From f5b40f3e82da9b3968f23534a453ddcc80a9a0fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
Date: Mon, 3 Sep 2018 08:51:08 +0200
Subject: [PATCH] Fix more issues in PngChunk::readRawProfile

---
 src/pngchunk_int.cpp                    |  36 +++++++++++++-----------
 test/data/issue_428_poc3.png            | Bin 0 -> 512 bytes
 test/data/issue_428_poc4.png            | Bin 0 -> 188 bytes
 tests/bugfixes/github/test_issue_428.py |   8 ++++--
 4 files changed, 25 insertions(+), 19 deletions(-)
 create mode 100644 test/data/issue_428_poc3.png
 create mode 100644 test/data/issue_428_poc4.png

diff --git a/src/pngchunk_int.cpp b/src/pngchunk_int.cpp
index 755872c9..9b3faf1a 100644
--- a/src/pngchunk_int.cpp
+++ b/src/pngchunk_int.cpp
@@ -606,11 +606,6 @@ namespace Exiv2 {
     DataBuf PngChunk::readRawProfile(const DataBuf& text,bool iTXt)
     {
         DataBuf                 info;
-        register long           i;
-        register unsigned char *dp;
-        const char             *sp;
-        unsigned int            nibbles;
-        long                    length;
         unsigned char           unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
                                             0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
                                             0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
@@ -627,8 +622,7 @@ namespace Exiv2 {
             return  info;
         }
 
-
-        sp = (char*)text.pData_+1;
+        const char *sp = (char*)text.pData_+1;
         int pointerPos = 1;
 
         // Look for newline
@@ -638,20 +632,30 @@ namespace Exiv2 {
             pointerPos++;
         }
 
+        // Look for length
+        while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
+        {
+            sp++;
+            pointerPos++;
+        }
+
         if (pointerPos == (text.size_ - 1))
         {
             return DataBuf();
         }
 
-        // Look for length
+        long length = (long) atol(sp);
 
-        while (*sp == '\0' || *sp == ' ' || *sp == '\n')
+        while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
+        {
             sp++;
+            pointerPos++;
+        }
 
-        length = (long) atol(sp);
-
-        while (*sp != ' ' && *sp != '\n')
-            sp++;
+        if (pointerPos == (text.size_ - 1))
+        {
+            return DataBuf();
+        }
 
         // Allocate space
 
@@ -674,10 +678,10 @@ namespace Exiv2 {
 
         // Copy profile, skipping white space and column 1 "=" signs
 
-        dp      = (unsigned char*)info.pData_;
-        nibbles = length * 2;
+        unsigned char *dp = (unsigned char*)info.pData_;
+        unsigned int nibbles = length * 2;
 
-        for (i = 0; i < (long) nibbles; i++)
+        for (long i = 0; i < (long) nibbles; i++)
         {
             while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')
             {
diff --git a/test/data/issue_428_poc3.png b/test/data/issue_428_poc3.png
new file mode 100644
index 0000000000000000000000000000000000000000..ae6fa0a721b00b113e0f8f39550bfa98b5a798e5
GIT binary patch
literal 512
zcmeAS@N?(olHy`uVBq!ia0vp^x<D+$!3HG1+L%oOQtg=`5hX#1<q8Ew`DvLssR|{P
z1*r<D6`5)O|Nn0Y?Yqr+*nx-Tf2gb1h1Xv+)MIiy*fs5i(u*tXmZS<cKLDD*0mN*K
z%nXb`nhA&*7~Fx_fl-}7f`Q>Ry9`kFKLcEr3#t;N`U4{e!#kigAT|ht2)I5V7iKC*
z4rt3WK}J!al9xanD4(Mbv}+~<Lkmz+oRJHxAEZv4kwX$hGyMO^Ajl{T76-YIp#fqK
z55wF4F!d03a(x7;M>Yp44%Q12$LeN&oNg8XnFqo^dwC&l2JtCzGs2HVxcOx>&~j-;
GRt5n77D`<J

literal 0
HcmV?d00001

diff --git a/test/data/issue_428_poc4.png b/test/data/issue_428_poc4.png
new file mode 100644
index 0000000000000000000000000000000000000000..03d689c5ee400758923779d75724ad6ae2d9827a
GIT binary patch
literal 188
zcmeAS@N?(olHy`uVBqy+U<?A%x<D+$!3HG1+L%oOQn{HS5hX#1<q8Ew`DvLssR|{P
z1*r<D6`5&3Nk%B<U|@JA$S4Zs2g>K@GchpCWMF6kDiCMnf~yl}<d6jEVfg=%L6A`x
iEDqGmz|ipjKS-R1;q8BzdSt!sKsg7fIUsRqMpgh^B^tc|

literal 0
HcmV?d00001

diff --git a/tests/bugfixes/github/test_issue_428.py b/tests/bugfixes/github/test_issue_428.py
index 82162520..e161a527 100644
--- a/tests/bugfixes/github/test_issue_428.py
+++ b/tests/bugfixes/github/test_issue_428.py
@@ -9,15 +9,17 @@ class PngReadRawProfile(metaclass=system_tests.CaseMeta):
 
     filenames = [
         system_tests.path("$data_path/issue_428_poc1.png"),
-        system_tests.path("$data_path/issue_428_poc2.png")
+        system_tests.path("$data_path/issue_428_poc2.png"),
+        system_tests.path("$data_path/issue_428_poc3.png"),
+        system_tests.path("$data_path/issue_428_poc4.png"),
     ]
 
     commands = ["$exiv2 " + fname for fname in filenames]
-    stdout = [""] * 2
+    stdout = [""] * len(filenames)
     stderr = [
         """$exiv2_exception_message """ + fname + """:
 $kerFailedToReadImageData
 """
         for fname in filenames
     ]
-    retval = [1] * 2
+    retval = [1] * len(filenames)