Description: Fix security issue CVE-2012-2841
Author: Dan Fandrich <dan@coneharvesters.com>
Origin: backport
Bug-Debian: http://bugs.debian.org/681454
Applied-Upstream: 0.6.21
Forwarded: not-needed
Last-Update: 2012-07-17
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
@@ -861,14 +861,15 @@
 	 */
 	bindtextdomain (GETTEXT_PACKAGE, LOCALEDIR);
 
+	if (!e || !e->parent || !e->parent->parent || !maxlen)
+		return val;
+
 	/* make sure the returned string is zero terminated */
 	memset (val, 0, maxlen);
 	maxlen--;
 	memset (b, 0, sizeof (b));
 
 	/* We need the byte order */
-	if (!e || !e->parent || !e->parent->parent)
-		return val;
 	o = exif_data_get_byte_order (e->parent->parent);
 
 	/* Sanity check */
@@ -926,17 +927,16 @@
 
 		/*
 		 * If we reach this point, the tag does not
-		 * comply with the standard and seems to contain data.
+ 		 * comply with the standard but seems to contain data.
 		 * Print as much as possible.
 		 */
 		exif_entry_log (e, EXIF_LOG_CODE_DEBUG,
-			_("Tag UserComment does not comply "
-			"with standard but contains data."));
-		for (; (i < e->size)  && (strlen (val) < maxlen - 1); i++) {
+			_("Tag UserComment contains data but is "
+			  "against specification."));
+ 		for (j = 0; (i < e->size) && (j < maxlen); i++, j++) {
 			exif_entry_log (e, EXIF_LOG_CODE_DEBUG,
 				_("Byte at position %i: 0x%02x"), i, e->data[i]);
-			val[strlen (val)] =
-				isprint (e->data[i]) ? e->data[i] : '.';
+ 			val[j] = isprint (e->data[i]) ? e->data[i] : '.';
 		}
 		break;
 
