avcodec/exif: check count in exif_decode_tag()

Fixes: out of array access Fixes: integer overflow Fixes: poc_heap_bof Found-by: *2ourc3 (Salim LARGO) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-11-23 21:54:53 +02:00 · 2025-09-18 02:25:32 +02:00
parent 88e04205b3
commit 647138334a
1 changed files with 1 additions and 1 deletions
--- a/libavcodec/exif.c
+++ b/libavcodec/exif.c
@@ -477,7 +477,7 @@ static int exif_decode_tag(void *logctx, GetByteContext *gb, int le,
                                 "payload: %" PRIu32 "\n", entry->id, type, count, tell, payload);

    /* AV_TIFF_IFD is the largest, numerically */
-    if (type > AV_TIFF_IFD)
+    if (type > AV_TIFF_IFD || count >= INT_MAX/8U)
        return AVERROR_INVALIDDATA;

    is_ifd = type == AV_TIFF_IFD || ff_tis_ifd(entry->id) || entry->id == MAKERNOTE_TAG;