From: ruikai via ffmpeg-devel
Cc: ruikai
To: ffmpeg-devel@ffmpeg.org
Reply-To: FFmpeg development discussions and patches
List-Id: FFmpeg development discussions and patches
Date: Thu, 01 Jan 2026 22:06:30 -0000
Message-ID: <176730519194.25.128553257836395788@4457048688e7>
Subject: [FFmpeg-devel] [PR] avcodec/exif.c: ignore synthetic tags as IFDs (PR #21352)

PR #21352 opened by ruikai
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21352
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21352.patch

Synthetic extra IFD tags (0xFFED..0xFFFC) are reserved and should not be
treated as IFDs when they come from input. Refuse to parse them as IFDs
and only peel entries that are real IFDs. This fixes a heap OOB when
synthetic tags are nested and sized without the 12 bytes directory slot
but survived peeling.

>>From 64924fb88b77a962f0cd6c21d4b82cc164c391f4 Mon Sep 17 00:00:00 2001
From: retr0reg
Date: Thu, 1 Jan 2026 16:55:46 -0500
Subject: [PATCH] avcodec/exif.c: ignore synthetic tags as IFDs

Synthetic extra IFD tags (0xFFED..0xFFFC) are reserved and should not be
treated as IFDs when they come from input. Refuse to parse them as IFDs
and only peel entries that are real IFDs. This fixes a heap OOB when
synthetic tags are nested and sized without the 12 bytes directory slot
but survived peeling.
---
 libavcodec/exif.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/libavcodec/exif.c b/libavcodec/exif.c index 5ce402784c..775fe1a983 100644 --- a/libavcodec/exif.c +++ b/libavcodec/exif.c @@ -230,6 +230,11 @@ static const size_t exif_sizes[] = { [AV_TIFF_IFD] = 4, }; +static av_always_inline int exif_is_synthetic_tag(uint16_t id) +{ + return id > 0xFFECu && id <= 0xFFFCu; +} + const char *av_exif_get_tag_name(uint16_t id) { for (size_t i = 0; i < FF_ARRAY_ELEMS(tag_list); i++) { @@ -498,7 +503,8 @@ static int exif_decode_tag(void *logctx, GetByteContext *gb, int le, if (type > AV_TIFF_IFD || count >= INT_MAX/8U) return AVERROR_INVALIDDATA; - is_ifd = type == AV_TIFF_IFD || ff_tis_ifd(entry->id) || entry->id == MAKERNOTE_TAG; + is_ifd = (type == AV_TIFF_IFD || ff_tis_ifd(entry->id) || entry->id == MAKERNOTE_TAG) && + !exif_is_synthetic_tag(entry->id); if (is_ifd) { if (!payload) @@ -805,6 +811,8 @@ int av_exif_write(void *logctx, const AVExifMetadata *ifd, AVBufferRef **buffer, ret = av_exif_get_entry(logctx, (AVExifMetadata *) ifd, extra_tag, 0, &extra_entry); if (ret < 0) break; + if (extra_entry->type != AV_TIFF_IFD) + continue; if (!ret) continue; av_log(logctx, AV_LOG_DEBUG, "found extra IFD tag: %04x\n", extra_tag); -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
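
Review bot: In the first hunk, exif_is_synthetic_tag() writes the range with an exclusive lower bound (`id > 0xFFECu`) and an inclusive upper bound (`id <= 0xFFFCu`), while the commit message states it as 0xFFED..0xFFFC. Writing `id >= 0xFFEDu && id <= 0xFFFCu`, or two named constants for the first and last synthetic tag, would make the check read the same as the description and reduce the chance of an off-by-one if the range is edited later. A short comment above the helper saying that these ids are reserved and must not be honoured as IFDs when they come from input would document why it exists.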
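
Review bot: In the exif_decode_tag() hunk, the new `!exif_is_synthetic_tag(entry->id)` term also overrides `type == AV_TIFF_IFD`, so an input entry that has a synthetic id and IFD type is not rejected but falls through to the non-IFD path without any log message. If such an entry keeps type AV_TIFF_IFD after decoding, it would still pass the `extra_entry->type != AV_TIFF_IFD` test that the last hunk adds in av_exif_write(). Consider returning AVERROR_INVALIDDATA for synthetic ids read from input, or dropping the entry with a warning, and state in a comment which behaviour is intended.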
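
Review bot: In the av_exif_write() hunk, the added `extra_entry->type != AV_TIFF_IFD` test dereferences extra_entry before the existing `if (!ret) continue;`, so it runs even when av_exif_get_entry() returned 0. If a return of 0 means the tag was not found, extra_entry may be NULL or left over from a previous iteration at that point. Moving the type check below `if (!ret) continue;` would ensure the pointer is only read after a successful lookup.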