Heap-buffer-overflow in FFmpeg EXIF when writing extra IFD tags

TL;DR

A four-byte heap-buffer-overflow was found in FFmpeg's EXIF handling during processing and reserialization of extra IFD tags. The issue affects common image formats (PNG, JPG, WebP, AVIF) and arose from a size-miscalculation tied to how extra IFD entries are handled when writing EXIF data.

What happened

Researchers identified a four-byte heap-buffer-overflow in FFmpeg's avcodec/exif codepath while processing Image File Directories (IFDs). The decoder reads EXIF chunks into a buffer and attaches that buffer to output frames via ff_decode_exif_attach_buffer, which calls av_exif_parse_buffer to build an AVExifMetadata structure. When FFmpeg reserializes EXIF data (av_exif_write) it computes the output buffer size with exif_get_ifd_size. That sizing code treats synthetic "extra" IFD entries (reserved tags in the 0xFFEC–0xFFFC range) as having zero base tag size on the assumption they will be peeled out later. av_exif_write later iterates downward from 0xFFFC to remove and append those extra IFDs. The mismatch between the initial size estimation and the later peel/append logic led to a four-byte heap-buffer-overflow. The reporter noted the defect was found roughly three days after it entered the codebase and that it affects formats that commonly carry EXIF: .png, .jpg, .webp and .avif.

Why it matters

• Memory-corruption bug in a widely used multimedia library can cause crashes or unexpected behavior when parsing image EXIF data.
• The flaw affects multiple common image formats that often carry EXIF metadata, increasing the surface for encountering malformed inputs.
• The issue stems from size-calculation and serialization logic, which can be subtle and may affect related EXIF reserialization paths.
• Wide deployment of FFmpeg in software that handles image decoding means downstream projects could inherit the problem until addressed.

Key facts

• Vulnerability type: four-byte heap-buffer-overflow.
• Component: FFmpeg avcodec EXIF handling (av_exif_write / exif_get_ifd_size path).
• Affected formats explicitly mentioned: .png, .jpg, .webp, .avif.
• Trigger path: decoder reads EXIF chunk into s->exif_data, attaches it via ff_decode_exif_attach_buffer, then av_exif_write performs reserialization.
• exif_get_ifd_size treats extra IFD entries (AV_TIFF_IFD with IDs in the reserved range) as having zero base entry size because they are expected to be removed later.
• av_exif_write later "peels" extra IFDs linearly from tag 0xFFFC downward and appends them during write; the size estimate and peeling logic mismatch leads to overflow.
• The code caps parsing of extra IFDs to a maximum of 16 entries for sanity.
• Reporter: Ruikai Peng; discovery occurred about three days after the offending change was introduced into the codebase.

What to watch next

• Availability of an upstream FFmpeg patch or commit addressing the size-calculation / peeling mismatch (not confirmed in the source).
• Whether a coordinated security advisory or CVE is published for this heap-buffer-overflow (not confirmed in the source).
• Downstream projects incorporating the patched FFmpeg release and any follow-up fixes or regressions (not confirmed in the source).

Quick glossary

• EXIF: A standard for storing metadata in image files, including camera, capture, and orientation information.
• IFD (Image File Directory): A TIFF/EXIF structure that contains a list of metadata entries (tags) describing or pointing to image-related data.
• Heap-buffer-overflow: A memory safety error where a program writes past the end of a dynamically allocated (heap) buffer.
• AVExifMetadata: FFmpeg's internal data structure used to represent parsed EXIF metadata and IFDs.

Reader FAQ

Which file types are affected?
.png, .jpg, .webp and .avif are explicitly mentioned in the source.

Who reported the issue?
The researcher identified in the source is Ruikai Peng.

Was a fix or patch released?
not confirmed in the source

Is there a CVE or advisory for this bug?
not confirmed in the source

Heap-buffer-overflow in EXIF writer for extra IFD tags Ruikai Peng We recently found a cool four-bytes heap-buffer-overflow in FFmpeg's avcodec/exif during the processing of IFDs (Image File Directory). This affects…

Sources

• Heap Overflow in FFmpeg EXIF
• A Heap Overflow in FFmpeg's IAMF Parser: A Fuzzing …
• FFmpeg < 8.0 Heap-Buffer-Overflow
• FFmpeg – Heap-buffer-overflow write in jpeg2000dec

Related posts

• Mitigating RF Pollution from Satellite Constellations and Telescopes
• Meet the new tech laws of 2026: state AI, privacy, repair and limits
• Meta reportedly hid scam ads from regulators and journalists, not fully banning them