From 1998e2c6d2c7bb16850e0c7871dc83f12a96d936 Mon Sep 17 00:00:00 2001
From: heckflosse
Date: Mon, 9 Jan 2017 15:34:18 +0100
Subject: [PATCH] Crash when opening JPEG file with corrupted metadata, fixes #3602

---
 rtexif/stdattribs.cc | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/rtexif/stdattribs.cc b/rtexif/stdattribs.cc
index 2bd7a60f7..38e7f4b25 100644
--- a/rtexif/stdattribs.cc
+++ b/rtexif/stdattribs.cc
@@ -445,11 +445,16 @@
 public:
     UserCommentInterpreter () {}
     virtual std::string toString (Tag* t) {
-        char *buffer = new char[t->getCount()];
+        int count = t->getCount();
+        if(count <= 8) {
+            return "";
+        }
 
-        if (!strncmp((char*)t->getValue(), "ASCII\0\0\0", 8)) {
-            strncpy (buffer, (char*)t->getValue() + 8, t->getCount() - 8);
-            buffer[t->getCount() - 8] = '\0';
+        char *buffer = new char[count - 7];
+
+        if (!strncmp((char*)t->getValue(), "ASCII\0\0\0", 8)) { // TODO: this compares only up to the first \0, remaining \0\0 are ignored
+            strncpy (buffer, (char*)t->getValue() + 8, count - 8);
+            buffer[count - 8] = '\0';
         } else {
             buffer[0] = 0;
         }
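Review bot: The TODO left on the new `strncmp` line can be resolved in the same change: `strncmp` stops at the first NUL in either operand, so only the five bytes `ASCII` are compared and a character-code field such as `ASCII\0XY` is accepted as well-formed; because the new `count <= 8` guard guarantees at least eight readable bytes, `if (memcmp(t->getValue(), "ASCII\0\0\0", 8) == 0) {` checks the whole field without any extra bounds work. The boundary itself looks right: a tag whose eight-byte character code is its only content now yields an empty comment instead of a zero-length `new char[0]`. The `new char[count - 7]` / `strncpy` / manual terminator sequence could also be collapsed into a direct `std::string` construction from `(const char*)t->getValue() + 8` with length `strnlen(..., count - 8)`, which keeps the same first-NUL truncation that the later `std::string(buffer)` presumably applies while removing the owning raw pointer; the remainder of toString, including the `delete[]` and the return, lies outside this hunk so that part would need to be checked with it.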