Blame SOURCES/exiv2-CVE-2018-12264-CVE-2018-12265.patch

3f58c5
diff --git a/src/preview.cpp b/src/preview.cpp
3f58c5
index 69f8e01..d20de04 100644
3f58c5
--- a/src/preview.cpp
3f58c5
+++ b/src/preview.cpp
3f58c5
@@ -37,6 +37,7 @@ EXIV2_RCSID("@(#) $Id$")
3f58c5
 #include "preview.hpp"
3f58c5
 #include "futils.hpp"
3f58c5
 #include "enforce.hpp"
3f58c5
+#include "safe_op.hpp"
3f58c5
3f58c5
 #include "image.hpp"
3f58c5
 #include "cr2image.hpp"
3f58c5
@@ -386,7 +387,7 @@ namespace {
3f58c5
             return AutoPtr();
3f58c5
3f58c5
         if (loaderList_[id].imageMimeType_ &&
3f58c5
-            std::string(loaderList_[id].imageMimeType_) != std::string(image.mimeType()))
3f58c5
+            std::string(loaderList_[id].imageMimeType_) != image.mimeType())
3f58c5
             return AutoPtr();
3f58c5
3f58c5
         AutoPtr loader = loaderList_[id].create_(id, image, loaderList_[id].parIdx_);
3f58c5
@@ -548,7 +549,8 @@ namespace {
3f58c5
             }
3f58c5
         }
3f58c5
3f58c5
-        if (offset_ + size_ > static_cast<uint32_t>(image_.io().size())) return;
3f58c5
+        if (Safe::add(offset_, size_) > static_cast<uint32_t>(image_.io().size()))
3f58c5
+            return;
3f58c5
3f58c5
         valid_ = true;
3f58c5
     }
3f58c5
@@ -802,7 +804,7 @@ namespace {
3f58c5
                     // this saves one copying of the buffer
3f58c5
                     uint32_t offset = dataValue.toLong(0);
3f58c5
                     uint32_t size = sizes.toLong(0);
3f58c5
-                    if (offset + size <= static_cast<uint32_t>(io.size()))
3f58c5
+                    if (Safe::add(offset, size) <= static_cast<uint32_t>(io.size()))
3f58c5
                         dataValue.setDataArea(base + offset, size);
3f58c5
                 }
3f58c5
                 else {
3f58c5
@@ -812,8 +814,8 @@ namespace {
3f58c5
                     for (int i = 0; i < sizes.count(); i++) {
3f58c5
                         uint32_t offset = dataValue.toLong(i);
3f58c5
                         uint32_t size = sizes.toLong(i);
3f58c5
-                        enforce(idxBuf + size < size_, kerCorruptedMetadata);
3f58c5
-                        if (size!=0 && offset + size <= static_cast<uint32_t>(io.size()))
3f58c5
+                        enforce(Safe::add(idxBuf, size) < size_, kerCorruptedMetadata);
3f58c5
+                        if (size!=0 && Safe::add(offset, size) <= static_cast<uint32_t>(io.size()))
3f58c5
                             memcpy(&buf.pData_[idxBuf], base + offset, size);
3f58c5
                         idxBuf += size;
3f58c5
                     }
3f58c5
@@ -930,7 +932,7 @@ namespace {
3f58c5
3f58c5
     DataBuf decodeBase64(const std::string& src)
3f58c5
     {
3f58c5
-        const unsigned long srcSize = static_cast<const unsigned long>(src.size());
3f58c5
+        const unsigned long srcSize = src.size();
3f58c5
3f58c5
         // create decoding table
3f58c5
         unsigned long invalid = 64;