This commit fixes the heap-buffer-overflow in PngChunk::parseTXTChunk.
According to the specification:
http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html
There must be 2 null separators when we start to analyze the language tag.
- cdataBuf must be at least 8 bytes long otherwise decodeIHDRChunk
reads out of bounds
- pngImage::readMetadata now skips png chunks where the offset for
IHDR chunks is invalid
- added assertion into PngChunk::decodeIHDRChunk() to ensure dataBuf
size
- consider that key is advanced by 8 bytes if stripHeader is true
=> length is reduced by same amount
Fixed by adding offset to the check in the loop
- Rewrote loop so that keysize is checked before the next
iteration (preventing an out of bounds read)
Luis Diaz Mas
Dan Čermák