authorandroid-build-team Robot <android-build-team-robot@google.com>2020-03-10 23:08:14 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>2020-03-10 23:08:14 +0000
commitdaf32ac4b7d4252891c467bb91ab0f17afe3ca1e (patch)
tree12149b7c2a8d95ed6f125244e277c4991e4c7d68
parent1a6756b78ad1c7fca57cb8521081fc01181e8f83 (diff)
parentff237a0c1a223a8dac0dc7e056b7b5c3b5d91709 (diff)
downloadlibexif-android10-d4-s1-release.tar.gz
Snap for 6282349 from ff237a0c1a223a8dac0dc7e056b7b5c3b5d91709 to qt-d4-releaseandroid-10.0.0_r45android-10.0.0_r44android-10.0.0_r43android-10.0.0_r42android10-d4-s1-releaseandroid10-d4-release
Change-Id: Ib0c1f0331fdcb88d15e8cb7a149c70cdba822ab6
-rw-r--r--libexif/exif-data.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index adfb512..80d9346 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -39,6 +39,7 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
+#include <limits.h>
#undef JPEG_MARKER_SOI
#define JPEG_MARKER_SOI 0xd8
@@ -299,7 +300,9 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
/* Write the data. Fill unneeded bytes with 0. Do not crash with
* e->data is NULL */
if (e->data) {
- memcpy (*d + 6 + doff, e->data, s);
+ unsigned int len = s;
+ if (e->size < s) len = e->size;
+ memcpy (*d + 6 + doff, e->data, len);
} else {
memset (*d + 6 + doff, 0, s);
}
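Review bot: When `e->size < s`, the clamped `memcpy` writes only `len` bytes and leaves the remaining `s - len` bytes at `*d + 6 + doff + len` untouched, even though the comment just above says unneeded bytes are filled with 0. The destination buffer is allocated outside this hunk, so unless it is zeroed there, the saved EXIF blob may carry stale heap contents in that tail. Adding `if (len < s) memset (*d + 6 + doff + len, 0, s - len);` right after the `memcpy` would close the gap. The body of `exif_data_save_data_entry` starts and ends outside the hunk, so the allocation path should be confirmed there.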
@@ -383,9 +386,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
}
/* Read the number of entries */
- if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
+ if ((offset > UINT_MAX - 2) || (offset + 2 > ds)) {
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
- "Tag data past end of buffer (%u > %u)", offset+2, ds);
+ "Tag data past end of buffer (%u + 2 > %u)", offset, ds);
return;
}
n = exif_get_short (d + offset, data->priv->order);
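Review bot: The new guard `offset > UINT_MAX - 2` is only correct while `offset` is an `unsigned int`, and its declaration lies outside this hunk (the `%u` format suggests that type but does not establish it). A subtraction form such as `if ((ds < 2) || (offset > ds - 2)) {` rejects the same inputs, contains no addition that could wrap, and does not depend on `<limits.h>`. This check also covers only the two-byte entry count read by `exif_get_short`; whether the entries that follow are bounded is decided in code outside the hunk.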