From cb2467834d118ae11526f7d24a699799ce5c4912 Mon Sep 17 00:00:00 2001
From: Jens Georg
Date: Sun, 6 Oct 2019 15:05:20 +0200
Subject: [PATCH 1/2] crwimage: Check offset and size against total size

Corrupted or specially crafted CRW images might exceed the overall buffersize.
Fixes #1019
(cherry picked from commit 683451567284005cd24e1ccb0a76ca401000968b)
---
 src/crwimage.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/crwimage.cpp b/src/crwimage.cpp
index 989c0eb8..a0978aaf 100644
--- a/src/crwimage.cpp
+++ b/src/crwimage.cpp
@@ -448,6 +448,9 @@ namespace Exiv2 {
 #ifdef DEBUG
 std::cout << "Reading directory 0x" << std::hex << tag() << "\n";
 #endif
+ if (this->offset() + this->size() > size)
+ throw Error(26);
+
 readDirectory(pData + offset(), this->size(), byteOrder);
 #ifdef DEBUG
 std::cout << "<---- 0x" << std::hex << tag() << "\n";
-- 
2.24.1
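Review bot: The added guard `this->offset() + this->size() > size` can itself wrap around if both accessors return fixed-width unsigned values (their types are not visible in this hunk), so a corrupted entry with a very large offset or size could yield a small sum, pass the check and still reach `readDirectory(pData + offset(), this->size(), byteOrder)` outside the buffer. Comparing without the addition avoids that: `if (this->offset() > size || this->size() > size - this->offset()) throw Error(26);`. A one-line comment stating that `size` is the length of the enclosing buffer, as opposed to `this->size()`, would also help, since the two names are easy to confuse when reading the condition. The enclosing function begins and ends outside the hunk.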