From cdf1e32cb71c22c3df5d806d74384b3189008a47 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Sun, 17 May 2020 10:20:15 +0200
Subject: [PATCH] handle illegal offsets earlier

Bail out if an offset runs over the datasize.

fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20065&q=libexif&can=2
---
 libexif/exif-data.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 65ae93d..8b280d3 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -448,6 +448,11 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
 		case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
 			o = exif_get_long (d + offset + 12 * i + 8,
 					   data->priv->order);
+			if (o >= ds) {
+				exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+					  "Tag data past end of buffer (%u > %u)", offset+2, ds);
+				return;
+			}
 			/* FIXME: IFD_POINTER tags aren't marked as being in a
 			 * specific IFD, so exif_tag_get_name_in_ifd won't work
 			 */
-- 
2.7.4