Merge pull request #1882 from kevinbackhouse/FixIssue1881

Throw an error if the size of the preview is greater than 1MB
2021-08-27 18:17:14 +01:00 · 2021-08-27 18:17:14 +01:00 · cb16324bcf
commit cb16324bcf
parent ccfdcf84ea ddd1c47f8b
4 changed files with 25 additions and 0 deletions
--- a/src/tiffvisitor_int.cpp
+++ b/src/tiffvisitor_int.cpp
@ -1598,6 +1598,9 @@ namespace Exiv2 {
        if ( !isize ) {
            v->read(pData, size, byteOrder());
        } else {
+            // Prevent large memory allocations: https://github.com/Exiv2/exiv2/issues/1881
+            enforce(isize <= 1024 * 1024, kerCorruptedMetadata);
+
            // #1143 Write a "hollow" buffer for the preview image
            //       Sadly: we don't know the exact location of the image in the source (it's near offset)
            //       And neither TiffReader nor TiffEntryBase have access to the BasicIo object being processed
--- a/test/data/issue_1881_coverage.jpg
+++ b/test/data/issue_1881_coverage.jpg
--- a/test/data/issue_1881_poc.jpg
+++ b/test/data/issue_1881_poc.jpg
--- a/tests/bugfixes/github/test_issue_1881.py
+++ b/tests/bugfixes/github/test_issue_1881.py
@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path
+@CopyTmpFiles("$data_path/issue_1881_poc.jpg", "$data_path/issue_1881_coverage.jpg")
+
+class SonyPreviewImageLargeAllocation(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/1881
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/1881"
+
+    filename1 = path("$tmp_path/issue_1881_poc.jpg")
+    filename2 = path("$tmp_path/issue_1881_coverage.jpg")
+    commands = ["$exiv2 -q -d I rm $filename1", "$exiv2 -q -d I rm $filename2"]
+    stdout = ["",""]
+    stderr = [
+"""Exiv2 exception in erase action for file $filename1:
+$kerCorruptedMetadata
+""",
+""]
+    retval = [1,0]