From 38a7733b0b5c0d3753858479c0f9ba646976808c Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Sat, 31 Jul 2021 14:38:41 +0100
Subject: [PATCH 1/3] Regression test for
 https://github.com/Exiv2/exiv2/issues/1817

---
 test/data/issue_1817_poc.png             | Bin 0 -> 41 bytes
 tests/bugfixes/github/test_issue_1817.py |  23 +++++++++++++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 test/data/issue_1817_poc.png
 create mode 100644 tests/bugfixes/github/test_issue_1817.py

diff --git a/test/data/issue_1817_poc.png b/test/data/issue_1817_poc.png
new file mode 100644
index 0000000000000000000000000000000000000000..5b43d50a7e6e389bee2fa27a4325df5a9a40527b
GIT binary patch
literal 41
icmeAS@N?(olHy_jg477lG!P924Nw|LdAj<!FaQ8_L<F_~

literal 0
HcmV?d00001

diff --git a/tests/bugfixes/github/test_issue_1817.py b/tests/bugfixes/github/test_issue_1817.py
new file mode 100644
index 0000000000..83761874b8
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_1817.py
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+class MemoryLeakInPngImagePrintStructure(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/1817
+
+    Note: the test only fails in an ASAN build.
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/1817"
+
+    filename = path("$data_path/issue_1817_poc.png")
+    commands = ["$exiv2 -pS $filename"]
+    stdout = ["""STRUCTURE OF PNG FILE: $filename
+ address | chunk |  length | data                           | checksum
+       8 | eXIf  |       0 |                                | 0x00000000
+"""]
+    stderr = ["""$exiv2_exception_message $filename:
+$kerCorruptedMetadata
+"""]
+    retval = [1]

From b8ed3867c06358155fcba61ba4255d41f7be27e7 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Sat, 31 Jul 2021 14:39:11 +0100
Subject: [PATCH 2/3] Use DataBuf, rather than new[], for automatic delete when
 an exception is throw.

---
 src/pngimage.cpp | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index a6a039b6af..113dcf4f68 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -317,28 +317,29 @@ namespace Exiv2 {
 
                 if( bDump ) {
                     DataBuf   dataBuf;
-                    auto data = new byte[dataOffset + 1];
-                    data[dataOffset] = 0;
-                    bufRead = io_->read(data,dataOffset);
+                    enforce(static_cast<uint64_t>(dataOffset) < static_cast<unsigned long>(std::numeric_limits<long>::max()), kerFailedToReadImageData);
+                    DataBuf data(static_cast<long>(dataOffset) + 1);
+                    data.pData_[dataOffset] = 0;
+                    bufRead = io_->read(data.pData_, static_cast<long>(dataOffset));
                     enforce(bufRead == static_cast<long>(dataOffset), kerFailedToReadImageData);
                     io_->seek(restore, BasicIo::beg);
-                    uint32_t name_l = static_cast<uint32_t>(std::strlen(reinterpret_cast<const char*>(data))) +
-                                      1;  // leading string length
-                    enforce(name_l <= dataOffset, kerCorruptedMetadata);
+                    size_t name_l = std::strlen(reinterpret_cast<const char*>(data.pData_)) +
+                                    1; // leading string length
+                    enforce(name_l < dataOffset, kerCorruptedMetadata);
 
-                    uint32_t  start  = name_l;
+                    uint32_t  start  = static_cast<uint32_t>(name_l);
                     bool      bLF    = false;
 
                     // decode the chunk
                     bool bGood = false;
                     if ( tEXt ) {
-                        bGood = tEXtToDataBuf(data+name_l,dataOffset-name_l,dataBuf);
+                        bGood = tEXtToDataBuf(data.pData_ + name_l, dataOffset-name_l, dataBuf);
                     }
                     if ( zTXt || iCCP ) {
-                        bGood = zlibToDataBuf(data+name_l+1,dataOffset-name_l-1,dataBuf); // +1 = 'compressed' flag
+                        bGood = zlibToDataBuf(data.pData_ + name_l + 1, dataOffset - name_l - 1, dataBuf); // +1 = 'compressed' flag
                     }
                     if ( iTXt ) {
-                        bGood = (start+3) < dataOffset ;    // good if not a nul chunk
+                        bGood = (3 <= dataOffset) && (start < dataOffset-3); // good if not a nul chunk
                     }
                     if ( eXIf ) {
                         bGood = true ;// eXIf requires no pre-processing)
@@ -347,8 +348,8 @@ namespace Exiv2 {
                     // format is content dependent
                     if ( bGood ) {
                         if ( bXMP ) {
-                            while (start < dataOffset && !data[start]) start++; // skip leading nul bytes
-                            out <<  data+start;             // output the xmp
+                            while (start < dataOffset && !data.pData_[start]) start++; // skip leading nul bytes
+                            out <<  data.pData_ + start;             // output the xmp
                         }
 
                         if ( bExif || bIptc ) {
@@ -389,13 +390,12 @@ namespace Exiv2 {
                         }
                         if ( eXIf && option == kpsRecursive ) {
                             // create memio object with the data, then print the structure
-                            BasicIo::UniquePtr p = BasicIo::UniquePtr(new MemIo(data,dataOffset));
+                            BasicIo::UniquePtr p = BasicIo::UniquePtr(new MemIo(data.pData_, dataOffset));
                             printTiffStructure(*p,out,option,depth);
                         }
 
                         if ( bLF ) out << std::endl;
                     }
-                    delete[] data;
                 }
                 io_->seek(dataOffset+4, BasicIo::cur);// jump past checksum
                 if (io_->error()) throw Error(kerFailedToReadImageData);

From c641116b257e11d0fe9141acc9563dd197b56db3 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Sat, 31 Jul 2021 22:23:27 +0100
Subject: [PATCH 3/3] Add static_cast to fix build error on Windows.

---
 src/pngimage.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index 113dcf4f68..a86c154aa2 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -333,10 +333,10 @@ namespace Exiv2 {
                     // decode the chunk
                     bool bGood = false;
                     if ( tEXt ) {
-                        bGood = tEXtToDataBuf(data.pData_ + name_l, dataOffset-name_l, dataBuf);
+                        bGood = tEXtToDataBuf(data.pData_ + name_l, static_cast<unsigned long>(dataOffset - name_l), dataBuf);
                     }
                     if ( zTXt || iCCP ) {
-                        bGood = zlibToDataBuf(data.pData_ + name_l + 1, dataOffset - name_l - 1, dataBuf); // +1 = 'compressed' flag
+                        bGood = zlibToDataBuf(data.pData_ + name_l + 1, static_cast<unsigned long>(dataOffset - name_l - 1), dataBuf); // +1 = 'compressed' flag
                     }
                     if ( iTXt ) {
                         bGood = (3 <= dataOffset) && (start < dataOffset-3); // good if not a nul chunk