From c0ecc2ae36f34462be98623deb85ba1747ae2175 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse Date: Mon, 13 May 2019 16:56:29 +0100 Subject: [PATCH] Avoid integer overflow. --- src/crwimage.cpp | 4 ++-- tests/bugfixes/github/test_issue_843.py | 22 ++++++++++++++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) create mode 100644 tests/bugfixes/github/test_issue_843.py diff --git a/src/crwimage.cpp b/src/crwimage.cpp index c2fd5f3a5..4080c0787 100644 --- a/src/crwimage.cpp +++ b/src/crwimage.cpp @@ -281,7 +281,7 @@ namespace Exiv2 { if (size < 4) throw Error(33); uint32_t o = getULong(pData + size - 4, byteOrder); - if ( o+2 > size ) + if ( o > size-2 ) throw Error(33); uint16_t count = getUShort(pData + o, byteOrder); #ifdef DEBUG @@ -289,7 +289,7 @@ namespace Exiv2 { <<", " << count << " entries \n"; #endif o += 2; - if ( (o + (count * 10)) > size ) + if ( static_cast(count) * 10 > size-o ) throw Error(33); for (uint16_t i = 0; i < count; ++i) { diff --git a/tests/bugfixes/github/test_issue_843.py b/tests/bugfixes/github/test_issue_843.py new file mode 100644 index 000000000..2df9c1cf8 --- /dev/null +++ b/tests/bugfixes/github/test_issue_843.py @@ -0,0 +1,22 @@ +# -*- coding: utf-8 -*- + +from system_tests import CaseMeta, path + + +class IntegerOverflowInCiffDirectoryReadDirectory(metaclass=CaseMeta): + """ + Regression test for the bug described in: + https://github.com/Exiv2/exiv2/issues/843 + + An integer overflow causes an out-of-bounds read. + """ + url = "https://github.com/Exiv2/exiv2/issues/843" + + filename = path("$data_path/issue_843_poc.crw") + commands = ["$exiv2 $filename"] + stdout = [""] + stderr = [ + """$exiv2_exception_message $filename: +$kerCorruptedMetadata +"""] + retval = [1]
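Review bot: The rewritten guard `if ( o > size-2 )` is free of wraparound only because `if (size < 4) throw Error(33);` runs two lines earlier, and nothing in the code records that dependency. I would add a comment above it such as `// size >= 4 was checked above, so size-2 cannot wrap`. The second hunk relies on the same chain: `size-o` is safe only because this check leaves `o <= size-2` before `o += 2`, which deserves `// o <= size here, so size-o cannot wrap`. The function starts and ends outside the hunk, so the type of `size` is not visible; this reasoning assumes it is an unsigned 32-bit value like `o`.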
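Review bot: The entry size `10` in `static_cast(count) * 10 > size-o` is a bare literal, and the check only covers every read if the loop that follows advances `o` by the same amount per entry; that loop body is outside the hunk. A named constant shared by the check and the loop, for example `const uint32_t kEntrySize = 10;`, would keep the two from drifting apart. The cast is shown without a target type, which looks like a rendering loss on this page; its target should be the type of `size` so that the comparison is done on unsigned values.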
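Review bot: `filename = path("$data_path/issue_843_poc.crw")` names a sample file that this patch does not add; the diffstat lists only `src/crwimage.cpp` and the test itself. If the file is not committed elsewhere, the test would fail on a missing input rather than exercise the new bounds check. It may arrive in a separate commit, so this is worth confirming before merge. The docstring could also name the function being guarded, which the class name suggests is the CIFF directory reader, so that a future failure points straight at the check.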