[FFmpeg-devel] [PATCH] avcodec/exif: keep IFD base size in buffer sizing (PR #21255)

[ruikai via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>]

PR #21255 opened by ruikai
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21255
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21255.patch

Extra IFDs are stored as pseudo-tags 0xFFFC..0xFFED in the
top-level IFD. The size calculation skips the 12-byte directory
entry for those tags, but the extraction loop breaks on the
first missing tag. If 0xFFFC is absent and 0xFFFB remains,
av_exif_write allocates too small a buffer and exif_write_ifd
will still emit the entry, causing an OOB write when it pads
inline payloads (AV_WN32 on the last 4 bytes).

Always account for the base tag size so the allocation stays
conservative even when extra tags remain.

Repro (ASan):

./configure --toolchain=clang-asan --enable-debug \
--disable-optimizations
make -j"$(nproc)"

# PNG with EXIF IFD0 entries {0xFFFB, 0x0100, 0x0112}
ASAN_OPTIONS=halt_on_error=1:detect_leaks=0 ./ffmpeg_g \
-loglevel error -nostdin -i poc-exif-orient2.png -f null -

this triggers heap-buffer-overflow write in exif.c:731
(exif_write_ifd).

reference: https://gist.github.com/retr0reg/bc5f5dd9e2afedb09853913f1d1ee246

Regression: 784aa09fa8
Found-by: Ruikai Peng, Pwno


>From 7ea0d12bc09cbda9d978cd3cc298182fb9c54962 Mon Sep 17 00:00:00 2001
From: Ruikai Peng <ruikai@pwno.io>
Date: Sun, 21 Dec 2025 14:49:56 -0500
Subject: [PATCH] avcodec/exif: keep IFD base size in buffer sizing

Extra IFDs are stored as pseudo-tags 0xFFFC..0xFFED in the
top-level IFD. The size calculation skips the 12-byte directory
entry for those tags, but the extraction loop breaks on the
first missing tag. If 0xFFFC is absent and 0xFFFB remains,
av_exif_write allocates too small a buffer and exif_write_ifd
will still emit the entry, causing an OOB write when it pads
inline payloads (AV_WN32 on the last 4 bytes).

Always account for the base tag size so the allocation stays
conservative even when extra tags remain.

Repro (ASan):

./configure --toolchain=clang-asan --enable-debug \
--disable-optimizations
make -j"$(nproc)"

# PNG with EXIF IFD0 entries {0xFFFB, 0x0100, 0x0112}
ASAN_OPTIONS=halt_on_error=1:detect_leaks=0 ./ffmpeg_g \
-loglevel error -nostdin -i poc-exif-orient2.png -f null -

this triggers heap-buffer-overflow write in exif.c:731
(exif_write_ifd).

reference: https://gist.github.com/retr0reg/bc5f5dd9e2afedb09853913f1d1ee246

Regression: 784aa09fa8
Found-by: Ruikai Peng, Pwno
---
 libavcodec/exif.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/libavcodec/exif.c b/libavcodec/exif.c
index 0de543e35a..c7399e94b2 100644
--- a/libavcodec/exif.c
+++ b/libavcodec/exif.c
@@ -673,9 +673,7 @@ static size_t exif_get_ifd_size(const AVExifMetadata *ifd)
     for (size_t i = 0; i < ifd->count; i++) {
         const AVExifEntry *entry = &ifd->entries[i];
         if (entry->type == AV_TIFF_IFD) {
-            /* this is an extra IFD, not an entry, so we don't need to add base tag size */
-            size_t base_size = entry->id > 0xFFECu && entry->id <= 0xFFFCu ? 0 : BASE_TAG_SIZE;
-            total_size += base_size + exif_get_ifd_size(&entry->value.ifd) + entry->ifd_offset;
+            total_size += BASE_TAG_SIZE + exif_get_ifd_size(&entry->value.ifd) + entry->ifd_offset;
         } else {
             size_t payload_size = entry->count * exif_sizes[entry->type];
             total_size += BASE_TAG_SIZE + (payload_size > 4 ? payload_size : 0);
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org