From 53e31eeede51bba866b6224bb4ac030693e744a8 Mon Sep 17 00:00:00 2001
From: Jaeun Choi
Date: Thu, 6 Apr 2017 15:34:53 +0900
Subject: [PATCH] emile_image: add error handling code for ifd_offset value

Signed-off-by: JEONGHYUN YUN
---
 src/lib/emile/emile_image.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/lib/emile/emile_image.c b/src/lib/emile/emile_image.c
index b342e3e8be..309dbbb999 100644
--- a/src/lib/emile/emile_image.c
+++ b/src/lib/emile/emile_image.c
@@ -933,6 +933,10 @@ _get_orientation_app1(const unsigned char *map,
 {
 // get 4byte by little endian
 ifd_offset += (*(buf + 14) << 24) + (*(buf + 15) << 16) + (*(buf + 16) << 8) + (*(buf + 17));
+
+ if (ifd_offset > fsize)
+ return EINA_FALSE;
+
 byte_align = EXIF_BYTE_ALIGN_MM;
 num_directory = ((*(buf + ifd_offset) << 8) + *(buf + ifd_offset + 1));
 orientation[0] = 0x01;
@@ -942,6 +946,10 @@ _get_orientation_app1(const unsigned char *map,
 {
 // get 4byte by big endian
 ifd_offset += (*(buf + 14)) + (*(buf + 15) << 8) + (*(buf + 16) << 16) + (*(buf + 17) << 24);
+
+ if (ifd_offset > fsize)
+ return EINA_FALSE;
+
 byte_align = EXIF_BYTE_ALIGN_II;
 num_directory = ((*(buf + ifd_offset + 1) << 8) + *(buf + ifd_offset));
 orientation[0] = 0x12;
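Review bot: The added `if (ifd_offset > fsize)` guard, in both the MM and the II hunk, still lets through offsets that the very next statement reads past: `num_directory` is built from `*(buf + ifd_offset)` and `*(buf + ifd_offset + 1)`, so `ifd_offset == fsize` and `ifd_offset == fsize - 1` pass the test and read beyond the file. The offset is assembled from four bytes of the image, so it is controlled by whoever supplies the file, and the check should leave room for the two-byte read, for example `if (ifd_offset >= fsize || fsize - ifd_offset < 2) return EINA_FALSE;`. The declarations of `ifd_offset`, `buf` and `fsize` are outside the hunks, so two things need confirming: if `ifd_offset` is a signed type, a top byte of 0x80 or more shifted left by 24 can make it negative and slip under a `>` comparison, and if `buf` does not point at the start of the mapping the bound has to be taken relative to `buf` rather than to `fsize`. A one-line comment above the check, such as `// ifd_offset comes from the file: reject it unless the 2-byte directory count fits inside the mapping`, would record why it is there. The body of `_get_orientation_app1` starts and ends outside both hunks, so later reads that index from `ifd_offset` could not be reviewed here.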