From ca8b64a0007cb8e895e45301ed361624fac0b017 Mon Sep 17 00:00:00 2001
From: Brad Hards
Date: Fri, 1 Dec 2023 16:50:06 +1100
Subject: [PATCH] exif: protected against large offset values

Resolves #1042
---
 examples/encoder_png.cc | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/examples/encoder_png.cc b/examples/encoder_png.cc
index a24b0593ea0..30214207dde 100644
--- a/examples/encoder_png.cc
+++ b/examples/encoder_png.cc
@@ -118,14 +118,15 @@ bool PngEncoder::Encode(const struct heif_image_handle* handle,
 if (exifsize > 4) {
 uint32_t skip = (exifdata[0]<<24) | (exifdata[1]<<16) | (exifdata[2]<<8) | exifdata[3];
 skip += 4;
+ if (skip < exifsize) {
+ uint8_t* ptr = exifdata + skip;
+ size_t size = exifsize - skip;
 
- uint8_t* ptr = exifdata + skip;
- size_t size = exifsize - skip;
+ // libheif by default normalizes the image orientation, so that we have to set the EXIF Orientation to "Horizontal (normal)"
+ modify_exif_orientation_tag_if_it_exists(ptr, (int)size, 1);
 
- // libheif by default normalizes the image orientation, so that we have to set the EXIF Orientation to "Horizontal (normal)"
- modify_exif_orientation_tag_if_it_exists(ptr, (int)size, 1);
-
- png_set_eXIf_1(png_ptr, info_ptr, (png_uint_32)size, ptr);
+ png_set_eXIf_1(png_ptr, info_ptr, (png_uint_32)size, ptr);
+ }
 }
 
 free(exifdata);
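Review bot: The new bound check runs after `skip += 4;`, so a stored offset of 0xFFFFFFFC or above wraps the `uint32_t` around to 0–3 and still passes `if (skip < exifsize)`. In that case `ptr` stays inside the buffer but lands in the 4-byte offset prefix instead of on the TIFF header, and that misaligned data is handed to `modify_exif_orientation_tag_if_it_exists` and `png_set_eXIf_1`. Comparing before the addition closes the gap: `if (skip < exifsize - 4) {` with `skip += 4;` moved inside the block, which cannot underflow because the outer `exifsize > 4` test already holds. Separately, `(int)size` narrows a `size_t`; EXIF blocks presumably never approach INT_MAX, but an explicit check would make that assumption visible. `PngEncoder::Encode` begins and ends outside this hunk.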