Hi,
I'd like to report a dead overflow check in decode_text_to_exif() in
libavcodec/pngdec.c.
## Bug
At line 561, the guard against an oversized exif_len is:
// first condition checks for overflow in 2 * exif_len
if ((exif_len & ~SIZE_MAX) || end - ptr < 2 * exif_len)
The comment indicates the intent was to guard against overflow in 2 *
exif_len, but since exif_len is declared as size_t, the expression
(exif_len & ~SIZE_MAX) is always 0 — ~SIZE_MAX has no bits set within
the range of size_t, making the first condition permanently false and
effectively dead code.
The second condition (end - ptr < 2 * exif_len) is also bypassable:
with exif_len = SIZE_MAX/2 + 1, the multiplication 2 * exif_len wraps
to 0, making the check evaluate to false. Both guards can be bypassed
simultaneously with a crafted input.
On 64-bit systems the subsequent av_buffer_alloc(exif_len - 6) fails
with ENOMEM, preventing exploitation. On 32-bit systems SIZE_MAX/2 ≈
2GB is potentially allocatable, making the subsequent heap OOB read
reachable (CWE-125).
## Fix
Replace the dead first condition with a meaningful size bound:
- if ((exif_len & ~SIZE_MAX) || end - ptr < 2 * exif_len)
+ if (exif_len > SIZE_MAX / 2 || end - ptr < 2 * exif_len)
Thanks,
Jenny (Guanni Qu)
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]