Fix integer overflow by checking size against header_size

Note that the problem occurs when data_size is less than header_size what causes a buffer overflow in &data[i] Co-Authored-By: D4N <dan.cermak@cgc-instruments.com>
Exiv2 · Jul 15, 2019 · e925bc5 · e925bc5
1 parent a048325
commit e925bc5
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/webpimage.cpp b/src/webpimage.cpp
@@ -827,8 +827,9 @@ namespace Exiv2 {
         }
     }
 
-    long WebPImage::getHeaderOffset(byte *data, long data_size,
-                                    byte *header, long header_size) {
+    long WebPImage::getHeaderOffset(byte* data, long data_size, byte* header, long header_size)
+    {
+        if (data_size < header_size) { return -1; }
         long pos = -1;
         for (long i=0; i < data_size - header_size; i++) {
             if (memcmp(header, &data[i], header_size) == 0) {