From 847a5e817ccdbc3bc4eb979c7c2425ef9a2d7243 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milo=C5=A1=20Komar=C4=8Devi=C4=87?=
 <miloskomarcevic@aim.com>
Date: Thu, 19 May 2022 15:09:51 +0200
Subject: [PATCH] Account for header bytes for Exif and XMP boxes (backport
 #2234)

---
 src/bmffimage.cpp | 42 ++++++++++++++++++++----------------------
 1 file changed, 20 insertions(+), 22 deletions(-)

diff --git a/src/bmffimage.cpp b/src/bmffimage.cpp
index 44874036e6..5dbfc6d226 100644
--- a/src/bmffimage.cpp
+++ b/src/bmffimage.cpp
@@ -482,10 +482,10 @@ namespace Exiv2
                 parseTiff(Internal::Tag::cmt4, box_length);
                 break;
             case TAG_exif:
-                parseTiff(Internal::Tag::root, box_length,address+8);
+                parseTiff(Internal::Tag::root, buffer_size, io_->tell());
                 break;
             case TAG_xml:
-                parseXmp(box_length,io_->tell());
+                parseXmp(buffer_size, io_->tell());
                 break;
             case TAG_thmb:
                 switch (version) {
@@ -568,29 +568,27 @@ namespace Exiv2
 
     void BmffImage::parseXmp(uint64_t length,uint64_t start)
     {
-        if (length > 8) {
-            enforce(start <= io_->size(), kerCorruptedMetadata);
-            enforce(length <= io_->size() - start, kerCorruptedMetadata);
-
-            long restore = io_->tell() ;
-            enforce(start <= static_cast<unsigned long>(std::numeric_limits<long>::max()), kerCorruptedMetadata);
-            io_->seek(static_cast<long>(start),BasicIo::beg);
+        enforce(start <= io_->size(), kerCorruptedMetadata);
+        enforce(length <= io_->size() - start, kerCorruptedMetadata);
 
-            enforce(length < static_cast<unsigned long>(std::numeric_limits<long>::max()), kerCorruptedMetadata);
-            DataBuf  xmp(static_cast<long>(length+1));
-            xmp.pData_[length]=0  ; // ensure xmp is null terminated!
-            if ( io_->read(xmp.pData_, static_cast<long>(length)) != static_cast<long>(length) )
-                throw Error(kerInputDataReadFailed);
-            if ( io_->error() )
-                throw Error(kerFailedToReadImageData);
-            try {
-                Exiv2::XmpParser::decode(xmpData(), std::string(reinterpret_cast<char*>(xmp.pData_)));
-            } catch (...) {
-                throw Error(kerFailedToReadImageData);
-            }
+        long restore = io_->tell() ;
+        enforce(start <= static_cast<unsigned long>(std::numeric_limits<long>::max()), kerCorruptedMetadata);
+        io_->seek(static_cast<long>(start),BasicIo::beg);
 
-            io_->seek(restore,BasicIo::beg);
+        enforce(length < static_cast<unsigned long>(std::numeric_limits<long>::max()), kerCorruptedMetadata);
+        DataBuf  xmp(static_cast<long>(length+1));
+        xmp.pData_[length]=0  ; // ensure xmp is null terminated!
+        if ( io_->read(xmp.pData_, static_cast<long>(length)) != static_cast<long>(length) )
+            throw Error(kerInputDataReadFailed);
+        if ( io_->error() )
+            throw Error(kerFailedToReadImageData);
+        try {
+            Exiv2::XmpParser::decode(xmpData(), std::string(reinterpret_cast<char*>(xmp.pData_)));
+        } catch (...) {
+            throw Error(kerFailedToReadImageData);
         }
+
+        io_->seek(restore,BasicIo::beg);
     }
 
     void BmffImage::parseCr3Preview(DataBuf &data,