File CVE-2018-11531.patch of Package exiv2.26214
Index: exiv2-0.23/src/preview.cpp
===================================================================
--- exiv2-0.23.orig/src/preview.cpp
+++ exiv2-0.23/src/preview.cpp
@@ -41,6 +41,7 @@ EXIV2_RCSID("@(#) $Id: preview.cpp 2698
#include "preview.hpp"
#include "futils.hpp"
+#include "enforce.hpp"
#include "image.hpp"
#include "cr2image.hpp"
@@ -809,13 +810,14 @@ namespace {
else {
// FIXME: the buffer is probably copied twice, it should be optimized
DataBuf buf(size_);
- Exiv2::byte* pos = buf.pData_;
+ uint32_t idxBuf = 0;
for (int i = 0; i < sizes.count(); i++) {
uint32_t offset = dataValue.toLong(i);
uint32_t size = sizes.toLong(i);
- if (offset + size <= static_cast<uint32_t>(io.size()))
- memcpy(pos, base + offset, size);
- pos += size;
+ enforce(idxBuf + size < size_, kerCorruptedMetadata);
+ if (size!=0 && offset + size <= static_cast<uint32_t>(io.size()))
+ memcpy(&buf.pData_[idxBuf], base + offset, size);
+ idxBuf += size;
}
dataValue.setDataArea(buf.pData_, buf.size_);
}
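Review bot: The new bound `enforce(idxBuf + size < size_, kerCorruptedMetadata);` is evaluated in uint32_t and can wrap: once idxBuf is non-zero, a strip size close to UINT32_MAX makes `idxBuf + size` wrap to a small value that satisfies the check, and the same wrap in `offset + size` on the following line lets the memcpy run with that oversized `size`, writing past the end of buf.pData_. Writing both tests as subtractions removes the wrap, since idxBuf < size_ holds after each passed check and offset is range-checked before it is subtracted: `enforce(size < size_ - idxBuf, kerCorruptedMetadata);` and `if (size != 0 && offset <= static_cast<uint32_t>(io.size()) && size <= static_cast<uint32_t>(io.size()) - offset)`. Separately, the strict `<` rejects a strip that ends exactly at size_; if size_ is the sum of the strip sizes (it is computed outside this hunk), the last strip of every well-formed multi-strip preview would be reported as corrupted and `<=` is the intended bound, which is worth confirming against the constructor. The enclosing function begins and ends outside the hunk.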