
avcodec/exif: check count in exif_decode_tag()

Fixes: out of array access
Fixes: integer overflow
Fixes: poc_heap_bof

Found-by: *2ourc3 (Salim LARGO)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer
2025-09-18 02:25:32 +02:00
committed by Leo Izen
parent 88e04205b3
commit 647138334a


@@ -477,7 +477,7 @@ static int exif_decode_tag(void *logctx, GetByteContext *gb, int le,
"payload: %" PRIu32 "\n", entry->id, type, count, tell, payload); "payload: %" PRIu32 "\n", entry->id, type, count, tell, payload);
/* AV_TIFF_IFD is the largest, numerically */ /* AV_TIFF_IFD is the largest, numerically */
if (type > AV_TIFF_IFD) if (type > AV_TIFF_IFD || count >= INT_MAX/8U)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
is_ifd = type == AV_TIFF_IFD || ff_tis_ifd(entry->id) || entry->id == MAKERNOTE_TAG; is_ifd = type == AV_TIFF_IFD || ff_tis_ifd(entry->id) || entry->id == MAKERNOTE_TAG;
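Review bot: The added bound `count >= INT_MAX/8U` on the `if (type > AV_TIFF_IFD ...)` line uses an unexplained 8, and the comment above it now describes only the type half of the condition. Presumably 8 is the largest per-element size of a TIFF type, so that count times element size cannot overflow an int later in the function; I would state that next to the check, e.g. `/* reject counts whose byte size (up to 8 bytes per element) would overflow an int */`. The check only rules out arithmetic overflow, so a count just under the limit is still accepted. Whether count is also compared with the bytes actually available in `gb` before anything is allocated or read should be confirmed in the part of exif_decode_tag() that lies outside this hunk.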