From dd4659ce2d904daafe43a9facc86ce8be6db646d Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Fri, 30 Jul 2021 22:38:51 +0100
Subject: [PATCH] Add bounds-check to prevent out-of-bounds read in memcmp.

(cherry picked from commit a6253799d4e3727e32e6412798dceca4200efdda)
---
 src/jpgimage.cpp | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/src/jpgimage.cpp b/src/jpgimage.cpp
index d111e45ae2..2ab22e5911 100644
--- a/src/jpgimage.cpp
+++ b/src/jpgimage.cpp
@@ -942,28 +942,35 @@ namespace Exiv2 {
 assert(markerHasLength(marker));
 assert(size >= 2); // Because this marker has a length field.
 insertPos = count + 1;
-} else if (skipApp1Exif == notfound && marker == app1_ && memcmp(buf.pData_ + 2, exifId_, 6) == 0) {
-enforce(size >= 8, kerNoImageInInputData);
+} else if (skipApp1Exif == notfound &&
+marker == app1_ &&
+size >= 8 && // prevent out-of-bounds read in memcmp on next line
+memcmp(buf.pData_ + 2, exifId_, 6) == 0) {
 skipApp1Exif = count;
 ++search;
 rawExif.alloc(size - 8);
 memcpy(rawExif.pData_, buf.pData_ + 8, size - 8);
-} else if (skipApp1Xmp == notfound && marker == app1_ && memcmp(buf.pData_ + 2, xmpId_, 29) == 0) {
-enforce(size >= 31, kerNoImageInInputData);
+} else if (skipApp1Xmp == notfound &&
+marker == app1_ &&
+size >= 31 && // prevent out-of-bounds read in memcmp on next line
+memcmp(buf.pData_ + 2, xmpId_, 29) == 0) {
 skipApp1Xmp = count;
 ++search;
-} else if (marker == app2_ && memcmp(buf.pData_ + 2, iccId_, 11) == 0) {
-enforce(size >= 31, kerNoImageInInputData);
+} else if (marker == app2_ &&
+size >= 13 && // prevent out-of-bounds read in memcmp on next line
+memcmp(buf.pData_ + 2, iccId_, 11) == 0) {
 skipApp2Icc.push_back(count);
 if (!foundIccData) {
 ++search;
 foundIccData = true;
 }
-} else if (!foundCompletePsData && marker == app13_ && memcmp(buf.pData_ + 2, Photoshop::ps3Id_, 14) == 0) {
+} else if (!foundCompletePsData &&
+marker == app13_ &&
+size >= 16 && // prevent out-of-bounds read in memcmp on next line
+memcmp(buf.pData_ + 2, Photoshop::ps3Id_, 14) == 0) {
 #ifdef EXIV2_DEBUG_MESSAGES
 std::cerr << "Found APP13 Photoshop PS3 segment\n";
 #endif
-enforce(size >= 16, kerNoImageInInputData);
 skipApp13Ps3.push_back(count);
 // Append to psBlob
 append(psBlob, buf.pData_ + 16, size - 16);
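Review bot: The APP2/ICC branch now accepts segments with 13 <= size < 31 that the removed `enforce(size >= 31, kerNoImageInInputData)` used to reject, so this hunk relaxes a validation threshold as well as moving the bounds check ahead of memcmp, and the commit message does not mention that. If nothing downstream reads past offset 13 of an ICC segment the new bound is correct, but that code is outside the hunk; either restore the old bound (`size >= 31 && // ICC: tag plus header bytes consumed later`) or put a comment on the `size >= 13` line stating why 13 bytes suffice for every later consumer. The other three branches change behaviour in the opposite direction: because the guard now precedes the tag comparison, a truncated APP1 Exif/XMP or APP13 segment silently falls through to the next else-if instead of raising kerNoImageInInputData, which deserves a one-line comment saying the fall-through is intended. The new checks are also only sound if `buf` actually holds `size` bytes here; the read that fills `buf` and the enclosing function both lie outside the hunk, so that invariant should be confirmed at the read site.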