Fix more issues in PngChunk::readRawProfile

7 years ago · f5b40f3e82
parent 847da051c0
commit f5b40f3e82
4 changed files with 25 additions and 19 deletions
--- a/src/pngchunk_int.cpp
+++ b/src/pngchunk_int.cpp
@ -606,11 +606,6 @@ namespace Exiv2 {
    DataBuf PngChunk::readRawProfile(const DataBuf& text,bool iTXt)
    {
        DataBuf                 info;
-        register long           i;
-        register unsigned char *dp;
-        const char             *sp;
-        unsigned int            nibbles;
-        long                    length;
        unsigned char           unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
                                            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
                                            0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
@ -627,8 +622,7 @@ namespace Exiv2 {
            return  info;
        }

-
-        sp = (char*)text.pData_+1;
+        const char *sp = (char*)text.pData_+1;
        int pointerPos = 1;

        // Look for newline
@ -638,20 +632,30 @@ namespace Exiv2 {
            pointerPos++;
        }

+        // Look for length
+        while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
+        {
+            sp++;
+            pointerPos++;
+        }
+
        if (pointerPos == (text.size_ - 1))
        {
            return DataBuf();
        }

-        // Look for length
+        long length = (long) atol(sp);

-        while (*sp == '\0' || *sp == ' ' || *sp == '\n')
+        while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
+        {
            sp++;
+            pointerPos++;
+        }

-        length = (long) atol(sp);
-
-        while (*sp != ' ' && *sp != '\n')
-            sp++;
+        if (pointerPos == (text.size_ - 1))
+        {
+            return DataBuf();
+        }

        // Allocate space

@ -674,10 +678,10 @@ namespace Exiv2 {

        // Copy profile, skipping white space and column 1 "=" signs

-        dp      = (unsigned char*)info.pData_;
-        nibbles = length * 2;
+        unsigned char *dp = (unsigned char*)info.pData_;
+        unsigned int nibbles = length * 2;

-        for (i = 0; i < (long) nibbles; i++)
+        for (long i = 0; i < (long) nibbles; i++)
        {
            while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')
            {
--- a/test/data/issue_428_poc3.png
+++ b/test/data/issue_428_poc3.png
--- a/test/data/issue_428_poc4.png
+++ b/test/data/issue_428_poc4.png
--- a/tests/bugfixes/github/test_issue_428.py
+++ b/tests/bugfixes/github/test_issue_428.py
@ -9,15 +9,17 @@ class PngReadRawProfile(metaclass=system_tests.CaseMeta):

    filenames = [
        system_tests.path("$data_path/issue_428_poc1.png"),
-        system_tests.path("$data_path/issue_428_poc2.png")
+        system_tests.path("$data_path/issue_428_poc2.png"),
+        system_tests.path("$data_path/issue_428_poc3.png"),
+        system_tests.path("$data_path/issue_428_poc4.png"),
    ]

    commands = ["$exiv2 " + fname for fname in filenames]
-    stdout = [""] * 2
+    stdout = [""] * len(filenames)
    stderr = [
        """$exiv2_exception_message """ + fname + """:
 $kerFailedToReadImageData
 """
        for fname in filenames
    ]
-    retval = [1] * 2
+    retval = [1] * len(filenames)