libexif: Fix read buffer overflow Make sure the number of bytes being copied from doesn't exceed the source buffer size. Test: testPocBug_148705132 Bug: 148705132 Change-Id: Ib0f8441f2d0d4ed33c324630a9400a8412209da7

commit: 127f882f67b38def9b5424987c32e21064f4d49c [log] [tgz]
author: Shuzhen Wang <shuzhenwang@google.com> Mon Mar 02 14:52:12 2020 -0800
committer: Shuzhen Wang <shuzhenwang@google.com> Wed Mar 04 12:57:51 2020 -0800
tree: 94bb86a29c27230cd1e776e27ebcb53239d0957d
parent: 1689c992265c8f0682a361bbc84f239109a0dc75 [diff]
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 67df4db..b8324b8 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c

@@ -295,7 +295,9 @@
 	/* Write the data. Fill unneeded bytes with 0. Do not crash with
 	 * e->data is NULL */
 	if (e->data) {
-		memcpy (*d + 6 + doff, e->data, s);
+		unsigned int len = s;
+		if (e->size < s) len = e->size;
+		memcpy (*d + 6 + doff, e->data, len);
 	} else {
 		memset (*d + 6 + doff, 0, s);
 	}
commit	127f882f67b38def9b5424987c32e21064f4d49c	[log] [tgz]
author	Shuzhen Wang <shuzhenwang@google.com>	Mon Mar 02 14:52:12 2020 -0800
committer	Shuzhen Wang <shuzhenwang@google.com>	Wed Mar 04 12:57:51 2020 -0800
tree	94bb86a29c27230cd1e776e27ebcb53239d0957d
parent	1689c992265c8f0682a361bbc84f239109a0dc75 [diff]