From bf151a17a3284460b7c69e0c27ba182f0cb1d00a Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Mon, 5 Sep 2022 23:43:35 +0100
Subject: [PATCH] Don't allow zero width/height in WebPImage::inject_VP8X

---
 src/webpimage.cpp                             |   2 ++
 test/data/issue_2270_poc.webp                 | Bin 0 -> 114 bytes
 tests/bugfixes/github/test_issue_2270.py      |  20 ++++++++++++++++++
 .../test_regression_allfiles.py               |   1 +
 4 files changed, 23 insertions(+)
 create mode 100644 test/data/issue_2270_poc.webp
 create mode 100644 tests/bugfixes/github/test_issue_2270.py

diff --git a/src/webpimage.cpp b/src/webpimage.cpp
index ff595c23..861963da 100644
--- a/src/webpimage.cpp
+++ b/src/webpimage.cpp
@@ -752,12 +752,14 @@ void WebPImage::inject_VP8X(BasicIo& iIo, bool has_xmp, bool has_exif, bool has_
   }
 
   /* set width - stored in 24bits*/
+  enforce(width > 0, Exiv2::ErrorCode::kerCorruptedMetadata);
   uint32_t w = width - 1;
   data[4] = w & 0xFF;
   data[5] = (w >> 8) & 0xFF;
   data[6] = (w >> 16) & 0xFF;
 
   /* set height - stored in 24bits */
+  enforce(width > 0, Exiv2::ErrorCode::kerCorruptedMetadata);
   uint32_t h = height - 1;
   data[7] = h & 0xFF;
   data[8] = (h >> 8) & 0xFF;
diff --git a/test/data/issue_2270_poc.webp b/test/data/issue_2270_poc.webp
new file mode 100644
index 0000000000000000000000000000000000000000..6e2c4211c920090d680d6f1ebc778ac65ceb7407
GIT binary patch
literal 114
zcmWIYbaTsMU|<M$bqZhy(xyNx0L1)Y<meONp$z14iYq91IzRZ()e)gEdD}$;|HOZ$
zZ|634{1f)M6mr|pb=hr3hOht&1qGnm0!D_pj9MU5_z(P3UBFbr=)l16@0Qxssy#c!
I4lpnP03oR#)&Kwi

literal 0
HcmV?d00001

diff --git a/tests/bugfixes/github/test_issue_2270.py b/tests/bugfixes/github/test_issue_2270.py
new file mode 100644
index 00000000..38c4e269
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_2270.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path
+@CopyTmpFiles("$data_path/issue_2270_poc.webp")
+
+class WebPImage_inject_VP8X_integer_overflow(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/2270
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/2270"
+
+    filename = path("$tmp_path/issue_2270_poc.webp")
+    commands = ["$exiv2 rm $filename"]
+    stdout = [""]
+    stderr = [
+        """$exception_in_erase """ + filename + """:
+$kerCorruptedMetadata
+"""]
+    retval = [1]
diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
index f0736bd8..b1dce5fa 100644
--- a/tests/regression_tests/test_regression_allfiles.py
+++ b/tests/regression_tests/test_regression_allfiles.py
@@ -94,6 +94,7 @@ def get_valid_files(data_dir):
         "issue_2160_poc.jpg",
         "issue_2178_poc.jp2",
         "issue_2268_poc.jp2",
+        "issue_2270_poc.webp",
         "issue_2320_poc.jpg",
         "issue_2339_poc.tiff",
         "issue_ghsa_583f_w9pm_99r2_poc.jp2",