From 6de5f4d44e1e670da3943f9ac521640678bab1f8 Mon Sep 17 00:00:00 2001
From: Jan Patera
Date: Sat, 26 Jul 2008 09:56:45 +0200
Subject: [PATCH] exif_content_remove_entry: 1) don't unref entry that was not removed from entries 2) don't reorder entries if removal fails 3) use memmove and not memcpy, the latter is not safe for overlapping buffers P.S. Aren't we paranoic with expecting realloc to a slightly smaller buffer to fail???
---
 libexif/exif-content.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/libexif/exif-content.c b/libexif/exif-content.c
index a80a99d..4b346b3 100644
--- a/libexif/exif-content.c
+++ b/libexif/exif-content.c
@@ -166,26 +166,24 @@ exif_content_remove_entry (ExifContent *c, ExifEntry *e)
 if (i == c->count) return;
 /* Remove the entry */
- temp = c->entries[i];
- memcpy (&c->entries[i], &c->entries[i + 1],
- sizeof (ExifEntry*) * (c->count - i - 1));
- e->parent = NULL;
- exif_entry_unref (e);
+ temp = c->entries[c->count-1];
 if (c->count > 1) {
 t = exif_mem_realloc (c->priv->mem, c->entries, sizeof(ExifEntry*) * (c->count - 1));
- if (t) {
- c->entries = t;
- c->count--;
- } else {
- /* We overwrote one entry, restore it now. */
- c->entries[c->count-1] = temp;
+ if (!t) {
+ return;
 }
+ c->entries = t;
+ c->count--;
+ memmove (&t[i], &t[i + 1], sizeof (ExifEntry*) * (c->count - i - 1));
+ t[c->count-1] = temp;
 } else {
 exif_mem_free (c->priv->mem, c->entries);
 c->entries = NULL;
 c->count = 0;
 }
+ e->parent = NULL;
+ exif_entry_unref (e);
 }
 ExifEntry *
--
2.7.4
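Review bot: Removing the last of several entries breaks the added `memmove`: it runs after `c->count--`, so when `i` was the final index `c->count - i - 1` evaluates to -1 and becomes an enormous length once converted for the size argument (the declarations of `i` and `c->count` are outside the hunk, but the result is huge whether they are signed or unsigned). That is an out-of-bounds move starting past the end of the just-shrunk array. In the same case `temp` is `e` itself, so `t[c->count-1] = temp;` overwrites the surviving entry in slot `i - 1` with a pointer that `exif_entry_unref (e)` releases a few lines later, leaving a dangling entry in `c->entries`. Both statements should only run when a slot after `i` still exists, e.g. `if (i != c->count) { memmove (&t[i], &t[i + 1], sizeof (ExifEntry*) * (c->count - i - 1)); t[c->count-1] = temp; }`, with a short comment that realloc has already dropped the last slot. The function body starts above the hunk, so the search loop that sets `i` is not visible here; a regression test that removes the last entry of a multi-entry content would pin this down.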