From 4dca3ddb127b1031dca9a925188100de887de371 Mon Sep 17 00:00:00 2001
From: Brad Hards
Date: Tue, 19 Dec 2023 10:18:47 +1100
Subject: [PATCH] exif: protect against EXIF data overflow

Relates #1042
---
 examples/encoder_jpeg.cc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/examples/encoder_jpeg.cc b/examples/encoder_jpeg.cc
index f83b02a9d0..6a8bae163a 100644
--- a/examples/encoder_jpeg.cc
+++ b/examples/encoder_jpeg.cc
@@ -177,12 +177,11 @@ bool JpegEncoder::Encode(const struct heif_image_handle* handle,
 static const uint8_t kExifMarker = JPEG_APP0 + 1;
 uint32_t skip = (exifdata[0]<<24) | (exifdata[1]<<16) | (exifdata[2]<<8) | exifdata[3];
- skip += 4;
-
- if (skip > exifsize) {
+ if (skip > (exifsize - 4)) {
 fprintf(stderr, "Invalid EXIF data (offset too large)\n");
 return false;
 }
+ skip += 4;
 uint8_t* ptr = exifdata + skip;
 size_t size = exifsize - skip;
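Review bot: The new bound `skip > (exifsize - 4)` is only safe when `exifsize` is at least 4, and nothing in this hunk establishes that. If `exifsize` is an unsigned type (the later `size_t size = exifsize - skip;` suggests it is), a shorter EXIF blob makes the subtraction wrap to a huge value, so the check passes and `exifdata + skip` points past the buffer; the four header bytes read just above would already be out of bounds in that case. Unless a guard earlier in `JpegEncoder::Encode` (outside this hunk) already rejects short blobs, make the condition self-contained: `if (exifsize < 4 || skip > exifsize - 4) {`. A one-line comment such as `// skip is attacker-controlled; compare before adding 4 so the uint32_t sum cannot wrap` would also record why the order of the check and the `skip += 4` matters.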