Description: Fix security issue CVE-2012-2813
Author: Dan Fandrich <dan@coneharvesters.com>
Origin: backport
Bug-Debian: http://bugs.debian.org/681454
Applied-Upstream: 0.6.21
Forwarded: not-needed
Last-Update: 2012-07-17
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
@@ -1345,10 +1345,23 @@
 	case EXIF_TAG_XP_AUTHOR:
 	case EXIF_TAG_XP_KEYWORDS:
 	case EXIF_TAG_XP_SUBJECT:
+	{
+		/* Sanity check the size to prevent overflow */
+		if (e->size+sizeof(unsigned short) < e->size) break;
+
+		/* The tag may not be U+0000-terminated , so make a local
+		   U+0000-terminated copy before converting it */
+		unsigned short *utf16 = exif_mem_alloc (e->priv->mem, e->size+sizeof(unsigned short));
+		if (!utf16) break;
+		memcpy(utf16, e->data, e->size);
+		utf16[e->size/sizeof(unsigned short)] = 0;
+
 		/* Warning! The texts are converted from UTF16 to UTF8 */
 		/* FIXME: use iconv to convert into the locale encoding */
-		exif_convert_utf16_to_utf8(val, (unsigned short*)e->data, MIN(maxlen, e->size));
+		exif_convert_utf16_to_utf8(val, utf16, maxlen);
+		exif_mem_free(e->priv->mem, utf16);
 		break;
+	}
 
 	default:
 		/* Use a generic value formatting */
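Review bot: The overflow guard on the first added line compares `e->size+sizeof(unsigned short)` against `e->size`, but that sum is evaluated in `size_t`; if `e->size` is a narrower unsigned type (its use as a byte count suggests it may be) the addition cannot wrap on 64-bit targets and the check never fires, while the same sum may still be truncated when passed to `exif_mem_alloc` if that function takes a 32-bit length, leaving the `memcpy` two lines later to copy `e->size` bytes into a smaller buffer. The types of `e->size` and of the allocator's length parameter are not visible in this hunk, so this needs confirming against the headers; a width-independent form is to test against the limit of the narrower type, e.g. `if (e->size > UINT_MAX - sizeof(unsigned short)) break;` (requires `<limits.h>`), or to stage the requested size in a local of the allocator's parameter type and break when it is not greater than `e->size`. Separately, the declaration of `utf16` follows a statement inside the braced case, which is C99-only; acceptable if the build already requires C99. The enclosing switch begins before the hunk.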
