PR #21714 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21714
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21714.patch
Fixes: Timeout Fixes: 471568865/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-4864048211755008 Fixes: 471951381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_DEC_fuzzer-5069855998148608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> >From b314a26e2ef3786550a082ef87c6ab51ea0a1209 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Tue, 10 Feb 2026 13:36:03 +0100 Subject: [PATCH] avcodec/exif: Check that the values read exist in the input Fixes: Timeout Fixes: 471568865/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-4864048211755008 Fixes: 471951381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_DEC_fuzzer-5069855998148608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/exif.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/exif.c b/libavcodec/exif.c index a184733e80..e422b28b8d 100644 --- a/libavcodec/exif.c +++ b/libavcodec/exif.c @@ -270,6 +270,9 @@ static inline void tput64(PutByteContext *pb, const int le, const uint64_t value static int exif_read_values(void *logctx, GetByteContext *gb, int le, AVExifEntry *entry) { + if (exif_sizes[entry->type] * entry->count > bytestream2_get_bytes_left(gb)) + return AVERROR_INVALIDDATA; + switch (entry->type) { case AV_TIFF_SHORT: case AV_TIFF_LONG: -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
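Review bot: The new check at the top of exif_read_values() computes exif_sizes[entry->type] * entry->count before comparing it with bytestream2_get_bytes_left(gb), and if that product is evaluated in 32-bit arithmetic (the operand types are not visible in this hunk) a large count can wrap and pass the check. Consider widening to uint64_t before multiplying, or comparing by division (entry->count > bytestream2_get_bytes_left(gb) / exif_sizes[entry->type], with a zero size handled separately). The lookup exif_sizes[entry->type] also runs ahead of the switch on entry->type, so it is worth confirming that the caller has already range-checked the type against the table. A one-line comment saying that entries whose declared payload exceeds the remaining input are rejected would make the intent clear to later readers.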
