To: ffmpeg-devel@ffmpeg.org
Date: Sat, 03 Jan 2026 18:12:16 -0000
Message-ID: <176746393737.25.9093336781147860244@4457048688e7>
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PR] avcodec/exif: avoid overflow with supplemental extra IFDs (PR #21366)
List-Id: FFmpeg development discussions and patches
From: Leo Izen via ffmpeg-devel
Cc: Leo Izen

PR #21366 opened by Leo Izen (Traneptora)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21366
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21366.patch

If extra IFDs occur outside of the top level, we don't allocate enough
buffer space for them. This commit changes our calculation to include
their size always, and then we shrink the allocated buffer once every
IFD is written (by at most 192 bytes).

Signed-off-by: Leo Izen

>>From 72f9a790f9e77dc54a86d6f5d519d03e83b6661d Mon Sep 17 00:00:00 2001
From: Leo Izen
Date: Sat, 3 Jan 2026 11:31:21 -0500
Subject: [PATCH] avcodec/exif: avoid overflow with supplemental extra IFDs

If extra IFDs occur outside of the top level, we don't allocate enough
buffer space for them. This commit changes our calculation to include
their size always, and then we shrink the allocated buffer once every
IFD is written (by at most 192 bytes).

Signed-off-by: Leo Izen
---
 libavcodec/exif.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/libavcodec/exif.c b/libavcodec/exif.c index 5ce402784c..01ffa88194 100644 --- a/libavcodec/exif.c +++ b/libavcodec/exif.c @@ -673,9 +673,7 @@ static size_t exif_get_ifd_size(const AVExifMetadata *ifd) for (size_t i = 0; i < ifd->count; i++) { const AVExifEntry *entry = &ifd->entries[i]; if (entry->type == AV_TIFF_IFD) { - /* this is an extra IFD, not an entry, so we don't need to add base tag size */ - size_t base_size = entry->id > 0xFFECu && entry->id <= 0xFFFCu ? 0 : BASE_TAG_SIZE; - total_size += base_size + exif_get_ifd_size(&entry->value.ifd) + entry->ifd_offset; + total_size += BASE_TAG_SIZE + exif_get_ifd_size(&entry->value.ifd) + entry->ifd_offset; } else { size_t payload_size = entry->count * exif_sizes[entry->type]; total_size += BASE_TAG_SIZE + (payload_size > 4 ? payload_size : 0); @@ -776,11 +774,10 @@ int av_exif_write(void *logctx, const AVExifMetadata *ifd, AVBufferRef **buffer, headsize = 0; break; } - buf = av_buffer_alloc(size + off + headsize); - if (!buf) { - ret = AVERROR(ENOMEM); + + ret = av_buffer_realloc(&buf, size + off + headsize); + if (ret < 0) goto end; - } if (header_mode == AV_EXIF_EXIF00) { AV_WL32(buf->data, MKTAG('E','x','i','f')); @@ -853,6 +850,12 @@ int av_exif_write(void *logctx, const AVExifMetadata *ifd, AVBufferRef **buffer, next += ret; } + /* shrink the buffer to the amount of data we actually used */ + /* extras don't contribute the initial BASE_TAG_SIZE each */ + ret = av_buffer_realloc(&buf, buf->size - BASE_TAG_SIZE * extras); + if (ret < 0) + goto end; + *buffer = buf; ret = 0; -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
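
Review bot: in the `exif_get_ifd_size` hunk (@@ -673), the `AV_TIFF_IFD` branch now adds `BASE_TAG_SIZE` for every IFD entry, and the comment that explained the old exception is deleted without a replacement, so nothing at this site says the return value is now an upper bound rather than an exact size. Please add a comment stating that extra IFDs are over-counted by `BASE_TAG_SIZE` each and that `av_exif_write` trims this back with `BASE_TAG_SIZE * extras`. The two sites have to stay in step: if the set of entries over-counted here ever differs from what `extras` counts, the final buffer size is wrong.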
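
Review bot: in the allocation hunk of `av_exif_write` (@@ -776), `av_buffer_realloc(&buf, size + off + headsize)` reads `*buf`, so unlike the `av_buffer_alloc` call it replaces, it is only correct if `buf` is NULL or a valid reference at this point, and the declaration of `buf` is not in the visible lines. Please confirm `buf` is initialized to NULL on every path that reaches this call. A short comment saying the buffer is created with `av_buffer_realloc` so that the later shrink can resize it would also help the next reader, and no wraparound check on `size + off + headsize` is visible in this hunk.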
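
Review bot: the new shrink at the end of `av_exif_write` (@@ -853) computes `buf->size - BASE_TAG_SIZE * extras` with no check that the product is smaller than `buf->size`, so a miscount of `extras` would wrap the subtraction and request a huge reallocation instead of a shrink. The commit message states the reduction is at most 192 bytes; an assertion or explicit bound check before the call would turn that into an enforced invariant. Please also confirm that the `end` label unreferences `buf`, since the added `goto end` leaves with a fully written buffer that has not yet been handed to `*buffer`.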