How to exhaust memory with one reputably sourced image #44
Comments
Yeah, Hachoir has bugs, but it's basically no longer maintained: http://unmaintained.tech/ If you propose a fix, I can try to review it.
Thanks for the bug report. It’s an infinite loop in the IFD generator caused by a bogus next pointer in IFD0 which points back to IFD0. The easy fix is probably just to ban recursion with a simple visited-set check, but I’m a little worried you could still DOS this by specifying “slid” offsets.
In theory the number of IFDs should be finite - a cursory reading of the spec suggests the limit is 3 (IFD0, IFD1, IFD2). I’m a teensy bit hesitant to set this limit in case arbitrary linked IFDs was an intentional feature (although, for example, libexif only parses the first two).
I can put together a simple patch that fixes this issue pretty quickly - I already have it tested and working locally.
Robert
… On Aug 27, 2019, at 12:50 AM, Victor Stinner ***@***.***> wrote:
Yeah, Hachoir has bugs, but it's basically no longer maintained: http://unmaintained.tech/
If you propose a fix, I can try to review it.
The problem is that Hachoir allows creating 2 fields at the same address:
It should raise an error.
Yes, that would be a problem with the implementation of RootSeekableFieldSet. Perhaps the right solution then is to ban the creation of duplicate fields there. Keep in mind that RSFS’s design allows you to skip around in the file, but right now we don’t ban overlapping fields (maybe we should).
Robert
… On Aug 28, 2019, at 1:55 PM, Victor Stinner ***@***.***> wrote:
The problem is that Hachoir allows to create 2 fields at the same address:
+ 0) start_image: Start of image (SOI) (2 bytes)
- 2) exif: EXIF (292 bytes)
0) header= 0xff: Header (1 bytes)
1) type= 0xe1: Type (1 bytes)
2) size= 290: Size (2 bytes)
- 4) content: Chunk content (288 bytes)
0) header= "Exif\0\0": Header (Exif\0\0) (6 bytes)
6) endian= "MM": Endian ('II' or 'MM') (2 bytes)
8) version= 42: TIFF version number (2 bytes)
10) img_dir_ofs= 8: Next image directory offset (4 bytes)
+ 14) ifd[0] (216 bytes)
+ 234) exif[0] (54 bytes)
+ 14) ifd[1] (216 bytes)
+ 234) exif[1] (54 bytes)
+ 14) ifd[2] (216 bytes)
+ 234) exif[2] (54 bytes)
+ 14) ifd[3] (216 bytes)
...
It should raise an error.
maybe the same problem LonamiWebs/Telethon#1385
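Added example, not Hachoir's code and not the patch mentioned in the thread: a standalone walker for the TIFF IFD chain that rejects the IFD0-to-IFD0 next pointer described above, and also "slid" offsets, by refusing any IFD whose byte range overlaps an earlier one. The names `walk_ifds`, `make_tiff` and `IFDChainError`, the `max_ifds` default of 16 and the sample data are assumptions made for illustration.

```python
import struct

class IFDChainError(ValueError):
    """Malformed IFD chain (loop, overlap, truncation or too many IFDs)."""

def walk_ifds(tiff, max_ifds=16):  # the default of 16 is an arbitrary assumption
    """Return [(offset, size)] per IFD; refuse loops and overlapping IFDs."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        raise IFDChainError("bad TIFF header")
    version, offset = struct.unpack(order + "HI", tiff[2:8])
    if version != 42:
        raise IFDChainError("bad TIFF version")
    seen = []  # (start, end) byte ranges already claimed by an IFD
    while offset != 0:
        if len(seen) >= max_ifds:
            raise IFDChainError("too many IFDs")
        if offset + 2 > len(tiff):
            raise IFDChainError("IFD offset outside data")
        (count,) = struct.unpack_from(order + "H", tiff, offset)
        end = offset + 2 + 12 * count + 4  # count, 12-byte entries, next pointer
        if end > len(tiff):
            raise IFDChainError("IFD truncated")
        # A set of visited offsets only catches an exact repeat; comparing byte
        # ranges also catches a next pointer that lands inside an earlier IFD.
        if any(offset < e and s < end for s, e in seen):
            raise IFDChainError(f"IFD at {offset} overlaps an earlier IFD")
        seen.append((offset, end))
        (offset,) = struct.unpack_from(order + "I", tiff, end - 4)
    return [(s, e - s) for s, e in seen]

def make_tiff(ifds):
    """Constructed sample: ifds = [(entry_count, next_offset)], packed from offset 8."""
    out = b"MM" + struct.pack(">HI", 42, 8)
    for count, nxt in ifds:
        out += struct.pack(">H", count) + bytes(12 * count) + struct.pack(">I", nxt)
    return out

if __name__ == "__main__":
    cases = {"valid": [(1, 26), (0, 0)], "IFD0 -> IFD0": [(1, 8)], "slid": [(1, 10)]}
    for name, layout in cases.items():
        try:
            print(name, walk_ifds(make_tiff(layout)))
        except IFDChainError as exc:
            print(name, "rejected:", exc)
```

Offsets here are relative to the start of the TIFF header (the `MM`/`II` bytes), as `img_dir_ofs` is in the field dump quoted above.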
Using hachoir commit #5b9e05a on Windows 10 x64.
Steps...
test.py
BACKGROUND
from the reputable source https://fanart.tv/series/331821/the-looming-tower/
(direct image link is https://fanart.tv/api/download.php?type=download&image=88183&section=1)
fanart.jpg (the jpg image crc is BA866C09)
Python -V
# output Python 3.7.4 (32 bit)
python.exe test.py
Result:
infinite loop exhausting memory until Python crashes with MemoryError.
Test code
test.py
script located where cloned hachoir3 (or named whatever) folder is located.