libexif: Fix read buffer overflow
Make sure the number of bytes being copied from doesn't exceed the
source buffer size.
Test: testPocBug_148705132
Bug: 148705132
Change-Id: Ib0f8441f2d0d4ed33c324630a9400a8412209da7
(cherry picked from commit 127f882f67b38def9b5424987c32e21064f4d49c)
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 67df4db..b8324b8 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -295,7 +295,9 @@
/* Write the data. Fill unneeded bytes with 0. Do not crash with
* e->data is NULL */
if (e->data) {
- memcpy (*d + 6 + doff, e->data, s);
+ unsigned int len = s;
+ if (e->size < s) len = e->size;
+ memcpy (*d + 6 + doff, e->data, len);
} else {
memset (*d + 6 + doff, 0, s);
}