diff --git a/src/bigtiffimage.cpp b/src/bigtiffimage.cpp
index 5d4a5944..68a57f90 100644
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@@ -193,6 +193,19 @@ namespace Exiv2
 {
 BasicIo& io = Image::io();
 
+ // Fix for https://github.com/Exiv2/exiv2/issues/712
+ // A malicious file can cause a very deep recursion, leading to
+ // stack exhaustion.
+ // Note: 200 is an arbitrarily chosen cut-off value. The value
+ // of depth determines the amount of indentation inserted by the
+ // pretty-printer. The output starts to become unreadable as
+ // soon as the indentation exceeds 80 characters or so. That's
+ // why 200 ought to be a reasonable cut-off.
+ if (depth > 200) {
+ out << Internal::indent(depth) << "Maximum indentation depth exceeded." << std::endl;
+ return;
+ }
+
 depth++;
 bool bFirst = true;
 
diff --git a/test/data/issue_712_poc.tif b/test/data/issue_712_poc.tif
new file mode 100644
index 00000000..d5287d73
Binary files /dev/null and b/test/data/issue_712_poc.tif differ
diff --git a/tests/bugfixes/github/test_issue_712.py b/tests/bugfixes/github/test_issue_712.py
new file mode 100644
index 00000000..0005b916
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_712.py
@@ -0,0 +1,30 @@
+import system_tests
+
+
+class BigTiffImageRecursionStackExhaustion(
+ metaclass=system_tests.CaseMeta):
+ """
+ Regression test for the bug described in:
+ https://github.com/Exiv2/exiv2/issues/712
+
+ A malicious input file can cause BigTiffImage::printIFD() to
+ recurse arbitrarily deep, causing a crash due to stack exhaustion.
+
+ The bug only existed in the -pR mode, which is now only enabled
+ in debug builds.
+ """
+ url = "https://github.com/Exiv2/exiv2/issues/790"
+
+ filename = system_tests.path(
+ "$data_path/issue_712_poc.tif"
+ )
+ commands = ["$exiv2 -b -u -k pr $filename"]
+ stdout = ["File name : " + filename + """
+File size : 3720 Bytes
+MIME type :
+Image size : 0 x 0
+"""
+]
+ stderr = [filename + """: No Exif data found in the file
+"""]
+ retval = [253]
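Review bot: The cut-off in `if (depth > 200)` is a bare magic number that is also restated twice in the comment above it, so the two will drift apart on the next tuning; a named constant next to printIFD, e.g. `static const int kMaxPrintIFDDepth = 200; // see issue 712: bound recursion on malicious IFD chains`, keeps the check and its rationale in one place. The guard runs before `depth++`, so depth values 0..200 pass and up to 201 nested printIFD frames are still permitted — that is fine as a stack bound, but the comment should say "more than 200 levels" rather than implying 200 is the maximum. This change bounds depth only: an IFD whose next-offset points back at itself, or at a parent, will still be read and printed 200 levels deep from attacker-supplied entries before the message is emitted, which is bounded work but not the earliest possible stop; a visited-offset set would be a complementary follow-up, not part of the stack-exhaustion fix. The printIFD signature and the rest of its body are outside the hunk, so the type of `depth` and how callers seed it could not be checked here.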
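Review bot: `url` cites issue 790 while the class name, docstring and data file all refer to issue 712; if 790 is the issue that tracks this regression test, the docstring should say so, otherwise `url = "https://github.com/Exiv2/exiv2/issues/712"` keeps the test's record consistent. The docstring states the bug existed only in `-pR` mode, which is now debug-only, yet the command run is `$exiv2 -b -u -k pr $filename`, so in a release build this test checks that the PoC file is parsed without a crash (exit 253, "No Exif data found") and does not appear to exercise the new depth guard at all; a sentence making that explicit, or a second debug-only `-pR` command where the harness supports it, would make the coverage honest. The expected `stdout` pins exact `File size : 3720 Bytes` and `MIME type :` lines, so any later change to the PoC fixture or to the summary formatting will break this test for reasons unrelated to the recursion fix — acceptable for a regression test, but worth a short comment.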