From: Joachim Reichel <reichel@debian.org>
Description: Fix CVE-2021-34055
Origin: https://github.com/Matthias-Wandel/jhead/commit/f0a884210cc46830b176f71fd61569adc8f230a7,
        https://github.com/Matthias-Wandel/jhead/commit/f517b319c96ad08319142dc6a3802246167893bf
Bug: https://github.com/Matthias-Wandel/jhead/issues/36
Bug-Debian: https://bugs.debian.org/1024272

Index: jhead-3.00/jhead.h
===================================================================
--- jhead-3.00.orig/jhead.h
+++ jhead-3.00/jhead.h
@@ -157,7 +157,7 @@ void FileTimeAsString(char * TimeStr);
 
 // Prototypes for exif.c functions.
 int Exif2tm(struct tm * timeptr, char * ExifTime);
-void process_EXIF (unsigned char * CharBuf, unsigned int length);
+int process_EXIF (unsigned char * CharBuf, unsigned int length);
 void ShowImageInfo(int ShowFileInfo);
 void ShowConciseImageInfo(void);
 const char * ClearOrientation(void);
Index: jhead-3.00/jpgfile.c
===================================================================
--- jhead-3.00.orig/jpgfile.c
+++ jhead-3.00/jpgfile.c
@@ -284,7 +284,10 @@ int ReadJpegSections (FILE * infile, Rea
                 // There can be different section using the same marker.
                 if (ReadMode & READ_METADATA){
                     if (memcmp(Data+2, "Exif", 4) == 0){
-                        process_EXIF(Data, itemlen);
+                        if (!process_EXIF(Data, itemlen)){
+                            // malformatted exif sections, discard.
+                            free(Sections[--SectionsRead].Data);
+                        }
                         break;
                     }else if (memcmp(Data+2, "http:", 5) == 0){
                         Sections[SectionsRead-1].Type = M_XMP; // Change tag for internal purposes.
Index: jhead-3.00/exif.c
===================================================================
--- jhead-3.00.orig/exif.c
+++ jhead-3.00/exif.c
@@ -932,7 +932,7 @@ static void ProcessExifDir(unsigned char
                         ErrNonfatal("Illegal subdirectory link in Exif header",0,0);
                     }
                 }else{
-                    if (SubdirStart <= OffsetBase+ExifLength){
+                    if (SubdirStart+2 <= OffsetBase+ExifLength){
                         if (ShowTags) printf("%s    Continued directory ",IndentString);
                         ProcessExifDir(SubdirStart, OffsetBase, ExifLength, NestingLevel+1);
                     }
@@ -978,7 +978,7 @@ static void ProcessExifDir(unsigned char
 // Process a EXIF marker
 // Describes all the drivel that most digital cameras include...
 //--------------------------------------------------------------------------
-void process_EXIF (unsigned char * ExifSection, unsigned int length)
+int process_EXIF (unsigned char * ExifSection, unsigned int length)
 {
     unsigned int FirstOffset;
 
@@ -995,7 +995,7 @@ void process_EXIF (unsigned char * ExifS
         static uchar ExifHeader[] = "Exif\0\0";
         if (memcmp(ExifSection+2, ExifHeader,6)){
             ErrNonfatal("Incorrect Exif header",0,0);
-            return;
+            return 0;
         }
     }
 
@@ -1008,21 +1008,21 @@ void process_EXIF (unsigned char * ExifS
             MotorolaOrder = 1;
         }else{
             ErrNonfatal("Invalid Exif alignment marker.",0,0);
-            return;
+            return 0;
         }
     }
 
     // Check the next value for correctness.
     if (Get16u(ExifSection+10) != 0x2a){
         ErrNonfatal("Invalid Exif start (1)",0,0);
-        return;
+        return 0;
     }
 
     FirstOffset = Get32u(ExifSection+12);
     if (FirstOffset < 8 || FirstOffset > 16){
         if (FirstOffset < 16 || length < 16 || FirstOffset > length-16){
             ErrNonfatal("invalid offset for first Exif IFD value",0,0);
-            return;
+            return 0;
         }
         // Usually set to 8, but other values valid too.
         ErrNonfatal("Suspicious offset of first Exif IFD value",0,0);
@@ -1061,6 +1061,7 @@ void process_EXIF (unsigned char * ExifS
             ImageInfo.FocalLength35mmEquiv = (int)(ImageInfo.FocalLength/ImageInfo.CCDWidth*36 + 0.5);
         }
     }
+	return 1;
 }
 
 
@@ -1209,6 +1210,7 @@ void create_EXIF(void)
 const char * ClearOrientation(void)
 {
     int a;
+
     if (NumOrientations == 0) return NULL;
 
     for (a=0;a<NumOrientations;a++){
