From 5715d71739d405f85dda19c024336e353a29390d Mon Sep 17 00:00:00 2001
From: wp_xxyyzz
Date: Thu, 28 Jul 2022 20:48:21 +0000
Subject: [PATCH] fpexif: Fix some range check errors. Patch by forum user Mirkasp (https://forum.lazarus.freepascal.org/index.php/topic,60105.msg448827).
git-svn-id: https://svn.code.sf.net/p/lazarus-ccr/svn@8366 8e941d3f-bd1b-0410-a28a-d453659cc2b4
---
 components/fpexif/fpemetadata.pas | 6 +++++-
 components/fpexif/fpeutils.pas | 25 ++++++++++++++++++++-----
 2 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/components/fpexif/fpemetadata.pas b/components/fpexif/fpemetadata.pas
index 6758e1a90..923fdd507 100644
--- a/components/fpexif/fpemetadata.pas
+++ b/components/fpexif/fpemetadata.pas
@@ -544,7 +544,11 @@ begin
 repeat
 marker := ReadByte(AStream);
 until marker <> $FF;
- size := BEtoN(ReadWord(AStream)) - 2;
+ size := BEToN(ReadWord(AStream));
+ if size < 2 then
+ Continue;
+ size := size - 2;
+// size := BEtoN(ReadWord(AStream)) - 2;
 p := AStream.Position;
 case marker of
 M_EXIF:
diff --git a/components/fpexif/fpeutils.pas b/components/fpexif/fpeutils.pas
index 64b9fe1ce..406642a2f 100644
--- a/components/fpexif/fpeutils.pas
+++ b/components/fpexif/fpeutils.pas
@@ -111,7 +111,7 @@ procedure JPEGScaleImage(ASrcStream, ADestStream: TStream;
 ADestSize: Integer = DEFAULT_THUMBNAIL_SIZE);
 // Buffer utils
-function PosInBytes(AText: ansistring; ABuffer: TBytes): Integer;
+function PosInBytes(const AText: ansistring; const ABuffer: TBytes): Integer;
 // Date/time utils
 function LocalTimeZoneStr: String;
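Review bot: In fpemetadata.pas the new `if size < 2 then Continue;` guard covers only the underflow case; a segment length taken from the file that is larger than the bytes left in the stream is still accepted before `p := AStream.Position` and the `case marker of` dispatch. Whether the per-marker readers bound their own reads cannot be seen here, because the enclosing loop and the case body lie outside the hunk, so an upper check next to the new guard is worth adding, e.g. `if size > AStream.Size - AStream.Position then Break;` right after `size := size - 2;` (or whichever exit the enclosing loop uses). A one-line comment such as `// segment length includes its own two bytes; anything below 2 is malformed` would explain why the segment is skipped. The commented-out `// size := BEtoN(ReadWord(AStream)) - 2;` line is dead and should be dropped rather than committed.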
@@ -1353,9 +1353,23 @@ end;
 // Buffer utilities
 //==============================================================================
+function PosInBytes(const AText: AnsiString; const ABuffer: TBytes): Integer;
+var
+ len: Integer;
+begin
+ len := Length(AText);
+ if (len > 0) and Assigned(ABuffer) then begin
+ for Result := Low(ABuffer) to High(ABuffer) - len + 1 do
+ if {%H-}CompareMem(@ABuffer[Result], Pointer(AText), len) then
+ exit;
+ end;
+ Result := -1;
+end;
+
+(*
 function PosInBytes(AText: AnsiString; ABuffer: TBytes): Integer;
 var
- i, j: Integer;
+ i, j, len: Integer;
 found: Boolean;
 begin
 if (AText = '') or (ABuffer = nil) then begin
@@ -1363,10 +1377,11 @@ begin
 exit;
 end;
- for i:= 0 to High(ABuffer) do
+ len := Length(AText);
+ for i:= 0 to High(ABuffer) - len + 1 do
 if ABuffer[i] = ord(AText[1]) then begin
 found := true;
- for j := 2 to Length(AText) do
+ for j := 2 to len do
 if ABuffer[i+j-1] <> ord(AText[j]) then begin
 found := false;
 break;
@@ -1379,7 +1394,7 @@ begin
 Result := -1;
 end;
-
+*)
 //==============================================================================
 // Date/time utilities
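Review bot: The new PosInBytes in fpeutils.pas uses `Result` as the `for` control variable and relies on it keeping its value when the loop is left through `exit`; the `{%H-}` marker on the `CompareMem` line suppresses a hint there, presumably connected to this. A local index reads more clearly and does not depend on that behaviour: `for i := Low(ABuffer) to High(ABuffer) - len + 1 do` followed by `if CompareMem(@ABuffer[i], Pointer(AText), len) then Exit(i);`. The bound `High(ABuffer) - len + 1` is what keeps every `CompareMem` read inside the buffer, so it deserves a short comment such as `// last start index at which len bytes still fit`. The previous implementation is kept inside `(* ... *)`, and the hunks at -1363 and -1379 go on editing that dead code; deleting it would be cleaner, since version control already retains it.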