Merge pull request #2194 from Exiv2/027_fix2179

[027] Fix integer overflow #2179
Exiv2 · Apr 6, 2022 · 036af47 · 036af47
2 parents 3409ddd + e54f5c9
commit 036af47
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/jpgimage.cpp b/src/jpgimage.cpp
@@ -288,14 +288,18 @@ namespace Exiv2 {
         // Write existing stuff after record,
         // skip the current and all remaining IPTC blocks
         long pos = sizeFront;
-        while (0 == Photoshop::locateIptcIrb(pPsData + pos, sizePsData - pos,
+        long nextSizeData = Safe::add<long>(sizePsData, -pos);
+        enforce(nextSizeData >= 0, kerCorruptedMetadata);
+        while (0 == Photoshop::locateIptcIrb(pPsData + pos, nextSizeData,
                                              &record, &sizeHdr, &sizeIptc)) {
             const long newPos = static_cast<long>(record - pPsData);
             // Copy data up to the IPTC IRB
             if (newPos > pos) {
                 append(psBlob, pPsData + pos, newPos - pos);
             }
             // Skip the IPTC IRB
+            nextSizeData = Safe::add<long>(sizePsData, -pos);
+            enforce(nextSizeData >= 0, kerCorruptedMetadata);
             pos = newPos + sizeHdr + sizeIptc + (sizeIptc & 1);
         }
         if (pos < sizePsData) {