From f80403767b34818f3298d7ae54e6b36315f3b0a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milo=C5=A1=20Komar=C4=8Devi=C4=87?=
Date: Wed, 10 May 2023 18:35:08 +0200
Subject: [PATCH] BMFF: fix handling of boxes w/ zero length or type

---
 src/bmffimage.cpp | 7 ++++++-
 test/data/pr_2612_poc.heic | Bin 0 -> 80 bytes
 .../data/test_reference_files/pr_2612_poc.heic.out | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 test/data/pr_2612_poc.heic
 create mode 100644 test/data/test_reference_files/pr_2612_poc.heic.out

diff --git a/src/bmffimage.cpp b/src/bmffimage.cpp
index ce61aeeb6..185672b9b 100644
--- a/src/bmffimage.cpp
+++ b/src/bmffimage.cpp
@@ -110,7 +110,7 @@ static bool skipBox(uint32_t box) {
 // Allows boxHandler() to optimise the reading of files by identifying
 // box types that we're not interested in. Box types listed here must
 // not appear in the cases in switch (box_type) in boxHandler().
- return box == TAG_mdat; // mdat is where the main image lives and can be huge
+ return box == 0 || box == TAG_mdat; // mdat is where the main image lives and can be huge
 }

 std::string BmffImage::mimeType() const {
@@ -277,6 +277,11 @@ uint64_t BmffImage::boxHandler(std::ostream& out /* = std::cout*/, Exiv2::PrintS
 box_length = data.read_uint64(0, endian_);
 }

+ if (box_length == 0) {
+ // Zero length is also valid and indicates box extends to the end of file.
+ box_length = pbox_end - address;
+ }
+
 // read data in box and restore file position
 const size_t restore = io_->tell();
 Internal::enforce(box_length >= hdrsize, Exiv2::ErrorCode::kerCorruptedMetadata);
diff --git a/test/data/pr_2612_poc.heic b/test/data/pr_2612_poc.heic
new file mode 100644
index 0000000000000000000000000000000000000000..036c6cf32c5e98dda6da4c18b2851c6f66760242
GIT binary patch
literal 80
ecmZQzV30^FsVvAy%}izh0uY^>nPv!LlLG*=5e9nz

literal 0
HcmV?d00001
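Review bot: The trailing comment on the changed `return` in skipBox() still explains only the mdat half of the condition, so a reader cannot tell why a zero box type is now skipped as well. Something like `// a zero box type is never handled below; mdat is where the main image lives and can be huge` would cover both, with the wording adjusted to the actual reason. The block comment above also requires that types listed here do not appear in the `switch (box_type)` in boxHandler(), which is outside this hunk, so it is worth confirming that no case there relies on a zero type.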
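Review bot: In boxHandler(), the new fallback `box_length = pbox_end - address;` subtracts without first checking that `address` does not exceed `pbox_end`. Their declarations are outside the hunk, but if they are unsigned, a wrapped difference would still pass the `box_length >= hdrsize` enforce that follows. Consider guarding the subtraction with `Internal::enforce(address <= pbox_end, Exiv2::ErrorCode::kerCorruptedMetadata);`. The zero test also sits after the block that assigns `box_length = data.read_uint64(0, endian_)`, so a zero 64-bit size takes the same "extends to the end" path as a zero 32-bit size; if only the latter is intended, test for zero before that block. The function body starts and ends outside the hunk, so later bounds checks may already cover part of this.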
diff --git a/test/data/test_reference_files/pr_2612_poc.heic.out b/test/data/test_reference_files/pr_2612_poc.heic.out
new file mode 100644
index 000000000..8b1378917
--- /dev/null
+++ b/test/data/test_reference_files/pr_2612_poc.heic.out
@@ -0,0 +1 @@
+