Fetch libexif 0.6.21 to include the security fixes.

libexif/sources/libexif/exif-entry.c

Index: libexif/sources/libexif/exif-entry.c
===================================================================
--- libexif/sources/libexif/exif-entry.c	(revision 143189)
+++ libexif/sources/libexif/exif-entry.c	(working copy)
@@ -1351,11 +1351,24 @@
 	case EXIF_TAG_XP_AUTHOR:
 	case EXIF_TAG_XP_KEYWORDS:
 	case EXIF_TAG_XP_SUBJECT:
-		/* Warning! The texts are converted from UTF16 to UTF8 */
-		/* FIXME: use iconv to convert into the locale encoding */
-		exif_convert_utf16_to_utf8(val, (unsigned short*)e->data, MIN(maxlen, e->size));
-		break;
+        {
+                /* Sanity check the size to prevent overflow */
+                if (e->size+sizeof(unsigned short) < e->size) break;
+                
+                /* The tag may not be U+0000-terminated , so make a local
+                U+0000-terminated copy before converting it */
+                unsigned short *utf16 = exif_mem_alloc (e->priv->mem, e->size+sizeof(unsigned short));
+                if (!utf16) break;
+                memcpy(utf16, e->data, e->size);
+                utf16[e->size/sizeof(unsigned short)] = 0;
 
+                /* Warning! The texts are converted from UTF16 to UTF8 */
+                /* FIXME: use iconv to convert into the locale encoding */
+                exif_convert_utf16_to_utf8(val, utf16, maxlen);
+                exif_mem_free(e->priv->mem, utf16);
+                break;
+       }
+
 	default:
 		/* Use a generic value formatting */
 		exif_entry_format_value(e, val, maxlen);