MIME-Version: 1.0 To: ffmpeg-devel@ffmpeg.org Date: Sat, 13 Sep 2025 12:25:03 -0000 Message-ID: <175776630379.25.17912284374158106438@463a07221176>
Subject: [FFmpeg-devel] [PATCH] ff-tmp-exif-clear (PR #20513) From: michaelni via ffmpeg-devel Cc: michaelni PR #20513 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20513 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20513.patch avcodec/exif: Use av_fast_mallocz() in av_exif_clone_ifd() using fast realloc leaves the entries uninitialized and frees garbage pointers on errors >>From f4cfb976540b4eaed69873b6168ebc331b8923b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Sep 2025 13:53:53 +0200 Subject: [PATCH 1/2] avcodec/exif: Do not leave uninitialized pointers on errors in exif_clone_entry() No testcase, but this looks like it could free garbage pointers Signed-off-by: Michael Niedermayer --- libavcodec/exif.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/exif.c b/libavcodec/exif.c index f9ad3e1bdb..3e86833986 100644 --- a/libavcodec/exif.c +++ b/libavcodec/exif.c
@@ -953,6 +953,7 @@ static int exif_clone_entry(AVExifEntry *dst, const AVExifEntry *src) dst->count = src->count; dst->id = src->id; dst->type = src->type; + memset(&dst->value, 0, sizeof(dst->value)); dst->ifd_offset = src->ifd_offset; if (src->ifd_lead) { -- 2.49.1 >>From 2e8cc7b86019fb32bdf0b23a138901e6f65238f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Sep 2025 14:00:55 +0200 Subject: [PATCH 2/2] avcodec/exif: Use av_fast_mallocz() in av_exif_clone_ifd() using fast realloc leaves the entries uninitialized and frees garbage pointers on errors Fixes: bug_triggering_file Found-by: *2ourc3, 5pider Signed-off-by: Michael Niedermayer --- libavcodec/exif.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exif.c b/libavcodec/exif.c index 3e86833986..cd6c0c3771 100644 --- a/libavcodec/exif.c +++ b/libavcodec/exif.c @@ -1152,7 +1152,7 @@ AVExifMetadata *av_exif_clone_ifd(const AVExifMetadata *ifd) size_t required_size; if (av_size_mult(ret->count, sizeof(*ret->entries), &required_size) < 0) goto fail; - ret->entries = av_fast_realloc(NULL, &ret->size, required_size); + av_fast_mallocz(&ret->entries, &ret->size, required_size); if (!ret->entries) goto fail; } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
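Review bot: in the exif_clone_entry() hunk (patch 1/2), the added `memset(&dst->value, 0, sizeof(dst->value));` only clears the value union, while the function is already assigning the other members of *dst one by one. Zeroing the whole destination once at function entry (`memset(dst, 0, sizeof(*dst));` before `dst->count = src->count;`) would cover every pointer-carrying member, including any added later, and would make the error path the commit message worries about ("could free garbage pointers") safe by construction rather than by per-field bookkeeping. Since the commit message states there is no testcase, a short comment above the memset explaining that the cleanup path frees dst->value pointers and therefore needs them initialized would keep the next reader from removing it as redundant once patch 2/2 makes the entries array arrive zeroed.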
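Review bot: in the av_exif_clone_ifd() hunk (patch 2/2), the replacement `av_fast_mallocz(&ret->entries, &ret->size, required_size);` changes the semantics of the first argument: the old call passed NULL explicitly, whereas the new one hands in whatever ret->entries currently holds and will treat a non-NULL value as an existing buffer to reuse or realloc. The hunk does not show how ret is set up, so please confirm that ret->entries is NULL (and ret->size is 0) at this point; av_fast_mallocz only clears newly allocated space and does not clear a reused buffer, so the "entries are zeroed" guarantee this patch relies on holds only for a fresh allocation, and a stale pointer (for example one copied from ifd) would be passed to realloc. The `if (!ret->entries) goto fail;` check after the call is correct as written, since av_fast_mallocz returns void and sets *ptr to NULL on failure. The "Fixes: bug_triggering_file" line in the commit message would be more useful with a brief description of the trigger (truncated IFD, failing sub-IFD clone, etc.), so the fix can be verified independently of the private file.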