PR #22596 opened by Priyanshuthapliyal
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22596
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22596.patch

The expression (exif_len & ~SIZE_MAX) is always 0 for size_t,
making the overflow guard permanently dead code.

Reported-by: Guanni Qu <[email protected]>
Signed-off-by: Priyanshu Thapliyal <[email protected]>


>From 5f1993406583bf0da77dec57f9b3b3dd116e3146 Mon Sep 17 00:00:00 2001
From: Priyanshu Thapliyal <[email protected]>
Date: Tue, 24 Mar 2026 00:49:55 +0530
Subject: [PATCH] avcodec/pngdec: fix dead overflow check in
 decode_text_to_exif()

The expression (exif_len & ~SIZE_MAX) is always 0 for size_t,
making the overflow guard permanently dead code.

Reported-by: Guanni Qu <[email protected]>
Signed-off-by: Priyanshu Thapliyal <[email protected]>
---
 libavcodec/pngdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 042b6a5c2f..d630617004 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -558,7 +558,7 @@ static int decode_text_to_exif(PNGDecContext *s, const char 
*txt_utf8)
     }
 
     // first condition checks for overflow in 2 * exif_len
-    if ((exif_len & ~SIZE_MAX) || end - ptr < 2 * exif_len)
+    if (exif_len > SIZE_MAX / 2 || end - ptr < 2 * exif_len)
         return AVERROR_INVALIDDATA;
     if (exif_len < 10)
         return AVERROR_INVALIDDATA;
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to