Merge pull request #1884 from Exiv2/mergify/bp/0.27-maintenance/pr-1882

Throw an error if the size of the preview is greater than 1MB (backport #1882)
Exiv2 · Sep 5, 2021 · c335521 · c335521
2 parents 4921385 + 0b88bee
commit c335521
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 0 deletions.
diff --git a/src/tiffvisitor_int.cpp b/src/tiffvisitor_int.cpp
@@ -1632,6 +1632,9 @@ namespace Exiv2 {
         if ( !isize ) {
             v->read(pData, size, byteOrder());
         } else {
+            // Prevent large memory allocations: https://github.com/Exiv2/exiv2/issues/1881
+            enforce(isize <= 1024 * 1024, kerCorruptedMetadata);
+
             // #1143 Write a "hollow" buffer for the preview image
             //       Sadly: we don't know the exact location of the image in the source (it's near offset)
             //       And neither TiffReader nor TiffEntryBase have access to the BasicIo object being processed

diff --git a/test/data/issue_1881_coverage.jpg b/test/data/issue_1881_coverage.jpg
diff --git a/test/data/issue_1881_poc.jpg b/test/data/issue_1881_poc.jpg
diff --git a/tests/bugfixes/github/test_issue_1881.py b/tests/bugfixes/github/test_issue_1881.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path
+@CopyTmpFiles("$data_path/issue_1881_poc.jpg", "$data_path/issue_1881_coverage.jpg")
+
+class SonyPreviewImageLargeAllocation(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/1881
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/1881"
+
+    filename1 = path("$tmp_path/issue_1881_poc.jpg")
+    filename2 = path("$tmp_path/issue_1881_coverage.jpg")
+    commands = ["$exiv2 -q -d I rm $filename1", "$exiv2 -q -d I rm $filename2"]
+    stdout = ["",""]
+    stderr = [
+"""Exiv2 exception in erase action for file $filename1:
+$kerCorruptedMetadata
+""",
+""]
+    retval = [1,0]