avcodec/exif: also copy zero termination for AV_TIFF_STRING

Fixes: out of array read Fixes: 441131173/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_DEC_fuzzer-6700429212975104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2025-08-27 15:00:56 +0200
committer: Leo Izen <leo.izen@gmail.com> 2025-08-27 15:46:35 +0000
commit: 76645e096fabd9beeecb681691b4bca327241ee8 (patch)
tree: 01f832daa2584da19d3a6e8586d1700afce64659
parent: 041651841a1e11a6873a1d7b2f826b8678f8a2c8 (diff)
download: ffmpeg-76645e096fabd9beeecb681691b4bca327241ee8.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/exif.c b/libavcodec/exif.c
index f7effa6dbd..2ac54e51af 100644
--- a/libavcodec/exif.c
+++ b/libavcodec/exif.c
@@ -993,7 +993,11 @@ static int exif_clone_entry(AVExifEntry *dst, const AVExifEntry *src)
             EXIF_COPY(dst->value.sbytes, src->value.sbytes);
             break;
         case AV_TIFF_STRING:
-            EXIF_COPY(dst->value.str, src->value.str);
+            dst->value.str = av_memdup(src->value.str, src->count+1);
+            if (!dst->value.str) {
+                ret = AVERROR(ENOMEM);
+                goto end;
+            }
             break;
     }
author	Michael Niedermayer <michael@niedermayer.cc>	2025-08-27 15:00:56 +0200
committer	Leo Izen <leo.izen@gmail.com>	2025-08-27 15:46:35 +0000
commit	76645e096fabd9beeecb681691b4bca327241ee8 (patch)
tree	01f832daa2584da19d3a6e8586d1700afce64659
parent	041651841a1e11a6873a1d7b2f826b8678f8a2c8 (diff)
download	ffmpeg-76645e096fabd9beeecb681691b4bca327241ee8.tar.gz