From 46db07a221d693d4a280e8b63a12496bfa5a7e4b Mon Sep 17 00:00:00 2001
From: Brad Hards
Date: Fri, 1 Dec 2023 16:50:06 +1100
Subject: [PATCH] exif: protected against large offset values Resolves #1042
---
 examples/encoder_png.cc | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/examples/encoder_png.cc b/examples/encoder_png.cc
index a24b0593ea..8b918f96e9 100644
--- a/examples/encoder_png.cc
+++ b/examples/encoder_png.cc
@@ -117,15 +117,16 @@ bool PngEncoder::Encode(const struct heif_image_handle* handle,
 if (exifdata) {
 if (exifsize > 4) {
 uint32_t skip = (exifdata[0]<<24) | (exifdata[1]<<16) | (exifdata[2]<<8) | exifdata[3];
- skip += 4;
+ if (skip < (exifsize - 4)) {
+ skip += 4;
+ uint8_t* ptr = exifdata + skip;
+ size_t size = exifsize - skip;
 
- uint8_t* ptr = exifdata + skip;
- size_t size = exifsize - skip;
+ // libheif by default normalizes the image orientation, so that we have to set the EXIF Orientation to "Horizontal (normal)"
+ modify_exif_orientation_tag_if_it_exists(ptr, (int)size, 1);
 
- // libheif by default normalizes the image orientation, so that we have to set the EXIF Orientation to "Horizontal (normal)"
- modify_exif_orientation_tag_if_it_exists(ptr, (int)size, 1);
-
- png_set_eXIf_1(png_ptr, info_ptr, (png_uint_32)size, ptr);
+ png_set_eXIf_1(png_ptr, info_ptr, (png_uint_32)size, ptr);
+ }
 }
 
 free(exifdata);
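Review bot: The new guard `if (skip < (exifsize - 4))` only guarantees that a single byte remains after the offset, so `modify_exif_orientation_tag_if_it_exists(ptr, (int)size, 1)` and `png_set_eXIf_1` can still receive a buffer much shorter than a TIFF header. Whether the helper bounds-checks every read against `size` is not visible in this hunk and should be confirmed. The `(int)size` cast also narrows the length, so a payload above `INT_MAX` would reach the helper as a negative size; adding `&& (exifsize - 4 - skip) <= INT_MAX` to the same condition would rule that out explicitly. A rejected offset now drops the EXIF block silently, so a comment such as `// first 4 bytes: big-endian offset to the TIFF header; EXIF is skipped if it points outside the buffer` would record the intent. `PngEncoder::Encode` starts and ends outside the hunk, so `exifsize` is assumed here to be an unsigned type.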