fix a read-one-byte-beyond issue in jpeg load

libvips could harmlessly read beyond the end of a string with a crafted jpg
file

ChangeLog

@@ -8,6 +8,7 @@
 - add locks for pdfium load
 - fix build with MSVC 
 - fix a problem with shinkv tail processing [angelmixu]
+- fix a read one byte beyond buffer bug in jpegload
 
 24/5/19 started 8.8.1
 - improve realpath() use on older libc

libvips/foreign/jpeg2vips.c

@@ -338,13 +338,16 @@ attach_xmp_blob( VipsImage *im, void *data, int data_length )
 	char *p = (char *) data;
 	int i;
 
-	if( !vips_isprefix( "http", p ) ) 
+	if( data_length < 4 ||
+		!vips_isprefix( "http", p ) ) 
 		return( 0 );
 
 	/* Search for a null char within the first few characters. 80
 	 * should be plenty for a basic URL.
+	 *
+	 * -2 for the extra null.
 	 */
-	for( i = 0; i < 80; i++ )
+	for( i = 0; i < VIPS_MIN( 80, data_length - 2 ); i++ )
 		if( !p[i] ) 
 			break;
 	if( p[i] )

libvips/iofuncs/header.c

@@ -1451,12 +1451,15 @@ vips_image_set_blob_copy( VipsImage *image,
 {
 	void *data_copy;
 
+	/* Cap at 100mb for sanity.
+	 */
 	if( !data ||
-		length == 0 )
+		length == 0 ||
+		length > 100 * 1024 * 1024 )
 		return;
 
 	/* We add an extra, secret null byte at the end, just in case this blob 
-	 * is read as a C string. The libtiff reader (for example) attaches
+	 * is read as a C string. The libtiff reader attaches
 	 * XMP XML as a blob, for example.
 	 */
 	if( !(data_copy = vips_malloc( NULL, length + 1 )) )