From 5444fcea3365f2711ca4798ed3b6df4dd6ac398a Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Sun, 28 Nov 2021 14:34:35 +0000
Subject: [PATCH 1/2] Regression test for https://github.com/Exiv2/exiv2/issues/2006
---
 test/data/issue_2006_poc.tiff | Bin 0 -> 144 bytes
 tests/bugfixes/github/test_issue_2006.py | 21 +++++++++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 test/data/issue_2006_poc.tiff
 create mode 100644 tests/bugfixes/github/test_issue_2006.py
diff --git a/test/data/issue_2006_poc.tiff b/test/data/issue_2006_poc.tiff
new file mode 100644
index 0000000000000000000000000000000000000000..8030b512d1147834c1f120992b9d0748cc74adbf
GIT binary patch literal 144 zcmebEWzb?^VBl2%0R}J$BN+J^n1E6WKy0A!A1WG fF%zH=Og+pHRGOiWffJ~N1&A9UG7StclOcQnHxn7n literal 0 HcmV?d00001
diff --git a/tests/bugfixes/github/test_issue_2006.py b/tests/bugfixes/github/test_issue_2006.py
new file mode 100644
index 00000000..3a67e86c
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_2006.py
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+class PanasonicMakerPrintAccelerometerIntOverflow(metaclass=CaseMeta):
+ """
+ Regression test for the bug described in:
+ https://github.com/Exiv2/exiv2/issues/2006
+ """
+ url = "https://github.com/Exiv2/exiv2/issues/2006"
+
+ filename = path("$data_path/issue_2006_poc.tiff")
+ commands = ["$exiv2 -q -PE $filename"]
+ stderr = [""]
+ stdout = ["""Exif.Image.Make Ascii 32 Panasonic
+Exif.Image.DNGPrivateData 0x2020 32 80 97 110 97 115 111 110 105 99 32 32 32 0 32 32 255 32 32 32 32 32 255 255 255 32 255 255 198 52 32 32 0
+Exif.MakerNote.Offset Long 1 48
+Exif.MakerNote.ByteOrder Ascii 3 MM
+Exif.Panasonic.AccelerometerY SLong 4 2147483425
+"""]
+ retval = [0]
From 35f48ae5c934d20e8866c8f6ef479588ddd78012 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Sun, 28 Nov 2021 14:41:22 +0000
Subject: [PATCH 2/2] Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41438 Replace weird sign-conversion code with a simple static_cast.
---
 src/panasonicmn_int.cpp | 16 ++++++----------
 tests/bugfixes/github/test_issue_2006.py | 2 +-
 2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/src/panasonicmn_int.cpp b/src/panasonicmn_int.cpp
index 617c5d20..a95fa10b 100644
--- a/src/panasonicmn_int.cpp
+++ b/src/panasonicmn_int.cpp
@@ -691,17 +691,15 @@ namespace Exiv2 {
 
 std::ostream& PanasonicMakerNote::printAccelerometer(std::ostream& os, const Value& value, const ExifData*)
 {
- // value is stored as unsigned int, but should be readed as signed int, so manually convert it
- int i = value.toLong();
- i = i - ((i & 0x8000) >> 15) * 0xffff;
+ // value is stored as unsigned int, but should be read as int16_t.
+ const int16_t i = static_cast(value.toLong());
 return os << i;
 } // PanasonicMakerNote::printAccelerometer
 
 std::ostream& PanasonicMakerNote::printRollAngle(std::ostream& os, const Value& value, const ExifData*)
 {
- // roll angle is stored as signed int, but tag states to be unsigned int
- int i = value.toLong();
- i = i - ((i & 0x8000) >> 15) * 0xffff;
+ // value is stored as unsigned int, but should be read as int16_t.
+ const int16_t i = static_cast(value.toLong());
 std::ostringstream oss;
 oss.copyfmt(os);
 os << std::fixed << std::setprecision(1) << i / 10.0;
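Review bot: The new cast in printAccelerometer and printRollAngle is applied to whatever the file supplies, with no check of the value's type or component count before `value.toLong()`. The regression PoC declares the tag as a 4-component SLong, and after this change it is reduced to its low 16 bits and printed as an ordinary reading (-224), so malformed metadata becomes indistinguishable from valid data; narrowing an out-of-range value to `int16_t` is also implementation-defined before C++20, though modular on common compilers. Consider printing the raw value when the tag does not have the expected shape, e.g. `if (value.count() != 1) return os << value;` ahead of the cast (a type check could be added as well if the tag table pins the type, which is not visible here). The same applies to printPitchAngle in the next hunk; printRollAngle's body continues past the end of this hunk.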
@@ -712,10 +710,8 @@ namespace Exiv2 {
 
 std::ostream& PanasonicMakerNote::printPitchAngle(std::ostream& os, const Value& value, const ExifData*)
 {
- // pitch angle is stored as signed int, but tag states to be unsigned int
- // change sign to be compatible with ExifTool: positive is upwards
- int i = value.toLong();
- i = i - ((i & 0x8000) >> 15) * 0xffff;
+ // value is stored as unsigned int, but should be read as int16_t.
+ const int16_t i = static_cast(value.toLong());
 std::ostringstream oss;
 oss.copyfmt(os);
 os << std::fixed << std::setprecision(1) << -i / 10.0;
diff --git a/tests/bugfixes/github/test_issue_2006.py b/tests/bugfixes/github/test_issue_2006.py
index 3a67e86c..46b00bd5 100644
--- a/tests/bugfixes/github/test_issue_2006.py
+++ b/tests/bugfixes/github/test_issue_2006.py
@@ -16,6 +16,6 @@ class PanasonicMakerPrintAccelerometerIntOverflow(metaclass=CaseMeta):
 Exif.Image.DNGPrivateData 0x2020 32 80 97 110 97 115 111 110 105 99 32 32 32 0 32 32 255 32 32 32 32 32 255 255 255 32 255 255 198 52 32 32 0
 Exif.MakerNote.Offset Long 1 48
 Exif.MakerNote.ByteOrder Ascii 3 MM
-Exif.Panasonic.AccelerometerY SLong 4 2147483425
+Exif.Panasonic.AccelerometerY SLong 4 -224
 """]
 retval = [0]
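Review bot: The rewritten comment in printPitchAngle drops the explanation of the sign flip, while the output line still prints `-i / 10.0`. Without it the negation looks like a mistake next to printRollAngle, which prints `i / 10.0`. I would keep the removed line, `// change sign to be compatible with ExifTool: positive is upwards`, directly above the output statement. The negation itself is safe, since `i` is promoted to `int` before the unary minus and -32768 therefore cannot overflow. The function body continues outside the hunk.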