File CVE-2019-20421.patch of Package exiv2.26214
Index: exiv2-0.23/src/jp2image.cpp
===================================================================
--- exiv2-0.23.orig/src/jp2image.cpp
+++ exiv2-0.23/src/jp2image.cpp
@@ -149,6 +149,16 @@ namespace Exiv2
throw(Error(32, "Image comment", "JP2"));
} // Jp2Image::setComment
+static void boxes_check(size_t b,size_t m)
+{
+ if ( b > m ) {
+#ifdef DEBUG
+ std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
+#endif
+ throw Error(kerCorruptedMetadata);
+ }
+}
+
void Jp2Image::readMetadata()
{
#ifdef DEBUG
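Review bot: boxes_check lets one more box through than the stated maximum, because both callers pass `boxes++` (the value before the increment) and the test is `b > m`; `if ( b >= m ) {` would make `boxem` the actual cap. The helper also has no comment explaining the limit, so I would add `// Bound the number of boxes parsed from one file; throws kerCorruptedMetadata once the limit is exceeded.` above it. The thrown `Error(kerCorruptedMetadata)` differs from the numeric form `Error(32, ...)` in the context line above, so it is worth confirming that the enumerator is defined in this 0.23 tree. readMetadata's body continues outside the hunk.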
@@ -171,9 +181,12 @@ namespace Exiv2
Jp2BoxHeader subBox = {0,0};
Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0};
Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+ size_t boxes = 0 ;
+ size_t boxem = 1000 ; // boxes max
while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
{
+ boxes_check(boxes++,boxem );
position = io_->tell();
box.boxLength = getLong((byte*)&box.boxLength, bigEndian);
#ifdef DEBUG
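Review bot: `box.boxLength` is converted with getLong() here but not range-checked, while the later hunk bounds `subBox.boxLength` against `io_->size()`. The new counter limits how many boxes are visited, not how far a single length field can point. If the rest of the loop (outside this hunk) uses that length to seek or to size a buffer, a matching check right after the conversion would be consistent, taking care with any length values the format reserves. Separately, `boxem` never changes and reads better as `const size_t boxem = 1000; // maximum number of boxes accepted per file`.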
@@ -206,8 +219,12 @@ namespace Exiv2
if (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox))
{
+ boxes_check(boxes++, boxem);
subBox.boxLength = getLong((byte*)&subBox.boxLength, bigEndian);
subBox.boxType = getLong((byte*)&subBox.boxType, bigEndian);
+ if (subBox.boxLength > io_->size() ) {
+ throw Error(kerCorruptedMetadata);
+ }
if((subBox.boxType == kJp2BoxTypeImageHeader) &&
(io_->read((byte*)&ihdr, sizeof(ihdr)) == sizeof(ihdr)))
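Review bot: The new bound `subBox.boxLength > io_->size()` compares the sub-box length with the size of the whole file rather than with what is left after the current read position. A length that fits in the file but runs past its end from here therefore still passes. Bounding it by the remaining bytes is tighter, for example `if (subBox.boxLength > sizeof(subBox) + (io_->size() - io_->tell())) {`, since the header has already been consumed at this point. The comparison also mixes the length field with whatever type `io_->size()` returns, so if that is signed an explicit cast would keep the check well defined. The enclosing `if` block continues outside the hunk.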