From 8e14663e34a43f4dcf62848d1494389c8f3c5da3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milo=C5=A1=20Komar=C4=8Devi=C4=87?=
Date: Thu, 11 May 2023 10:47:51 +0200
Subject: [PATCH] BMFF: fix handling of boxes w/ zero length or type (backport #2612)
---
 src/bmffimage.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/bmffimage.cpp b/src/bmffimage.cpp
index ce36428946..fcf9d38a92 100644
--- a/src/bmffimage.cpp
+++ b/src/bmffimage.cpp
@@ -134,7 +134,7 @@ namespace Exiv2
 // Allows boxHandler() to optimise the reading of files by identifying
 // box types that we're not interested in. Box types listed here must
 // not appear in the cases in switch (box_type) in boxHandler().
- return box == TAG_mdat; // mdat is where the main image lives and can be huge
+ return box == 0 || box == TAG_mdat; // mdat is where the main image lives and can be huge
 }

 std::string BmffImage::mimeType() const
@@ -238,6 +238,11 @@ namespace Exiv2
 box_length = getULongLong(data.pData_, endian_);
 }

+ if (box_length == 0) {
+ // Zero length is also valid and indicates box extends to the end of file.
+ box_length = pbox_end - address;
+ }
+
 // read data in box and restore file position
 long restore = io_->tell();
 enforce(box_length >= hdrsize, Exiv2::kerCorruptedMetadata);
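Review bot: The trailing comment on the changed `return` still explains only `TAG_mdat`, so the new `box == 0` term is undocumented at the one place a reader will look for the reason. The commit subject suggests a zero type is input that cannot be dispatched on, so I would split the comment, e.g. `// 0: box carries no usable type, nothing to parse (confirm intent)` on its own line above the return and keep the mdat remark on the return. The function's signature and opening brace are outside the hunk.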
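Review bot: In the added `if (box_length == 0)` block the comment says the box extends to the end of file, but the value assigned is `pbox_end - address`, which is the end of the enclosing box; the two only coincide at top level. The subtraction also relies on `address <= pbox_end`: the declarations of both operands are outside the hunk, and if `address` can pass `pbox_end` the result converts to a very large `box_length` that the visible `enforce(box_length >= hdrsize, ...)` does not reject. I would reword the comment to `// Zero length: box extends to the end of the enclosing box (end of file at top level).` and add `enforce(address <= pbox_end, Exiv2::kerCorruptedMetadata);` before the subtraction, unless an upper-bound check on `box_length` already follows outside the hunk. The enclosing function starts and ends outside the hunk.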