Package: exiv2 / 0.25-3.1+deb9u2

Metadata

Package: exiv2
Version: 0.25-3.1+deb9u2
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
libtool_update.diff

config/aclocal.m4 | 12 9 + 3 - 0 !
configure | 12 9 + 3 - 0 !
2 files changed, 18 insertions(+), 6 deletions(-)

---
upstream fix casio crash

src/makernote.cpp | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

---
CVE 2017 9239.patch

src/tiffcomposite.cpp | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] #1296 fix submitted.


CVE 2018 10958_10999_1_of_2.patch

src/error.cpp | 3 2 + 1 - 0 !
src/pngchunk.cpp | 4 4 + 0 - 0 !
2 files changed, 6 insertions(+), 1 deletion(-)

 [patch] analyze minimum needed number of null separators in
 PngChunk::parseTXTChunk

This commit fixes the heap-buffer-overflow in PngChunk::parseTXTChunk.

According to the specification:
http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html

There must be 2 null separators when we start to analyze the language tag.

(cherry picked from commit 2fb00c8a16ce93756cddd70536e361a49369ba88)
[rcs: Backported to stretch]

CVE 2018 10958_10999_2_of_2.patch

src/pngchunk.cpp | 20 15 + 5 - 0 !
1 file changed, 15 insertions(+), 5 deletions(-)

 [patch] check validity of compressionflag & compressionmethod

(cherry picked from commit 3ad0050469e6ea63b4081f2a88c264ce8ab55c51)
[rcs: Backported to stretch]

CVE 2018 10998.patch

src/exiv2.cpp | 48 27 + 21 - 0 !
1 file changed, 27 insertions(+), 21 deletions(-)

 [patch] catch all exceptions not caught in exiv2 cli-tool

It effectively looks the same as before, only now we don't call abort() but
instead clean up everything gracefully.

(cherry picked from commit f4e8ed2fd48d012467b99552f0d6378302a23c75)
[rcs: Backported to stretch]

CVE 2018 11531_1_of_3.patch

src/preview.cpp | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] prevent call to memcpy with size==0

(cherry picked from commit ed874703ad553338f973d537b8159d0eb4375cc4)
[rcs: Backported to stretch]

CVE 2018 11531_2_of_3.patch

src/preview.cpp | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] use index to access buf.pdata_

(cherry picked from commit 863aaebc92ff0b0ee3d302b7b5291002c043bc7b)
[rcs: Backported to stretch]

CVE 2018 11531_3_of_3.patch

src/preview.cpp | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] throw when trying to write out of the buffer

(cherry picked from commit 67a5a741153c876a6f1c189abb874721d1725c48)
[rcs: Backported to stretch]

CVE 2018 12265_prereq.patch

src/safe_op.hpp | 307 307 + 0 - 0 !
1 file changed, 307 insertions(+)

---
CVE 2018 12265.patch

src/preview.cpp | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 [patch] add offset_ and size_ safely in
 LoaderExifJpeg::LoaderExifJpeg

offset_ can become arbitrarily large and overflows once it's added to size_,
this causes all kinds of problems further in the code when offset_ is used
again.
=> Use Safe::add() to catch potential overflows
This fixes #365.

(cherry picked from commit 937a1a2bd067b8b3b787f3757089d972f3a39853)
[rcs: Backported to stretch]

CVE 2018 12264.patch

src/preview.cpp | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] fix addition overflows in range checks in LoaderTiff::getData

Several checks for extracted values performed no overflow checks on the
addition. They can be tricked into passing, albeit the individual summands are
too large.
=> use Safe::add() which now aborts when an overflow occurs
This fixes #366

(cherry picked from commit fe70939f54476e99046245ca69ff27012401f759)
[rcs: Backported to stretch]

CVE 2018 16336_prereq.patch

src/Makefile | 3 2 + 1 - 0 !
src/helper_functions.cpp | 38 38 + 0 - 0 !
src/helper_functions.hpp | 49 49 + 0 - 0 !
3 files changed, 89 insertions(+), 1 deletion(-)

---
CVE 2018 16336.patch

src/pngchunk.cpp | 63 36 + 27 - 0 !
1 file changed, 36 insertions(+), 27 deletions(-)

 [patch] add overflow & overread checks to PngChunk::parseTXTChunk()

This function was creating a lot of new pointers and strings without
properly checking the array bounds. This commit adds several calls
to enforce(), making sure that the pointers stay within bounds.
Strings are now created using the helper function
string_from_unterminated() to prevent overreads in the constructor of
std::string.

This fixes #400