From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id E8F404BD81
	for <ffmpegdev@gitmailbox.com>; Wed, 27 Aug 2025 14:51:25 +0000 (UTC)
Authentication-Results: ffbox; dkim=fail (body hash mismatch (got 
   b's/lA/lJi0UUE3+1TFpiiQgmOMMEcJ0TAI8isljJXUGc=', expected 
   b'jcy3r4qMZnLFT1GXdnABuRplti0c7MZguaj51vdgrvA=')) header.d=ffmpeg.org 
   header.i=@ffmpeg.org header.a=rsa-sha256
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1756306279; h=mime-version : to :
 message-id : reply-to : subject : list-id : list-archive :
 list-archive : list-help : list-owner : list-post : list-subscribe :
 list-unsubscribe : from : cc : content-type :
 content-transfer-encoding : from;
 bh=s/lA/lJi0UUE3+1TFpiiQgmOMMEcJ0TAI8isljJXUGc=;
 b=DnCMKY8R0sRYF8NmjP8oUAP7hAXfutQ0oq4bs6PfGK/6ZsLhl3i5YlJ3s/nNiDQCJpBaH
 POg33xXu99eC/oXxLuDogqfwJqjy/bzMA1ne58ogPV+xQ9FSl2L3V2oRffh9I9cGjlZyLqM
 tKXiDeYGeERy7RKAb+ZJSWY1LXFrfMa+upLBHafH1x2NT53mKQAiDRWrgqYktQDi78rS/73
 GOt78j0SUf4WRHEz5ZpgAtue8dkDcnE6yVPER14CrMk1oIDPgl2JsJd1FBXJVniyY9GYQTl
 ahXagefyuVt5Q2ABJXZQsnz8wmG7yEyNpCYkxzYeP5ATdroodXJcrbfpRZKg==
Received: from [172.18.0.4] (unknown [172.19.0.4])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 6278368E7B1;
	Wed, 27 Aug 2025 17:51:19 +0300 (EEST)
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=ffmpeg.org; s=arc; t=1756306267;
 b=mREjFj3si7WlLlWvT1WSorywZ6UJH3DCic1pHPa89GxUs0TW0UhOrLIqHXjjLMD+dkXuK
 GAg5xSXjmE3JL4FPCGknok2g8Z6GoAJnO6p7n2gm65Cu9sPH/J1FtDDu9WUfVrwjC1UwrSc
 q5a2yN8vNg8WcX2N86WNaiJCYtum2D4LMJ/CdmN4hLqC01yp8BXXXnB1m6dD0AKPyxtC5Rz
 9TOxn2wdiKPxpCglciSUkOrRzDo2Cwim/wFzDyNVA0Z4KeBp2qPn8UXl7PBhQNVG4pqvqDr
 3SAenbSJjON8shhpTqDfZaD2puUOJTJdVgShtYGUrkthbOt61WZRMU3ttlzw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=ffmpeg.org; s=arc; t=1756306267; h=from : sender : reply-to :
 subject : date : message-id : to : cc : mime-version : content-type :
 content-transfer-encoding : content-id : content-description :
 resent-date : resent-from : resent-sender : resent-to : resent-cc :
 resent-message-id : in-reply-to : references : list-id : list-help :
 list-unsubscribe : list-subscribe : list-post : list-owner :
 list-archive; bh=dJGXVIniKLPxzqx97MrYU0pVphnS/pSO2Mqct/wPXzM=;
 b=iUmKNPZDIEzgj5F9K6SJVbromuWSD0Ei8ByZdIWAJzoi4Ag3AElfcig+5tZgVyDOUROpv
 vE/XDNkEGjbGsd/kbMt9VL7LcXoLKBb4mdgJCCVLXFHgoY/ekMirIbmR7RfL57ZWSYebG3K
 JSe/L0q9vss0AuWdC+tr7tw1QqsLAdNOQ2y8jqoNyYtFyrLVywRXaxamvr22U3MeVOdzaE+
 nT0O+jEdUuF1WdanI1viznem+z3CouI/RrLgEmqo3gW1mlk3UeV91Emj1nXC3v+W73ZrnRY
 G9/xq76vD5qyCvax8hpvW6ReFLuwQ6sOoNxljICAIigj9X73YUM7kJeNfc6Q==
ARC-Authentication-Results: i=1; ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none;
 dmarc=none
Authentication-Results: ffmpeg.org;
 dkim=pass header.d=ffmpeg.org header.i=@ffmpeg.org;
 arc=none (Message is not ARC signed); dmarc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ffmpeg.org;
 i=@ffmpeg.org; q=dns/txt; s=mail; t=1756306258; h=content-type :
 mime-version : content-transfer-encoding : from : to : reply-to :
 subject : from; bh=jcy3r4qMZnLFT1GXdnABuRplti0c7MZguaj51vdgrvA=;
 b=z0/iOlKyUiLx6u5teDsBZutJDiRA7dvEyWXBE5XxgiJ+J6sckAg2j/SjV8NwYyOWixAiG
 LAD7ZByoCpHu08jBiv580R40k+TE4KPdCNhFb3NRg9dfUboFYMakYbI8Bv2I4iHLT8poGY/
 prYzuRR7DyT70zVJSkN9mqQ0drGKLlIeZ83b9bb8J+Xd4oBIcbF1mBXlpE6n7CSEVTWFTCd
