libexif: fix CVE-2020-13114
authorLee Chee Yang <chee.yang.lee@intel.com>
Wed, 27 May 2020 09:47:08 +0000 (17:47 +0800)
committerSteve Sakoman <steve@sakoman.com>
Wed, 27 May 2020 22:25:46 +0000 (12:25 -1000)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-support/libexif/libexif/CVE-2020-13114.patch [new file with mode: 0644]
meta/recipes-support/libexif/libexif_0.6.21.bb

diff --git a/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
new file mode 100644 (file)
index 0000000..06b8b46
--- /dev/null
@@ -0,0 +1,73 @@
+From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 16 May 2020 19:32:30 +0200
+Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
+
+ subtags.
+
+A malicious file could be crafted to cause extremely large values in some
+tags without tripping any buffer range checks.  This is bad with the libexif
+representation of Canon MakerNotes because some arrays are turned into
+individual tags that the application must loop around.
+
+The largest value I've seen for failsafe_size in a (very small) sample of valid
+Canon files is <5000.  The limit is set two orders of magnitude larger to avoid
+tripping up falsely in case some models use much larger values.
+
+Patch from Google.
+
+CVE-2020-13114
+
+Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
+CVE: CVE-2020-13114
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..72fd7a3 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,9 @@
+ #define DEBUG
++/* Total size limit to prevent abuse by DoS */
++#define FAILSAFE_SIZE_MAX 1000000L
++
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+       ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+       ExifShort c;
+       size_t i, tcount, o, datao;
++      long failsafe_size = 0;
+       if (!n || !buf || !buf_size) {
+               exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+                       memcpy (n->entries[tcount].data, buf + dataofs, s);
+               }
++              /* Track the size of decoded tag data. A malicious file could
++               * be crafted to cause extremely large values here without
++               * tripping any buffer range checks.  This is especially bad
++               * with the libexif representation of Canon MakerNotes because
++               * some arrays are turned into individual tags that the
++               * application must loop around. */
++              failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
++
++              if (failsafe_size > FAILSAFE_SIZE_MAX) {
++                      /* Abort if the total size of the data in the tags extraordinarily large, */
++                      exif_mem_free (ne->mem, n->entries[tcount].data);
++                      exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++                                        "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
++                                        failsafe_size, FAILSAFE_SIZE_MAX);
++                      break;
++              }
++
+               /* Tag was successfully parsed */
+               ++tcount;
+       }
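Review bot: The log call added in the last inner hunk prints `failsafe_size`, declared `long`, with `%lu` while `FAILSAFE_SIZE_MAX` (`1000000L`) gets `%ld`; a signed/unsigned mismatch between a format specifier and its argument is undefined behaviour in C and is exactly what `-Wformat` flags, so the format should read `"Failsafe tag size overflow (%ld > %ld)"`. In the same branch `exif_mem_free (ne->mem, n->entries[tcount].data)` leaves the freed pointer in the entry and `++tcount` is skipped, so the slot is presumably excluded from `n->count`; adding `n->entries[tcount].data = NULL;` right after the free costs nothing and rules out a double free should a later cleanup walk the whole allocated array rather than the first `tcount` entries. The comment above the free, `Abort if the total size of the data in the tags extraordinarily large,`, is a fragment; `/* Abort: total decoded tag data is implausibly large, treat the file as crafted */` says the same thing clearly. Since the patch is marked Upstream-Status: Backport, these corrections belong in upstream libexif with the OE copy refreshed afterwards, rather than the backport diverging from commit e6a38a1a. `exif_mnote_data_canon_load` begins and ends outside the hunk, so how `n->count` is finalised after the `break` cannot be confirmed from here.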
index d847beab185a9cf541b28bcb5d5a2d630b0a5448..3f6fa32b251596a44fbcc46645598c4ba5c69950 100644 (file)
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad"
 SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
            file://CVE-2017-7544.patch \
            file://CVE-2016-6328.patch \
-           file://CVE-2018-20030.patch"
+           file://CVE-2018-20030.patch \
+           file://CVE-2020-13114.patch \
+"
 
 SRC_URI[md5sum] = "27339b89850f28c8f1c237f233e05b27"
 SRC_URI[sha256sum] = "16cdaeb62eb3e6dfab2435f7d7bccd2f37438d21c5218ec4e58efa9157d4d41a"