From d942fea1cf7891818de357e08319d881b0f2f0df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hubert=20Figui=C3=A8re?= <hub@figuiere.net>
Date: Sun, 25 Feb 2018 13:28:28 -0500
Subject: [PATCH 5/5] Bug 105204 - Fix a buffer overflow in PSD parser
---
source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp b/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp
index 0e57b49..bed14b0 100644
--- a/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp
+++ b/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp
@@ -291,6 +291,12 @@ void PSIR_FileWriter::ParseFileResources ( LFA_FileRef fileRef, XMP_Uns32 length
ioBuf.ptr += paddedLen; // Move to the data length.
XMP_Uns32 dataLen = GetUns32BE(ioBuf.ptr);
XMP_Uns32 dataTotal = ((dataLen + 1) & 0xFFFFFFFEUL); // Round up to an even total.
+ // See bug https://bugs.freedesktop.org/show_bug.cgi?id=105204
+ // If dataLen is 0xffffffff, then dataTotal might be 0
+ // and therefor make the CheckFileSpace test pass.
+ if (dataTotal < dataLen) {
+ break;
+ }
ioBuf.ptr += 4; // Advance to the resource data.
XMP_Int64 thisDataPos = ioBuf.filePos + (ioBuf.ptr - ioBuf.data);
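Review bot: The guard `if (dataTotal < dataLen)` rejects only the single wrapping value, dataLen == 0xFFFFFFFF, where the round-up yields exactly 0 rather than "might be 0". Every other oversized length up to 0xFFFFFFFE still passes this test and is bounded only by whatever check follows. That check is outside this hunk, as is the rest of ParseFileResources, so it is worth confirming that the CheckFileSpace call named in the comment and the arithmetic on `thisDataPos` compare against the remaining `length` in 64 bits. The comment could state the condition precisely and fix the "therefor" typo: `// dataLen == 0xFFFFFFFF makes the round-up wrap to 0, which would let the CheckFileSpace test pass.` The `break` also stops parsing silently, so a second comment line such as `// Malformed resource: stop parsing, keep what was read so far.` would tell the next reader that dropping the remaining resources is deliberate.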
--
2.17.2