From 1fc5ef40b15735e1b02ec752ec535c19831aafa6 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Thu, 25 Apr 2019 21:31:50 +0100
Subject: [PATCH] Avoid negative integer overflow when `iccOffset > chunkLength`. This fixes #790.
(cherry picked from commit 6fa2e31206127bd8bcac0269311f3775a8d6ea21)
---
 src/pngimage.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index 49c8336..435dd3b 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -40,6 +40,7 @@ EXIV2_RCSID("@(#) $Id$")
 #include "image_int.hpp"
 #include "basicio.hpp"
 #include "error.hpp"
+#include "enforce.hpp"
 #include "futils.hpp"
 #include "types.hpp"
@@ -480,6 +481,7 @@ namespace Exiv2 {
 }
 ++iccOffset; // +1 = 'compressed' flag
+ enforce(iccOffset <= dataOffset, Exiv2::kerCorruptedMetadata);
 zlibToDataBuf(cdataBuf.pData_ +iccOffset,dataOffset-iccOffset,iccProfile_);
 #ifdef DEBUG
-- 
1.8.3.1
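Review bot: The added `enforce(iccOffset <= dataOffset, Exiv2::kerCorruptedMetadata);` in the second hunk carries no comment saying what it protects, so a later refactor could move it below the `zlibToDataBuf` call or drop it unnoticed; I would put `// iccOffset can exceed dataOffset after the increment above; reject before dataOffset-iccOffset goes negative/wraps` directly above it. The guard still admits `iccOffset == dataOffset`, which passes a zero-length input to `zlibToDataBuf`; whether that helper tolerates an empty buffer is not visible here, so confirm it or tighten the comparison to `<`. The commit title speaks of `chunkLength` while this branch compares against `dataOffset`, so it is worth confirming that `dataOffset` really is the count of valid bytes in `cdataBuf` on this branch. The diffstat shows no test file, and a regression case with a truncated iCCP chunk would pin the fix. The enclosing function starts and ends outside the hunk.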