 Cyt8xhbe+S2p40obAklOFBMEJeXobTXkh7rFMbiJlNvuxu2LrW4UyxkMIiCONIF08ffnpjf
 CrJ59+lBxLBY79D0vz6pOAl3kSGyJKzGQE6M0JD/LuVDaFJhSeL7EuYoU8vA==
Received: from 5d8f51c41678 (code.ffmpeg.org [188.245.149.3])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 888D968E722
	for <ffmpeg-devel@ffmpeg.org>; Wed, 27 Aug 2025 17:50:58 +0300 (EEST)
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Message-ID: <175630625872.34.11590893726063530688@5a0384606a8e>
Message-ID-Hash: YPXVL5ZI6PNHPHAREJMG3LZWJNHO4ISS
X-Message-ID-Hash: YPXVL5ZI6PNHPHAREJMG3LZWJNHO4ISS
X-MailFrom: code@ffmpeg.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; header-match-ffmpeg-devel.ffmpeg.org-0;
 header-match-ffmpeg-devel.ffmpeg.org-1;
 header-match-ffmpeg-devel.ffmpeg.org-2;
 header-match-ffmpeg-devel.ffmpeg.org-3; emergency; member-moderation;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] [PATCH] avcodec/exif: also copy zero termination for
 AV_TIFF_STRING (PR #20354)
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
Archived-At: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/YPXVL5ZI6PNHPHAREJMG3LZWJNHO4ISS/>
Archived-At: 
 <https://lists.ffmpeg.org/lore/ffmpeg-devel/175630625872.34.11590893726063530688@5a0384606a8e/>
List-Archive: 
 <https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/>
List-Archive: <https://lists.ffmpeg.org/lore/ffmpeg-devel/>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Owner: <mailto:ffmpeg-devel-owner@ffmpeg.org>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Subscribe: <mailto:ffmpeg-devel-join@ffmpeg.org>
List-Unsubscribe: <mailto:ffmpeg-devel-leave@ffmpeg.org>
From: michaelni via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
Cc: michaelni <code@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://master.gitmailbox.com/ffmpegdev/175630625872.34.11590893726063530688@5a0384606a8e/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

PR #20354 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20354
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20354.patch

Fixes: out of array read
Fixes: 441131173/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_DEC_fuzzer-6700429212975104

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>


>>From a03941944dfd74d1869ee92d650fcaabe6c8092a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 27 Aug 2025 15:00:56 +0200
Subject: [PATCH] avcodec/exif: also copy zero termination for AV_TIFF_STRING

Fixes: out of array read
Fixes: 441131173/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_DEC_fuzzer-6700429212975104

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/exif.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/exif.c b/libavcodec/exif.c
index f7effa6dbd..2ac54e51af 100644
--- a/libavcodec/exif.c
+++ b/libavcodec/exif.c
@@ -993,7 +993,11 @@ static int exif_clone_entry(AVExifEntry *dst, const AVExifEntry *src)
             EXIF_COPY(dst->value.sbytes, src->value.sbytes);
             break;
         case AV_TIFF_STRING:
-            EXIF_COPY(dst->value.str, src->value.str);
+            dst->value.str = av_memdup(src->value.str, src->count+1);
+            if (!dst->value.str) {
+                ret = AVERROR(ENOMEM);
+                goto end;
+            }
             break;
     }
 
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org