From cd9b6f07ea43483368ada9b5c09a22ae4a00dda7 Mon Sep 17 00:00:00 2001
From: wangkerong
Date: Tue, 18 Oct 2022 09:11:58 +0000
Subject: [PATCH] fix fuzz test error
(cherry picked from commit 8908b88d3f15e985c4cf3795f12b0b78b13cf197)
---
 backport-fuzz-stack-overflow.patch | 34 +++++++++++++++++
 backport-fuzz-timeout-and-out-of-memory.patch | 38 +++++++++++++++++++
 libexif.spec | 7 +++-
 3 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 backport-fuzz-stack-overflow.patch
 create mode 100644 backport-fuzz-timeout-and-out-of-memory.patch
diff --git a/backport-fuzz-stack-overflow.patch b/backport-fuzz-stack-overflow.patch
new file mode 100644
index 0000000..0b470c5
--- /dev/null
+++ b/backport-fuzz-stack-overflow.patch
@@ -0,0 +1,34 @@
+From 49a74b371c322a1e55e242a230a7bb577ebe065b Mon Sep 17 00:00:00 2001
+From: Marcus Meissner
+Date: Mon, 6 Sep 2021 08:42:56 +0200
+Subject: [PATCH] replace tail recursion by direct loop, in case the compiler
+ does not translate it into a tail recursion it could be used to cause stack
+ overruns (oss-fuzz)
+
+---
+ libexif/exif-loader.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libexif/exif-loader.c b/libexif/exif-loader.c
+index e376465..5c48faf 100644
+--- a/libexif/exif-loader.c
++++ b/libexif/exif-loader.c
+@@ -154,6 +154,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
+ {
+ unsigned int i;
+
++begin:
+ if (!eld || (len && !buf))
+ return 0;
+
+@@ -310,7 +311,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
+ * to read all data we need. Fill it with new data.
+ */
+ eld->b_len = 0;
+- return exif_loader_write (eld, buf, len);
++ goto begin;
+ }
+
+ ExifLoader *
+--
+2.27.0
diff --git a/backport-fuzz-timeout-and-out-of-memory.patch b/backport-fuzz-timeout-and-out-of-memory.patch
new file mode 100644
index 0000000..7c9d976
--- /dev/null
+++ b/backport-fuzz-timeout-and-out-of-memory.patch
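Review bot: With the recursion turned into `goto begin`, a pass through exif_loader_write that reaches `eld->b_len = 0;` without having advanced `buf`/`len` no longer exhausts the stack but spins forever, because the jump re-enters the same guard with the same arguments; termination now rests on the body between the two hunks (outside this hunk) having moved `buf` past the consumed bytes and reduced `len` before this point, which I cannot confirm from here. That invariant deserves a comment above the jump, e.g. `/* buf/len were advanced past the bytes consumed above, so re-entering the parser terminates once len reaches 0 -- verify */`. Re-running the `!eld || (len && !buf)` check on every iteration is harmless and matches what the recursive call did. exif_loader_write starts at the first hunk and its body continues between and past both hunks.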
@@ -0,0 +1,38 @@
+From e93be918878ab98ee45430858e96cb302ffee2bc Mon Sep 17 00:00:00 2001
+From: Marcus Meissner
+Date: Sat, 30 Jan 2021 14:06:08 +0100
+Subject: [PATCH] limit the amount of tags we allow in the makernote here.
+
+due to memory layout the max amount of 65536 tags could be used
+to exhaust lots of memory and time during parsing,
+as each tag can reuse the same memory range.
+
+(Memory usage DOS (2GB+) and compute dos (several minutes on fast machine, but not endless))
+
+This fixes OSS-FUZZ issue 27280.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27280
+---
+ libexif/olympus/exif-mnote-data-olympus.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
+index 45e4bc5..0c68d51 100644
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -419,6 +419,13 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
+ c = exif_get_short (buf + o2, n->order);
+ o2 += 2;
+
++ /* Just use an arbitrary max tag limit here to avoid needing to much memory or time. There are 150 named tags currently.
++ * The format allows specifying the same range of memory as often as it can, so this multiplies quickly. */
++ if (c > 300) {
++ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Too much tags (%d) in Olympus MakerNote", c);
++ return;
++ }
++
+ /* Remove any old entries */
+ exif_mnote_data_olympus_clear (n);
+
+--
+2.27.0
diff --git a/libexif.spec b/libexif.spec
index 13e10fa..601b094 100644
--- a/libexif.spec
+++ b/libexif.spec
@@ -1,7 +1,7 @@
 Name: libexif
 Summary: Library for extracting extra information from image files
 Version: 0.6.21
-Release: 24
+Release: 25
 License: LGPLv2+
 URL: https://libexif.github.io/
 Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
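Review bot: The new early `return` is placed before `exif_mnote_data_olympus_clear (n);`, so a MakerNote rejected for carrying more than 300 tags leaves whatever entries an earlier load stored in `n` untouched; a caller that reuses an ExifMnoteData across loads (not visible here) would then keep stale entries, so either add `exif_mnote_data_olympus_clear (n);` before the `return;` or move the clear above the check — unless the function's earlier bail-outs, which lie outside this hunk, also return without clearing and this is meant to match them. The literal 300 would read better as a named constant placed next to the comment that justifies it, e.g. `#define OLYMPUS_MNOTE_MAX_TAGS 300` and `if (c > OLYMPUS_MNOTE_MAX_TAGS) {`, so the limit is not duplicated if the check is ever mirrored in the other MakerNote parsers. The log text `"Too much tags (%d) in Olympus MakerNote"` should read `"Too many tags (%d) in Olympus MakerNote"`. exif_mnote_data_olympus_load starts before this hunk and continues after it.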
@@ -21,6 +21,8 @@ Patch6010: backport-CVE-2020-13112.patch
 Patch6011: backport-CVE-2019-9278.patch
 Patch6012: backport-CVE-2020-0181_CVE-2020-0198.patch
 Patch6013: backport-CVE-2020-0093.patch
+Patch6014: backport-fuzz-stack-overflow.patch
+Patch6015: backport-fuzz-timeout-and-out-of-memory.patch
 BuildRequires: autoconf automake doxygen gettext-devel libtool pkgconfig git
@@ -78,6 +80,9 @@ make check
 %doc libexif-api.html NEWS
 %changelog
+* Tue Oct 18 2022 wangkerong - 0.6.21-25
+- fix fuzz test error
+
 * Mon Oct 17 2022 wangkerong - 0.6.21-24
 - fix CVE-2019-9278,CVE-2020-0181,CVE-2020-0198,CVE-2020-0093