libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_mnote_data_get_value function gets passed in a 0 size, the passed in-buffer would be overwritten due to an integer underflow.
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libexif | Libexif_project | * | 0.6.25 (including) |
| Libexif | Ubuntu | esm-infra-legacy/trusty | * |
| Libexif | Ubuntu | esm-infra-legacy/xenial | * |
| Libexif | Ubuntu | esm-infra/bionic | * |
| Libexif | Ubuntu | esm-infra/focal | * |
| Libexif | Ubuntu | esm-infra/xenial | * |
| Libexif | Ubuntu | jammy | * |
| Libexif | Ubuntu | noble | * |
| Libexif | Ubuntu | questing | * |
| Libexif | Ubuntu | resolute | * |
| Libexif | Ubuntu | upstream | * |