Merge pull request #1141 from Exiv2/fix_1091_0.27

fix_1091_0.27

src/bigtiffimage.cpp

@@ -193,6 +193,19 @@ namespace Exiv2
                 {
                     BasicIo& io = Image::io();
 
+                    // Fix for https://github.com/Exiv2/exiv2/issues/712
+                    // A malicious file can cause a very deep recursion, leading to
+                    // stack exhaustion.
+                    // Note: 200 is an arbitrarily chosen cut-off value. The value
+                    // of depth determines the amount of indentation inserted by the
+                    // pretty-printer. The output starts to become unreadable as
+                    // soon as the indentation exceeds 80 characters or so. That's
+                    // why 200 ought to be a reasonable cut-off.
+                    if (depth > 200) {
+                      out << Internal::indent(depth) << "Maximum indentation depth exceeded." << std::endl;
+                      return;
+                    }
+
                     depth++;
                     bool bFirst  = true;
 

tests/bugfixes/github/test_issue_712.py

@@ -0,0 +1,30 @@
+import system_tests
+
+
+class BigTiffImageRecursionStackExhaustion(
+        metaclass=system_tests.CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/712
+
+    A malicious input file can cause BigTiffImage::printIFD() to
+    recurse arbitrarily deep, causing a crash due to stack exhaustion.
+
+    The bug only existed in the -pR mode, which is now only enabled
+    in debug builds.
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/790"
+
+    filename = system_tests.path(
+        "$data_path/issue_712_poc.tif"
+    )
+    commands = ["$exiv2 -b -u -k pr $filename"]
+    stdout = ["File name       : " + filename + """
+File size       : 3720 Bytes
+MIME type       : 
+Image size      : 0 x 0
+"""
+]
+    stderr = [filename + """: No Exif data found in the file
+"""]
+    retval = [253]