An integer overflow in src/pngimage.cpp#L306

[legend-issue]

$rax   : 0x0000000000000000
$rbx   : 0x0000000000ec10a0  →  "XML:com.adobe.xmp<?xpacket begin=" " id="W5M0MpCeh[...]"
$rcx   : 0x000000000001d62f
$rdx   : 0x00000000000001df
$rsp   : 0x00007fffffffdaa0  →  0x0000000000ec0db0  →  0x00007ffffbad2488
$rbp   : 0x0000000000ec19ca  →  0x00000000000000ec
$rsi   : 0x00000000000001df
$rdi   : 0x0000000000000000
$rip   : 0x0000000000800671  →  <Exiv2::PngImage::printStructure(std::ostream&,+0> movzx r11d, BYTE PTR [rbp+rcx*1+0x7]
$r8    : 0x0000000000000000
$r9    : 0x00000000000001df
$r10   : 0x0000000000000000
$r11   : 0xffffffffffffffff
$r12   : 0x00007fffffffdc60  →  0x000000000000001e
$r13   : 0x0000000000ec0aa0  →  0x0000000000c09ab0  →  0x0000000000805d00  →  <Exiv2::PngImage::~PngImage()+0> lea rsp, [rsp-0x98]
$r14   : 0x00000000ffffffff
$r15   : 0x0000000000ec0c60  →  0x7458457450000000
$eflags: [CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$es: 0x0000  $gs: 0x0000  $ss: 0x002b  $ds: 0x0000  $fs: 0x0000  $cs: 0x0033  
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffdaa0│+0x00: 0x0000000000ec0db0  →  0x00007ffffbad2488	 ← $rsp
0x00007fffffffdaa8│+0x08: 0x00000050f697e571
0x00007fffffffdab0│+0x10: 0x0000000000000051 ("Q"?)
0x00007fffffffdab8│+0x18: 0x00007fffffffdc80  →  0x000000000000001e
0x00007fffffffdac0│+0x20: 0x0000000000000001
0x00007fffffffdac8│+0x28: 0x0000000000000002
0x00007fffffffdad0│+0x30: 0x00000001ffffffff
0x00007fffffffdad8│+0x38: 0x000000000000c474
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
     0x80065f <Exiv2::PngImage::printStructure(std::ostream&,+0> or     eax, 0xdb194d06
     0x800664 <Exiv2::PngImage::printStructure(std::ostream&,+0> cmp    DWORD PTR [rax*4+0xe9b440], 0x1
     0x80066c <Exiv2::PngImage::printStructure(std::ostream&,+0> lea    rdx, [rsi+r11*1+0x1]
 →   0x800671 <Exiv2::PngImage::printStructure(std::ostream&,+0> movzx  r11d, BYTE PTR [rbp+rcx*1+0x7]
     0x800677 <Exiv2::PngImage::printStructure(std::ostream&,+0> sbb    r9, r9
     0x80067a <Exiv2::PngImage::printStructure(std::ostream&,+0> cmp    DWORD PTR [rdi*4+0xe9b440], 0x1
     0x800682 <Exiv2::PngImage::printStructure(std::ostream&,+0> lea    r10, [rdx+r9*1+0x1]
     0x800687 <Exiv2::PngImage::printStructure(std::ostream&,+0> sbb    rsi, rsi
     0x80068a <Exiv2::PngImage::printStructure(std::ostream&,+0> cmp    DWORD PTR [r11*4+0xe9b440], 0x1
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:pngimage.cpp+164 ]────
    159	         // header is \nsomething\n number\n hex
    160	         while ( count < 3 )
    161	             if ( *p++ == '\n' )
    162	                 count++;
    163	         for ( long i = 0 ; i < length ; i++ )
 →  164	             if ( value[p[i]] )
    165	                 ++count;
    166	         result.alloc((count+1)/2) ;
    167	 
    168	         // hex to binary
    169	         count   = 0 ;
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "exiv2", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x800671 → Name: Exiv2::tEXtToDataBuf(result=@0x7fffffffdb20, length=0xffffffff, bytes=0xec10f1 "-Modify\301\006")
[#1] 0x800671 → Name: Exiv2::PngImage::printStructure(this=0xec0aa0, out=@0xe90640, option=Exiv2::kpsXMP, depth=0x0)
[#2] 0x46bdc5 → Name: Action::Print::printStructure(this=0xec1cc0, out=@0xe90640, option=Exiv2::kpsXMP)
[#3] 0x486cfd → Name: Action::Print::run(this=0xec1cc0, path="id:000114,orig:c-m1-1fc0c0de88608a9445d6f98a544b5abc.png")
[#4] 0x40772d → Name: main(argc=0x3, argv=0x7fffffffdef8)
[#5] 0x7ffff6926830 → Name: __libc_start_main(main=0x4073d0 <main(int, char* const*)>, argc=0x3, argv=0x7fffffffdef8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdee8)
[#6] 0x4277c9 → Name: _start()

command : exiv2 -pX [poc]
https://github.com/legend-issue/pocs/blob/master/exiv2/id:000114%2Corig:c-m1-1fc0c0de88608a9445d6f98a544b5abc.png

[D4N]

@legend-issue Was this also not an issue as #305?

[legend-issue]

Yes,I think so.