]" << std::endl;
-                std::cout << Internal::binaryToHex(rawExifData, sizePayload);
+                std::cout << Internal::binaryToHex(rawExifData.pData_, sizePayload);
 #endif
 
                 if (pos != -1) {
@@ -708,8 +708,6 @@ namespace Exiv2 {
 #endif
                     exifData_.clear();
                 }
-
-                delete [] rawExifData;
             } else if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_XMP)) {
                 readOrThrow(*io_, payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
                 xmpPacket_.assign(reinterpret_cast<char*>(payload.pData_), payload.size_);