The branch, master has been updated
via 647138334abd6ea001a16a768eb12cc4156db5f9 (commit)
via 88e04205b39ebc2fb6d5c78733e490aa5f5e69bb (commit)
via 742b0d4675a977c0cf67c306df95b4ef9aff7e36 (commit)
from c373636f554579340c7b1f46c42cc3a6989a7da6 (commit)
- Log -----------------------------------------------------------------
commit 647138334abd6ea001a16a768eb12cc4156db5f9
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 18 02:25:32 2025 +0200
Commit: Leo Izen <[email protected]>
CommitDate: Thu Sep 18 11:06:16 2025 +0000
avcodec/exif: check count in exif_decode_tag()
Fixes: out of array access
Fixes: integer overflow
Fixes: poc_heap_bof
Found-by: *2ourc3 (Salim LARGO)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exif.c b/libavcodec/exif.c
index a953252da0..e7aa9b8d8f 100644
--- a/libavcodec/exif.c
+++ b/libavcodec/exif.c
@@ -477,7 +477,7 @@ static int exif_decode_tag(void *logctx, GetByteContext
*gb, int le,
"payload: %" PRIu32 "\n", entry->id, type,
count, tell, payload);
/* AV_TIFF_IFD is the largest, numerically */
- if (type > AV_TIFF_IFD)
+ if (type > AV_TIFF_IFD || count >= INT_MAX/8U)
return AVERROR_INVALIDDATA;
is_ifd = type == AV_TIFF_IFD || ff_tis_ifd(entry->id) || entry->id ==
MAKERNOTE_TAG;
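Review bot: the new `count >= INT_MAX/8U` bound in the `if` is a magic number with no explanation in the hunk; it presumably caps count so that count times the largest TIFF element size (8 bytes, for DOUBLE and the RATIONAL types) cannot overflow an int, but a reader of the code cannot tell. Suggest a comment beside the existing `/* AV_TIFF_IFD is the largest, numerically */`, for example `/* 8 is the largest element size; keep count * size below INT_MAX */`, or better, derive the limit from the per-type element size so the check is exact rather than worst-case. The unsigned `8U` makes the comparison unsigned, which matches count being printed with PRIu32 in the log call above. A follow-up worth considering: a count this large cannot fit in the remaining input anyway, so a comparison against bytestream2_get_bytes_left(gb) would reject the same data for a self-documenting reason.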
commit 88e04205b39ebc2fb6d5c78733e490aa5f5e69bb
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Sep 13 13:53:53 2025 +0200
Commit: Leo Izen <[email protected]>
CommitDate: Thu Sep 18 11:06:16 2025 +0000
avcodec/exif: Do not leave uninitialized pointers on errors in exif_clone_entry()
No testcase, but this looks like it could free garbage pointers
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exif.c b/libavcodec/exif.c
index dbbd5acd1c..a953252da0 100644
--- a/libavcodec/exif.c
+++ b/libavcodec/exif.c
@@ -950,6 +950,8 @@ static int exif_clone_entry(AVExifEntry *dst, const
AVExifEntry *src)
{
int ret = 0;
+ memset(dst, 0, sizeof(*dst));
+
dst->count = src->count;
dst->id = src->id;
dst->type = src->type;
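Review bot: the reason for the new memset() at the top of exif_clone_entry() is not stated in the code, and next to the field-by-field assignments that follow it looks redundant; suggest a comment such as `/* zero dst so error paths can safely free its pointer members */`. Also confirm that <string.h> is included in this file, since memset is not otherwise used in the visible lines. The commit message says there is no testcase; a test that drives this function through an error return would keep the garbage-pointer free from regressing.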
commit 742b0d4675a977c0cf67c306df95b4ef9aff7e36
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Sep 13 14:00:55 2025 +0200
Commit: Leo Izen <[email protected]>
CommitDate: Thu Sep 18 11:06:16 2025 +0000
avcodec/exif: Use av_fast_mallocz() in av_exif_clone_ifd()
Using fast realloc leaves the entries uninitialized and frees garbage pointers on errors
Fixes: bug_triggering_file
Found-by: *2ourc3, 5pider
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exif.c b/libavcodec/exif.c
index f9ad3e1bdb..dbbd5acd1c 100644
--- a/libavcodec/exif.c
+++ b/libavcodec/exif.c
@@ -1151,7 +1151,7 @@ AVExifMetadata *av_exif_clone_ifd(const AVExifMetadata
*ifd)
size_t required_size;
if (av_size_mult(ret->count, sizeof(*ret->entries), &required_size) <
0)
goto fail;
- ret->entries = av_fast_realloc(NULL, &ret->size, required_size);
+ av_fast_mallocz(&ret->entries, &ret->size, required_size);
if (!ret->entries)
goto fail;
}
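Review bot: av_fast_mallocz() returns void and resets the buffer pointer to NULL on failure, so the `if (!ret->entries)` check that follows is the right failure test; but the fix relies on two preconditions that the hunk does not state. The function reads both *ptr and *size before deciding whether to allocate, so ret->entries must be NULL (or a genuine earlier buffer) and ret->size must be initialized and of type unsigned int, matching the parameter; the old call passed NULL explicitly, so whether ret->entries was already set is not visible here. Suggest either setting ret->entries = NULL and ret->size = 0 immediately before the call, or a comment stating that ret arrives zeroed. The commit message should also mention that av_fast_mallocz() clears only newly allocated space, not a reused buffer, since the zeroing is the whole point of the change.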
-----------------------------------------------------------------------
Summary of changes:
libavcodec/exif.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
hooks/post-receive
--
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]