diff --git a/src/tiffvisitor_int.cpp b/src/tiffvisitor_int.cpp index 854f336984..d2b655a6e7 100644 --- a/src/tiffvisitor_int.cpp +++ b/src/tiffvisitor_int.cpp @@ -1598,6 +1598,9 @@ namespace Exiv2 { if ( !isize ) { v->read(pData, size, byteOrder()); } else { + // Prevent large memory allocations: https://github.com/Exiv2/exiv2/issues/1881 + enforce(isize <= 1024 * 1024, kerCorruptedMetadata); + // #1143 Write a "hollow" buffer for the preview image // Sadly: we don't know the exact location of the image in the source (it's near offset) // And neither TiffReader nor TiffEntryBase have access to the BasicIo object being processed diff --git a/test/data/issue_1881_coverage.jpg b/test/data/issue_1881_coverage.jpg new file mode 100644 index 0000000000..f07bbb7a08 Binary files /dev/null and b/test/data/issue_1881_coverage.jpg differ diff --git a/test/data/issue_1881_poc.jpg b/test/data/issue_1881_poc.jpg new file mode 100644 index 0000000000..c666fe8854 Binary files /dev/null and b/test/data/issue_1881_poc.jpg differ diff --git a/tests/bugfixes/github/test_issue_1881.py b/tests/bugfixes/github/test_issue_1881.py new file mode 100644 index 0000000000..356ed6b03f --- /dev/null +++ b/tests/bugfixes/github/test_issue_1881.py @@ -0,0 +1,22 @@ +# -*- coding: utf-8 -*- + +from system_tests import CaseMeta, CopyTmpFiles, path +@CopyTmpFiles("$data_path/issue_1881_poc.jpg", "$data_path/issue_1881_coverage.jpg") + +class SonyPreviewImageLargeAllocation(metaclass=CaseMeta): + """ + Regression test for the bug described in: + https://github.com/Exiv2/exiv2/issues/1881 + """ + url = "https://github.com/Exiv2/exiv2/issues/1881" + + filename1 = path("$tmp_path/issue_1881_poc.jpg") + filename2 = path("$tmp_path/issue_1881_coverage.jpg") + commands = ["$exiv2 -q -d I rm $filename1", "$exiv2 -q -d I rm $filename2"] + stdout = ["",""] + stderr = [ +"""Exiv2 exception in erase action for file $filename1: +$kerCorruptedMetadata +""", +""] + retval = [1,0]