From 51dd79380c12616525eae06b8c5f0d922585ee39 Mon Sep 17 00:00:00 2001
From: Dan Fandrich
Date: Thu, 12 Jul 2012 10:11:30 -0700
Subject: [PATCH] Fixed an off-by-one error in exif_convert_utf16_to_utf8()

This can cause a one-byte NUL write past the end of the buffer. This fixes CVE-2012-2840

---
 libexif/exif-utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libexif/exif-utils.c b/libexif/exif-utils.c
index 22ee29f..f375de1 100644
--- a/libexif/exif-utils.c
+++ b/libexif/exif-utils.c
@@ -239,7 +239,7 @@ exif_convert_utf16_to_utf8 (char *out, const unsigned short *in, int maxlen)
 				break;
 			}
 		} else {
-			if (maxlen > 2) {
+			if (maxlen > 3) {
 				*out++ = ((*in >> 12) & 0x0F) | 0xE0;
 				*out++ = ((*in >> 6) & 0x3F) | 0x80;
 				*out++ = (*in++ & 0x3F) | 0x80;
-- 
2.7.4
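Review bot: The corrected bound `maxlen > 3` depends on an invariant the code never states — per the commit message, maxlen must leave room for the terminating NUL written after the loop, so a three-byte sequence needs four bytes of space — and a comment such as `/* maxlen includes the trailing NUL: a 3-byte sequence needs maxlen > 3 */` above the new line would keep the next maintainer from reintroducing the off-by-one in this or the sibling width branches. exif_convert_utf16_to_utf8 starts and ends outside the hunk, so I cannot confirm from the visible lines that maxlen is decremented by 3 after these three writes; that is worth verifying alongside this fix. Separately, this branch encodes each code unit at or above 0x800 directly as three bytes, so if no earlier branch combines surrogate pairs (0xD800–0xDFFF), such units are emitted as sequences that are not valid UTF-8 — a follow-up rather than part of this change.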