exif_content_remove_entry:

1) don't unref entry that was not removed from entries
2) don't reorder entries if removal fails
3) use memmove and not memcpy, the latter is not safe for overlapping buffers

P.S. Aren't we paranoic with expecting realloc to a slightly smaller buffer to fail???

diff --git a/libexif/exif-content.c b/libexif/exif-content.c
index a80a99d..4b346b3 100644 (file)
--- a/libexif/exif-content.c
+++ b/libexif/exif-content.c
@@ -166,26 +166,24 @@ exif_content_remove_entry (ExifContent *c, ExifEntry *e)
        if (i == c->count) return;
 
        /* Remove the entry */
-       temp = c->entries[i];
-       memcpy (&c->entries[i], &c->entries[i + 1],
-                sizeof (ExifEntry*) * (c->count - i - 1));
-       e->parent = NULL;
-       exif_entry_unref (e);
+       temp = c->entries[c->count-1];
        if (c->count > 1) {
                t = exif_mem_realloc (c->priv->mem, c->entries,
                                        sizeof(ExifEntry*) * (c->count - 1));
-               if (t) {
-                       c->entries = t;
-                       c->count--;
-               } else {
-                       /* We overwrote one entry, restore it now. */
-                       c->entries[c->count-1] = temp;
+               if (!t) {
+                       return;
                }
+               c->entries = t;
+               c->count--;
+               memmove (&t[i], &t[i + 1], sizeof (ExifEntry*) * (c->count - i - 1));
+               t[c->count-1] = temp;
        } else {
                exif_mem_free (c->priv->mem, c->entries);
                c->entries = NULL;
                c->count = 0;
        }
+       e->parent = NULL;
+       exif_entry_unref (e);
 }
 
 ExifEntry *