Snap for 6282349 from ff237a0c1a223a8dac0dc7e056b7b5c3b5d91709 to qt-d4-release

Change-Id: Ib0c1f0331fdcb88d15e8cb7a149c70cdba822ab6
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index adfb512..80d9346 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -39,6 +39,7 @@
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
+#include <limits.h>
 
 #undef JPEG_MARKER_SOI
 #define JPEG_MARKER_SOI  0xd8
@@ -299,7 +300,9 @@
 	/* Write the data. Fill unneeded bytes with 0. Do not crash with
 	 * e->data is NULL */
 	if (e->data) {
-		memcpy (*d + 6 + doff, e->data, s);
+		unsigned int len = s;
+		if (e->size < s) len = e->size;
+		memcpy (*d + 6 + doff, e->data, len);
 	} else {
 		memset (*d + 6 + doff, 0, s);
 	}
@@ -383,9 +386,9 @@
 	}
 
 	/* Read the number of entries */
-	if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
+	if ((offset > UINT_MAX - 2) || (offset + 2 > ds)) {
 		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
-			  "Tag data past end of buffer (%u > %u)", offset+2, ds);
+			  "Tag data past end of buffer (%u + 2 > %u)", offset, ds);
 		return;
 	}
 	n = exif_get_short (d + offset, data->priv->order);
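Review bot: The new guard `offset > UINT_MAX - 2` is only correct while `offset` has type `unsigned int`; its declaration is outside the hunk, and the `%u` format suggests that type, but nothing here ties the bound to it. Expressing the check relative to the buffer length, `if ((ds < 2) || (offset > ds - 2)) {`, cannot wrap for any unsigned width and does not need `<limits.h>`. Either way, a short comment such as `/* test before adding: offset + 2 can wrap */` would record why the addition is not used directly. The per-entry bounds checks that follow the read of `n` are outside this hunk and are not assessed here.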