Add a failsafe on the maximum number of Canon MakerNote subtags.
A malicious file could be crafted to cause extremely large values in some
tags without tripping any buffer range checks. This is bad with the libexif
representation of Canon MakerNotes because some arrays are turned into
individual tags that the application must loop around.
The largest value I've seen for failsafe_size in a (very small) sample of valid
Canon files is <5000. The limit is set two orders of magnitude larger to avoid
tripping up falsely in case some models use much larger values.
Patch from Google.
CVE-2020-13114