exiv2/0002-CVE-2018-19535.patch

From cf3ba049a2792ec2a4a877e343f5dd9654da53dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
Date: Mon, 3 Sep 2018 08:51:08 +0200
Subject: [PATCH] Fix more issues in PngChunk::readRawProfile

---
 src/pngchunk.cpp                    |  36 +++++++++++++-----------
 1 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
index 755872c94..9b3faf1aa 100644
--- a/src/pngchunk.cpp
+++ b/src/pngchunk.cpp
@@ -606,11 +606,6 @@ namespace Exiv2 {
     DataBuf PngChunk::readRawProfile(const DataBuf& text,bool iTXt)
     {
         DataBuf                 info;
-        register long           i;
-        register unsigned char *dp;
-        const char             *sp;
-        unsigned int            nibbles;
-        long                    length;
         unsigned char           unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
                                             0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
                                             0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
@@ -627,8 +622,7 @@ namespace Exiv2 {
             return  info;
         }
 
-
-        sp = (char*)text.pData_+1;
+        const char *sp = (char*)text.pData_+1;
         int pointerPos = 1;
 
         // Look for newline
@@ -638,20 +632,30 @@ namespace Exiv2 {
             pointerPos++;
         }
 
+        // Look for length
+        while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
+        {
+            sp++;
+            pointerPos++;
+        }
+
         if (pointerPos == (text.size_ - 1))
         {
             return DataBuf();
         }
 
-        // Look for length
+        long length = (long) atol(sp);
 
-        while (*sp == '\0' || *sp == ' ' || *sp == '\n')
+        while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
+        {
             sp++;
+            pointerPos++;
+        }
 
-        length = (long) atol(sp);
-
-        while (*sp != ' ' && *sp != '\n')
-            sp++;
+        if (pointerPos == (text.size_ - 1))
+        {
+            return DataBuf();
+        }
 
         // Allocate space
 
@@ -674,10 +678,10 @@ namespace Exiv2 {
 
         // Copy profile, skipping white space and column 1 "=" signs
 
-        dp      = (unsigned char*)info.pData_;
-        nibbles = length * 2;
+        unsigned char *dp = (unsigned char*)info.pData_;
+        unsigned int nibbles = length * 2;
 
-        for (i = 0; i < (long) nibbles; i++)
+        for (long i = 0; i < (long) nibbles; i++)
         {
             while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')
             {