VYPR · Unrated severity · NVD Advisory · Published Apr 22, 2021 · Updated Aug 3, 2024

CVE-2021-3496

Description

A heap-based buffer overflow was found in jhead in version 3.06 in Get16u() in exif.c when processing a crafted file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 4

Patches

Vulnerability mechanics

Root cause

"Missing bounds check in Get16u() in exif.c allows reading beyond the allocated heap buffer when processing malformed EXIF metadata."

Attack vector

An attacker supplies a specially crafted JPEG file containing malformed EXIF metadata. When jhead (version 3.06) parses the file, the `ProcessCanonMakerNoteDir` function calls `Get16u()` with an offset that reads beyond the allocated heap buffer [ref_id=1]. The ASan report shows the read occurs 9 bytes to the right of a 1164-byte region allocated in `ReadJpegSections` at `jpgfile.c:175` [ref_id=1]. No authentication or special network access is required — the attacker only needs to deliver the crafted file to a victim who processes it with jhead.

Affected code

The vulnerability resides in `Get16u()` in `exif.c` and is triggered through the call chain `ProcessCanonMakerNoteDir` in `makernote.c:128:27` → `ProcessMakerNote` → `ProcessExifDir` → `process_EXIF` → `ReadJpegSections` [ref_id=1]. The ASan trace shows a heap-buffer-overflow READ of size 1 at `Get16u` when processing a crafted JPEG file [ref_id=1].

What the fix does

The bundle does not contain a patch. The advisory [ref_id=1] reports the heap-buffer-overflow in jhead 3.06 (commit 871e319) but provides no fix or remediation guidance. Based on the nature of the bug, a proper fix would require adding bounds checking in `Get16u()` (or its callers) to verify that the read offset does not exceed the allocated buffer size before dereferencing the pointer.
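The kind of bounds check described above, written out as an added example. This is not jhead's code and not the project's fix (the page reports none); it is a hypothetical hardened reader, `get16u_checked`, that takes the section base and length together with the offset instead of a bare pointer, plus an IFD walker, `ifd_entry_count_checked`, that applies the same length check to a whole directory. The `exif_section` type, both function names and the `sample_ifd` bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed type: the EXIF section as read from the file, with the length
 * that was actually allocated for it, so every read can be checked against it. */
typedef struct {
    const uint8_t *data;
    size_t len;
} exif_section;

/* Hypothetical hardened counterpart of a two-byte reader. Returns the value,
 * or -1 when the two bytes would not both lie inside the section. motorola_order
 * selects big-endian (1) or little-endian (0) byte order, as EXIF allows either. */
int get16u_checked(const exif_section *sec, size_t offset, int motorola_order)
{
    if (sec == NULL || sec->data == NULL || sec->len < 2)
        return -1;
    if (offset > sec->len - 2)          /* written this way so offset + 2 cannot wrap */
        return -1;
    const uint8_t *p = sec->data + offset;
    return motorola_order ? ((p[0] << 8) | p[1]) : ((p[1] << 8) | p[0]);
}

/* An IFD is a 16-bit entry count followed by 12-byte entries. Returns the count
 * only if the count field and every entry fit inside the section, else -1. A
 * caller that loops over the entries therefore never reads past the buffer. */
int ifd_entry_count_checked(const exif_section *sec, size_t dir_offset, int motorola_order)
{
    int n = get16u_checked(sec, dir_offset, motorola_order);
    if (n < 0)
        return -1;
    size_t need = 2 + (size_t)n * 12;   /* n <= 0xffff, so this cannot overflow */
    if (need > sec->len - dir_offset)   /* dir_offset <= len - 2 was checked above */
        return -1;
    return n;
}

/* Constructed sample: a little-endian IFD with two well-formed entries. */
static const uint8_t sample_ifd[] = {
    0x02, 0x00,                                   /* entry count = 2 */
    /* tag 0x010f, type 2 (ASCII), count 4, value offset 0x20 */
    0x0f, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
    /* tag 0x0110, type 2 (ASCII), count 4, value offset 0x24 */
    0x10, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00,
};

int main(void)
{
    exif_section full = { sample_ifd, sizeof sample_ifd };
    /* Same bytes, but only 20 of them allocated: the declared 2 entries need 26. */
    exif_section truncated = { sample_ifd, 20 };

    printf("full section: %d entries\n", ifd_entry_count_checked(&full, 0, 0));
    printf("truncated section: %d (rejected)\n", ifd_entry_count_checked(&truncated, 0, 0));
    printf("read at last byte: %d (rejected)\n",
           get16u_checked(&full, sizeof sample_ifd - 1, 0));
    return 0;
}
```

The truncated case is the shape of input the advisory describes: the directory's own count field promises more entries than the allocation holds, and the check on the total size rejects it before any entry is read.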

Preconditions

  • Input: Victim must process a crafted JPEG file with jhead 3.06
  • Auth: No authentication required
  • Network: File can be delivered locally or via any file-transfer mechanism

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
