Blame SOURCES/exiv2-CVE-2018-12264-CVE-2018-12265.patch

4a042c
diff --git a/src/preview.cpp b/src/preview.cpp
4a042c
index 69f8e01..d20de04 100644
4a042c
--- a/src/preview.cpp
4a042c
+++ b/src/preview.cpp
4a042c
@@ -37,6 +37,7 @@ EXIV2_RCSID("@(#) $Id$")
4a042c
 #include "preview.hpp"
4a042c
 #include "futils.hpp"
4a042c
 #include "enforce.hpp"
4a042c
+#include "safe_op.hpp"
4a042c
4a042c
 #include "image.hpp"
4a042c
 #include "cr2image.hpp"
4a042c
@@ -386,7 +387,7 @@ namespace {
4a042c
             return AutoPtr();
4a042c
4a042c
         if (loaderList_[id].imageMimeType_ &&
4a042c
-            std::string(loaderList_[id].imageMimeType_) != std::string(image.mimeType()))
4a042c
+            std::string(loaderList_[id].imageMimeType_) != image.mimeType())
4a042c
             return AutoPtr();
4a042c
4a042c
         AutoPtr loader = loaderList_[id].create_(id, image, loaderList_[id].parIdx_);
4a042c
@@ -548,7 +549,8 @@ namespace {
4a042c
             }
4a042c
         }
4a042c
4a042c
-        if (offset_ + size_ > static_cast<uint32_t>(image_.io().size())) return;
4a042c
+        if (Safe::add(offset_, size_) > static_cast<uint32_t>(image_.io().size()))
4a042c
+            return;
4a042c
4a042c
         valid_ = true;
4a042c
     }
4a042c
@@ -802,7 +804,7 @@ namespace {
4a042c
                     // this saves one copying of the buffer
4a042c
                     uint32_t offset = dataValue.toLong(0);
4a042c
                     uint32_t size = sizes.toLong(0);
4a042c
-                    if (offset + size <= static_cast<uint32_t>(io.size()))
4a042c
+                    if (Safe::add(offset, size) <= static_cast<uint32_t>(io.size()))
4a042c
                         dataValue.setDataArea(base + offset, size);
4a042c
                 }
4a042c
                 else {
4a042c
@@ -812,8 +814,8 @@ namespace {
4a042c
                     for (int i = 0; i < sizes.count(); i++) {
4a042c
                         uint32_t offset = dataValue.toLong(i);
4a042c
                         uint32_t size = sizes.toLong(i);
4a042c
-                        enforce(idxBuf + size < size_, kerCorruptedMetadata);
4a042c
-                        if (size!=0 && offset + size <= static_cast<uint32_t>(io.size()))
4a042c
+                        enforce(Safe::add(idxBuf, size) < size_, kerCorruptedMetadata);
4a042c
+                        if (size!=0 && Safe::add(offset, size) <= static_cast<uint32_t>(io.size()))
4a042c
                             memcpy(&buf.pData_[idxBuf], base + offset, size);
4a042c
                         idxBuf += size;
4a042c
                     }
4a042c
@@ -930,7 +932,7 @@ namespace {
4a042c
4a042c
     DataBuf decodeBase64(const std::string& src)
4a042c
     {
4a042c
-        const unsigned long srcSize = static_cast<const unsigned long>(src.size());
4a042c
+        const unsigned long srcSize = src.size();
4a042c
4a042c
         // create decoding table
4a042c
         unsigned long invalid = 64;