crwimage: Check offset and size against total size

Corrupted or specially crafted CRW images might exceed the overall buffersize. Fixes Exiv2#1019
1div0 · Jun 7, 2020 · af86dba · af86dba
1 parent 8bd17c6
commit af86dba
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
@@ -270,6 +270,9 @@ namespace Exiv2 {
 #ifdef EXIV2_DEBUG_MESSAGES
         std::cout << "Reading directory 0x" << std::hex << tag() << "\n";
 #endif
+        if (this->offset() + this->size() > size)
+            throw Error(kerOffsetOutOfRange);
+
         readDirectory(pData + offset(), this->size(), byteOrder);
 #ifdef EXIV2_DEBUG_MESSAGES
         std::cout << "<---- 0x" << std::hex << tag() << "\n";