From da59f94392b7317d6714928dde8c52420dfaa014 Mon Sep 17 00:00:00 2001
From: DAN-MU-ZI <39262980+DAN-MU-ZI@users.noreply.github.com>
Date: Mon, 25 Nov 2024 18:23:36 +0900
Subject: [PATCH] Issue #685 | Validate stringLength in ICC DESC tag to prevent
 exceptions

Resolved an issue where malformed ICC profiles could cause a
StringIndexOutOfBoundsException during DESC tag processing.

- Added validation to ensure `stringLength` is non-negative and does not
  exceed `bytes.length - 12`.
- Throws `BufferBoundsException` with a detailed message for invalid cases.
- Ensures corrupted ICC profiles are handled gracefully.
---
 Source/com/drew/metadata/icc/IccDescriptor.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Source/com/drew/metadata/icc/IccDescriptor.java b/Source/com/drew/metadata/icc/IccDescriptor.java
index 98b11393c..70b7b8590 100644
--- a/Source/com/drew/metadata/icc/IccDescriptor.java
+++ b/Source/com/drew/metadata/icc/IccDescriptor.java
@@ -21,6 +21,7 @@
 
 package com.drew.metadata.icc;
 
+import com.drew.lang.BufferBoundsException;
 import com.drew.lang.ByteArrayReader;
 import com.drew.lang.RandomAccessReader;
 import com.drew.lang.annotations.NotNull;
@@ -91,6 +92,11 @@ private String getTagDataString(int tagType)
                     }
                 case ICC_TAG_TYPE_DESC:
                     int stringLength = reader.getInt32(8);
+
+                    if (stringLength < 0 || stringLength > (bytes.length - 12)) {
+                        throw new BufferBoundsException(12, stringLength, bytes.length);
+                    }
+
                     return new String(bytes, 12, stringLength - 1);
                 case ICC_TAG_TYPE_SIG:
                     return IccReader.getStringFromInt32(reader.getInt32(8));