libexif-0.6.13-4.3mdv2007.1.src.rpm

--- libexif-0.6.13/libexif/exif-data.c.cve-2007-4168	2005-08-22 16:32:02.000000000 -0400
+++ libexif-0.6.13/libexif/exif-data.c	2007-06-13 15:12:22.000000000 -0400
@@ -155,7 +155,7 @@ exif_data_new_from_data (const unsigned 
 	return (edata);
 }
 
-static void
+static int
 exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
 			   const unsigned char *d,
 			   unsigned int size, unsigned int offset)
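Review bot: The new `int` return value of exif_data_load_data_entry is not documented at the signature, so a reader has to find the call site to learn that 0 means the entry must not be added. A comment above the function would cover it, for example `/* Returns 1 when the entry was loaded, 0 when it was rejected and must not be added to the content. */`. The function body continues outside this hunk.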
@@ -174,9 +174,15 @@ exif_data_load_data_entry (ExifData *dat
 	 * Size? If bigger than 4 bytes, the actual data is not
 	 * in the entry but somewhere else (offset).
 	 */
-	s = exif_format_get_size (entry->format) * entry->components;
-	if (!s)
-		return;
+        /* {0,1,2,4,8} x { 0x00000000 .. 0xffffffff }
+         *   -> { 0x000000000 .. 0x7fffffff8 } */
+        s = exif_format_get_size(entry->format) * entry->components;
+        if (s < entry->components) {
+                return 0;
+        }
+        if (0 == s)
+                return 0;
+
 	if (s > 4)
 		doff = exif_get_long (d + offset + 8, data->priv->order);
 	else
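Review bot: The wrap test `if (s < entry->components)` does not catch every overflow of the multiplication if `s` is a 32-bit unsigned int (its declaration is outside the hunk). For element sizes 4 and 8 the wrapped product can still exceed the component count; as a constructed example, 8 * 0x3fffffff wraps to 0xfffffff8, which passes the test and reaches the `s > 4` branch. The added comment points the same way, since the upper bound it gives does not fit in 32 bits. Checking before multiplying is exact: with `fs` holding the element size, `if (fs && entry->components > UINT_MAX / fs) return 0;` and then `s = fs * entry->components;`. The added lines are also indented with spaces where the surrounding context lines use tabs.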
@@ -184,7 +190,7 @@ exif_data_load_data_entry (ExifData *dat
 
 	/* Sanity check */
 	if (size < doff + s)
-		return;
+		return 0;
 
 	entry->data = exif_data_alloc (data, s);
 	if (entry->data) {
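Review bot: The sanity check `if (size < doff + s)` can wrap, because `doff` comes from the parsed file; assuming both operands are 32-bit unsigned, a large `doff` or `s` makes the sum small again and the check passes. The code that uses `doff` and `s` after the allocation lies outside this hunk, so the impact is inferred, but it would presumably access memory beyond `size` bytes of `d`. A comparison without addition closes this: `if (doff > size || s > size - doff) return 0;`.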
@@ -203,6 +209,8 @@ exif_data_load_data_entry (ExifData *dat
 					       entry->data[6]);
 		data->priv->offset_mnote = doff;
 	}
+
+	return 1;
 }
 
 static void
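Review bot: The added `return 1;` appears to be reached even when `exif_data_alloc` returned NULL, because the only handling visible for that call is the `if (entry->data) {` guard in the previous hunk and no early return is shown. If so, the caller adds an entry that has a tag and a component count but no data buffer, which defeats the point of the new return value. Returning 0 on allocation failure, for example `if (!entry->data) return 0;` directly after the allocation, keeps such entries out of the content. The lines between the hunks are not visible, so confirm against the full function.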
@@ -413,9 +421,9 @@ exif_data_load_data_content (ExifData *d
 					break;
 			}
 			entry = exif_entry_new_mem (data->priv->mem);
-			exif_data_load_data_entry (data, entry, d, ds,
-						   offset + 12 * i);
-			exif_content_add_entry (data->ifd[ifd], entry);
+			if (exif_data_load_data_entry (data, entry, d, ds,
+						       offset + 12 * i))
+				exif_content_add_entry (data->ifd[ifd], entry);
 			exif_entry_unref (entry);
 			break;
 		}