From ccc61e70ee8f87868797be6451e2d32a4d1c1d79 Mon Sep 17 00:00:00 2001
From: Jan Grulich
Date: Thu, 7 May 2026 08:21:29 +0000
Subject: [PATCH] Fix integer underflow in MakerNote decoding (CVE-2026-40386)
Resolves: RHEL-170241
---
fixed-2-unsigned-integer-underflows.patch | 41 +++++++++++++++++++++++
libexif.spec | 10 +++++-
2 files changed, 50 insertions(+), 1 deletion(-)
create mode 100644 fixed-2-unsigned-integer-underflows.patch
diff --git a/fixed-2-unsigned-integer-underflows.patch b/fixed-2-unsigned-integer-underflows.patch
new file mode 100644
index 0000000..4c21e61
--- /dev/null
+++ b/fixed-2-unsigned-integer-underflows.patch
@@ -0,0 +1,41 @@
+From dc6eac6e9655d14d0779d99e82d0f5f442d2f34b Mon Sep 17 00:00:00 2001
+From: Marcus Meissner
+Date: Thu, 2 Apr 2026 13:26:31 +0200
+Subject: [PATCH] fixed 2 unsigned integer underflows
+
+this could cause crashes or data leaks.
+
+Reported-by: Kerwin
+---
+ libexif/fuji/exif-mnote-data-fuji.c | 2 +-
+ libexif/olympus/exif-mnote-data-olympus.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c
+index c28c541..2dcb877 100644
+--- a/libexif/fuji/exif-mnote-data-fuji.c
++++ b/libexif/fuji/exif-mnote-data-fuji.c
+@@ -70,7 +70,7 @@ exif_mnote_data_fuji_get_value (ExifMnoteData *d, unsigned int i, char *val, uns
+ ExifMnoteDataFuji *n = (ExifMnoteDataFuji *) d;
+
+ if (!d || !val) return NULL;
+- if (i > n->count -1) return NULL;
++ if (i >= n->count) return NULL;
+ /*
+ exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataFuji",
+ "Querying value for tag '%s'...",
+diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
+index a57af17..428f365 100644
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -78,7 +78,7 @@ exif_mnote_data_olympus_get_value (ExifMnoteData *d, unsigned int i, char *val,
+ ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) d;
+
+ if (!d || !val) return NULL;
+- if (i > n->count -1) return NULL;
++ if (i >= n->count) return NULL;
+ /*
+ exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
+ "Querying value for tag '%s'...",
+--
+2.53.0
diff --git a/libexif.spec b/libexif.spec
index 064747d..fa44268 100644
--- a/libexif.spec
+++ b/libexif.spec
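Review bot: The imported patch corrects the index check only in `exif_mnote_data_fuji_get_value` and `exif_mnote_data_olympus_get_value`; whether any other MakerNote backend in the 0.6.24 tarball still carries the `i > n->count -1` comparison is not visible from this commit, so a quick `grep -rn 'count *- *1' libexif/` over the unpacked source is worth doing before the build ships. Going by the patch subject, `count` is unsigned (its declaration is outside the hunk), so with `count` equal to 0 the old expression wrapped to the maximum value and no index was ever rejected; `i >= n->count` closes that case. Both function bodies continue past the inner hunks, so the entry access this check guards is not shown here. The commit also adds no regression input to the package's test step, such as a MakerNote with zero entries queried at index 0.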
@@ -1,11 +1,15 @@ Summary: Library for extracting extra information from image files Name: libexif Version: 0.6.24 -Release: 9%{?dist} +Release: 10%{?dist} License: LGPL-2.1-or-later URL: https://libexif.github.io/ Source0: https://github.com/libexif/libexif/releases/download/v%{version}/libexif-%{version}.tar.bz2 +# CVE-2026-40386 +# https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b +Patch: fixed-2-unsigned-integer-underflows.patch + BuildRequires: autoconf BuildRequires: automake BuildRequires: doxygen @@ -74,6 +78,10 @@ rm -rf %{buildroot}%{_datadir}/doc/libexif %changelog +* Thu May 07 2026 Jan Grulich - 0.6.24-10 +- Fix integer underflow in MakerNote decoding (CVE-2026-40386) + Resolves: RHEL-170241 + * Tue Oct 29 2024 Troy Dawson - 0.6.24-9 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018