PR #21255 opened by ruikai
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21255
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21255.patch
Extra IFDs are stored as pseudo-tags 0xFFFC..0xFFED in the
top-level IFD. The size calculation skips the 12-byte directory
entry for those tags, but the extraction loop breaks on the
first missing tag. If 0xFFFC is absent and 0xFFFB remains,
av_exif_write allocates too small a buffer and exif_write_ifd
will still emit the entry, causing an OOB write when it pads
inline payloads (AV_WN32 on the last 4 bytes).
Always account for the base tag size so the allocation stays
conservative even when extra tags remain.
Repro (ASan):
./configure --toolchain=clang-asan --enable-debug \
--disable-optimizations
make -j"$(nproc)"
# PNG with EXIF IFD0 entries {0xFFFB, 0x0100, 0x0112}
ASAN_OPTIONS=halt_on_error=1:detect_leaks=0 ./ffmpeg_g \
-loglevel error -nostdin -i poc-exif-orient2.png -f null -
this triggers heap-buffer-overflow write in exif.c:731
(exif_write_ifd).
reference: https://gist.github.com/retr0reg/bc5f5dd9e2afedb09853913f1d1ee246
Regression: 784aa09fa8
Found-by: Ruikai Peng, Pwno
>From 7ea0d12bc09cbda9d978cd3cc298182fb9c54962 Mon Sep 17 00:00:00 2001
From: Ruikai Peng <[email protected]>
Date: Sun, 21 Dec 2025 14:49:56 -0500
Subject: [PATCH] avcodec/exif: keep IFD base size in buffer sizing
Extra IFDs are stored as pseudo-tags 0xFFFC..0xFFED in the
top-level IFD. The size calculation skips the 12-byte directory
entry for those tags, but the extraction loop breaks on the
first missing tag. If 0xFFFC is absent and 0xFFFB remains,
av_exif_write allocates too small a buffer and exif_write_ifd
will still emit the entry, causing an OOB write when it pads
inline payloads (AV_WN32 on the last 4 bytes).
Always account for the base tag size so the allocation stays
conservative even when extra tags remain.
Repro (ASan):
./configure --toolchain=clang-asan --enable-debug \
--disable-optimizations
make -j"$(nproc)"
# PNG with EXIF IFD0 entries {0xFFFB, 0x0100, 0x0112}
ASAN_OPTIONS=halt_on_error=1:detect_leaks=0 ./ffmpeg_g \
-loglevel error -nostdin -i poc-exif-orient2.png -f null -
this triggers heap-buffer-overflow write in exif.c:731
(exif_write_ifd).
reference: https://gist.github.com/retr0reg/bc5f5dd9e2afedb09853913f1d1ee246
Regression: 784aa09fa8
Found-by: Ruikai Peng, Pwno
---
libavcodec/exif.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/libavcodec/exif.c b/libavcodec/exif.c
index 0de543e35a..c7399e94b2 100644
--- a/libavcodec/exif.c
+++ b/libavcodec/exif.c
@@ -673,9 +673,7 @@ static size_t exif_get_ifd_size(const AVExifMetadata *ifd)
for (size_t i = 0; i < ifd->count; i++) {
const AVExifEntry *entry = &ifd->entries[i];
if (entry->type == AV_TIFF_IFD) {
- /* this is an extra IFD, not an entry, so we don't need to add
base tag size */
- size_t base_size = entry->id > 0xFFECu && entry->id <= 0xFFFCu ? 0
: BASE_TAG_SIZE;
- total_size += base_size + exif_get_ifd_size(&entry->value.ifd) +
entry->ifd_offset;
+ total_size += BASE_TAG_SIZE + exif_get_ifd_size(&entry->value.ifd)
+ entry->ifd_offset;
} else {
size_t payload_size = entry->count * exif_sizes[entry->type];
total_size += BASE_TAG_SIZE + (payload_size > 4 ? payload_size :
0);
--
2.49.1
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
