$OpenBSD: patch-libexif_exif-data_c,v 1.1 2008/11/05 13:11:14 jasper Exp $

Fix for CVE-2007-6351: Integer overflow.

--- libexif/exif-data.c.orig	Wed Nov  5 14:04:58 2008
+++ libexif/exif-data.c	Wed Nov  5 14:05:25 2008
@@ -288,10 +288,10 @@ static void
 exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
 			       unsigned int ds, ExifLong offset, ExifLong size)
 {
-	if (ds < offset + size) {
+	if ((ds < offset + size) || (offset > ds)) {
 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
-			  "Bogus thumbnail offset and size: %i < %i + %i.",
-			  (int) ds, (int) offset, (int) size);
+			  "Bogus thumbnail offset (%u) or size (%u).",
+			  offset, size);
 		return;
 	}
 	if (data->data) 
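Review bot: The new guard `(ds < offset + size) || (offset > ds)` still computes `offset + size` in unsigned arithmetic, so with an in-range `offset` a sufficiently large `size` can wrap the sum to a small value and pass both tests. A form that cannot wrap compares `size` against the space remaining after `offset`: `if ((offset > ds) || (size > ds - offset)) {`. The body of exif_data_load_data_thumbnail continues past the end of this hunk, so how `size` is consumed is not visible here; presumably it is the length of the thumbnail copy, which is what makes the bound matter. The reworded debug message also drops `ds`, and keeping it, for example `"Bogus thumbnail offset (%u) or size (%u) for data size %u."`, would make rejected files easier to triage from logs.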
@@ -314,7 +314,7 @@ if ((i) == ifd) {				\
 }							\
 if (data->ifd[(i)]->count) {				\
 	exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG,	\
-		"ExifData", "Attemt to load IFD "	\
+		"ExifData", "Attempt to load IFD "	\
 		"'%s' multiple times detected. "	\
 		"Skipping...",				\
 		exif_ifd_get_name (i));			\
