From f9bb9f263fb00f0603ecbefa8957cad24168cbff Mon Sep 17 00:00:00 2001
From: Dan Fandrich <dan@coneharvesters.com>
Date: Wed, 4 Jul 2018 11:06:09 +0200
Subject: [PATCH] Fix a buffer read overflow in exif_entry_get_value

While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
the end of a heap buffer. This was detected by the OSS Fuzz project.
Patch from Google.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7344 and
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14543
---
 libexif/exif-entry.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
index 61260d3c..a224ac2e 100644
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
@@ -1040,12 +1040,12 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
 		d = 0.;
 		entry = exif_content_get_entry (
 			e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
-		if (entry && entry->data &&
+		if (entry && entry->data && entry->size >= 7 &&
 		    !strncmp ((char *)entry->data, "Minolta", 7)) {
 			entry = exif_content_get_entry (
 					e->parent->parent->ifd[EXIF_IFD_0],
 					EXIF_TAG_MODEL);
-			if (entry && entry->data) {
+			if (entry && entry->data && entry->size >= 8) {
 				if (!strncmp ((char *)entry->data, "DiMAGE 7", 8))
 					d = 3.9;
 				else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8))