Fix out-of-bounds read in CrwMap::decode0x0805

src/crwimage_int.cpp

@@ -648,7 +648,7 @@ const CrwMapping* CrwMap::crwMapping(uint16_t crwDir, uint16_t crwTagId) {
 
 void CrwMap::decode0x0805(const CiffComponent& ciffComponent, const CrwMapping* /*pCrwMapping*/, Image& image,
                           ByteOrder /*byteOrder*/) {
-  std::string s(reinterpret_cast<const char*>(ciffComponent.pData()));
+  auto s = std::string(reinterpret_cast<const char*>(ciffComponent.pData()), ciffComponent.size());
   image.setComment(s);
 }  // CrwMap::decode0x0805
 

tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py

@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path
+
+
+class CrwMap_decode0x0805_OutOfBoundsRead(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
+    """
+
+    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp"
+
+    filename = path("$data_path/issue_ghsa_9mxq_4j5g_5wrp.crw")
+    commands = ["$exiv2 $filename"]
+    stdout = ["""File name       : $filename
+File size       : 74 Bytes
+MIME type       : image/x-canon-crw
+Image size      : 0 x 0
+"""
+]
+    stderr   = ["""$filename: No Exif data found in the file
+"""]
+    retval = [253]

tests/regression_tests/test_regression_allfiles.py

@@ -122,6 +122,7 @@ def get_valid_files(data_dir):
         "issue_ghsa_g9xm_7538_mq8w_poc.mov",
         "issue_ghsa_38h4_fx85_qcx7_poc.tiff",
         "issue_ghsa_496f_x7cq_cq39_poc.jpg",
+        "issue_ghsa_9mxq_4j5g_5wrp.crw",
         "pocIssue283.jpg",
         "poc_1522.jp2",
         "xmpsdk.xmp",