File CVE-2021-34334.patch of Package exiv2.26596
From 97c4880882d87aee77809b4b6e8fb4a5558e4ca2 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Tue, 6 Jul 2021 18:15:40 +0100
Subject: [PATCH] Extra checking to prevent the loop counter from wrapping
around.
Index: exiv2-0.26/src/crwimage.cpp
===================================================================
--- exiv2-0.26.orig/src/crwimage.cpp
+++ exiv2-0.26/src/crwimage.cpp
@@ -35,6 +35,7 @@ EXIV2_RCSID("@(#) $Id$")
#include "crwimage.hpp"
#include "crwimage_int.hpp"
#include "error.hpp"
+#include "enforce.hpp"
#include "futils.hpp"
#include "value.hpp"
#include "tags.hpp"
@@ -1015,12 +1016,16 @@ namespace Exiv2 {
assert(ifdId != ifdIdNotSet);
std::string groupName(Internal::groupName(ifdId));
+ const uint32_t component_size = ciffComponent.size();
+ enforce(component_size % 2 == 0, kerCorruptedMetadata);
+ enforce(component_size/2 <= static_cast<uint32_t>(std::numeric_limits<uint16_t>::max()), kerCorruptedMetadata);
+ const uint16_t num_components = static_cast<uint16_t>(component_size/2);
uint16_t c = 1;
- while (uint32_t(c)*2 < ciffComponent.size()) {
+ while (c < num_components) {
uint16_t n = 1;
ExifKey key(c, groupName);
UShortValue value;
- if (ifdId == canonCsId && c == 23 && ciffComponent.size() > 50) n = 3;
+ if (ifdId == canonCsId && c == 23 && component_size >= 52) n = 3;
value.read(ciffComponent.pData() + c*2, n*2, byteOrder);
image.exifData().add(key, &value);
if (ifdId == canonSiId && c == 21) aperture = value.toLong();
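Review bot: `std::numeric_limits` is used in the second `enforce` call, but the include hunk adds only `enforce.hpp`, so this builds only if another header already pulls in `<limits>`; adding `#include <limits>` beside the new include would make that explicit. The bounds reasoning is also undocumented, and a later edit to `n` or to the loop condition could reintroduce the wrap without anyone noticing. I would put a comment above the new checks such as `// size must be even and size/2 must fit in uint16_t, otherwise c can wrap and the read below runs past pData()`. A second comment on the `c == 23` line should note that three shorts at byte offset 46 need 52 bytes. The loop body continues past the end of the hunk, so the statement that advances `c` is not visible here and should be checked against the same bound.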