From 647138334abd6ea001a16a768eb12cc4156db5f9 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 18 Sep 2025 02:25:32 +0200
Subject: [PATCH] avcodec/exif: check count in exif_decode_tag()
Fixes: out of array access
Fixes: integer overflow
Fixes: poc_heap_bof
Found-by: *2ourc3 (Salim LARGO)
Signed-off-by: Michael Niedermayer
---
 libavcodec/exif.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/exif.c b/libavcodec/exif.c
index a953252da0..e7aa9b8d8f 100644
--- a/libavcodec/exif.c
+++ b/libavcodec/exif.c
@@ -477,7 +477,7 @@ static int exif_decode_tag(void *logctx, GetByteContext *gb, int le,
 "payload: %" PRIu32 "\n", entry->id, type, count, tell, payload);
 /* AV_TIFF_IFD is the largest, numerically */
- if (type > AV_TIFF_IFD)
+ if (type > AV_TIFF_IFD || count >= INT_MAX/8U)
 return AVERROR_INVALIDDATA;
 is_ifd = type == AV_TIFF_IFD || ff_tis_ifd(entry->id) || entry->id == MAKERNOTE_TAG;
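Review bot: The added `count >= INT_MAX/8U` term in the `if` has no explanation, and the comment above it (`AV_TIFF_IFD is the largest, numerically`) still covers only the `type` half of the condition. The 8 looks like the widest per-element size, chosen so that a later `count * size` cannot overflow an `int`, but that is inferred from the hunk; a comment such as `/* reject counts whose byte size (at most count * 8) would not fit in an int */` would state the invariant next to the check. The bound stops the arithmetic overflow but still admits counts in the hundreds of millions, so if the rest of `exif_decode_tag()` (its body starts and ends outside this hunk) does not also compare `count` with the bytes left in `gb`, a small file could still request a very large allocation or read loop; that is worth confirming.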