From 5ae5973bed1947f4d447dc80b76d5cefadd90133 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Sat, 16 May 2020 16:47:42 +0200
Subject: [PATCH] libexif: Fix read buffer overflow (CVE-2020-0093)

Make sure the number of bytes being copied from doesn't exceed the source buffer size. From Android repo: https://android.googlesource.com/platform/external/libexif/+/0335ffc17f9b9a4831c242bb08ea92f605fde7a6%5E%21/#F0 Test: testPocBug_148705132 Bug: 148705132 fixes https://github.com/libexif/libexif/issues/42
---
 libexif/exif-data.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 6332cd1a..65ae93d5 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -308,7 +308,9 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
 /* Write the data. Fill unneeded bytes with 0. Do not crash with
 * e->data is NULL */
 if (e->data) {
- memcpy (*d + 6 + doff, e->data, s);
+ unsigned int len = s;
+ if (e->size < s) len = e->size;
+ memcpy (*d + 6 + doff, e->data, len);
 } else {
 memset (*d + 6 + doff, 0, s);
 }