From 218ad98f227f88011243decdaf8d66ac06c31c16 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse Date: Fri, 27 Aug 2021 16:56:20 +0100 Subject: [PATCH 1/3] Regression test for https://github.com/Exiv2/exiv2/issues/1881 --- test/data/issue_1881_poc.jpg | Bin 0 -> 3195 bytes tests/bugfixes/github/test_issue_1881.py | 20 ++++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 test/data/issue_1881_poc.jpg create mode 100644 tests/bugfixes/github/test_issue_1881.py diff --git a/test/data/issue_1881_poc.jpg b/test/data/issue_1881_poc.jpg new file mode 100644 index 0000000000000000000000000000000000000000..c666fe8854614c2afd47951754ee7ade74c39265 GIT binary patch literal 3195 zcmeHJ%}*0i5TAV@LdymdZ^pz%;ZTruH&7`(s8BR%LZxZ(Kq7}0Udx)6ZQ89O8a!4L zJ)4lgf562{qh36iUN~4Z(Q-7NNxYGmlyP2nOG||i6Cxfu$=jK?Z{~gc=FPmpGKQxn zzuBa*d7d<*zZr$~c}6@LV?L*- z@>j&|D@(|r(>>IkE~Aooa_ZziPrU{0)t-t!~Y2 ztUrHSBKhSOi$qgt!h03b@IkH-^gw8uR5}0ze@}dR%mLT!6`T)3E@_O(k~{BkVV0eN z4~(5>4B7zBG4J>#n};GG(aFIv3l_{jZMYAzB+s%++u4D<{_xIZAWRFvySz>a3KRjv z=+2&xMx9RQh33(A(x^dZZ}0RGfm27shGLKS3u@$r4si(ut-x+K6Sq{d@Dtr~JCYpd?SZTwXd?7d3Tb@ftny152r7JuCDcnNUtT JE&M;}?l-BJS)2d> literal 0 HcmV?d00001 diff --git a/tests/bugfixes/github/test_issue_1881.py b/tests/bugfixes/github/test_issue_1881.py new file mode 100644 index 0000000000..74bd5d0dbb --- /dev/null +++ b/tests/bugfixes/github/test_issue_1881.py @@ -0,0 +1,20 @@ +# -*- coding: utf-8 -*- + +from system_tests import CaseMeta, CopyTmpFiles, path +@CopyTmpFiles("$data_path/issue_1881_poc.jpg") + +class SonyPreviewImageLargeAllocation(metaclass=CaseMeta): + """ + Regression test for the bug described in: + https://github.com/Exiv2/exiv2/issues/1881 + """ + url = "https://github.com/Exiv2/exiv2/issues/1881" + + filename = path("$tmp_path/issue_1881_poc.jpg") + commands = ["$exiv2 -q -d I rm $filename"] + stdout = [""] + stderr = [ +"""Exiv2 exception in erase action for file $filename: +$kerCorruptedMetadata +"""] + retval = [1] 
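Review bot: The decorator `@CopyTmpFiles("$data_path/issue_1881_poc.jpg")` is separated from `class SonyPreviewImageLargeAllocation(metaclass=CaseMeta):` by a blank line, which reads as a stray statement rather than the class decorator it is; place it directly above the `class` line. The docstring only repeats the issue URL, so a maintainer cannot tell from the test what the PoC exercises; the class name suggests a Sony preview-image entry whose declared size drives a huge allocation, and if that is confirmed a line such as `Regression test: a preview image with an oversized size field must be rejected as corrupted metadata rather than allocated (issue 1881).` would make the intent explicit. The expectations pin the exact `kerCorruptedMetadata` stderr text and `retval = [1]`, so any later change to the error kind or message will require updating this test; that coupling is acceptable for a regression test but worth stating in the docstring.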
From 60144df5570bb6cfcf8f5d395c874a7c00c41fe4 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Fri, 27 Aug 2021 16:56:45 +0100
Subject: [PATCH 2/3] Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37492
Throw an error if the size of the preview is greater than 1MB.
---
src/tiffvisitor_int.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/tiffvisitor_int.cpp b/src/tiffvisitor_int.cpp
index 854f336984..d2b655a6e7 100644
--- a/src/tiffvisitor_int.cpp
+++ b/src/tiffvisitor_int.cpp
@@ -1598,6 +1598,9 @@ namespace Exiv2 {
 if ( !isize ) {
 v->read(pData, size, byteOrder());
 } else {
+ // Prevent large memory allocations: https://github.com/Exiv2/exiv2/issues/1881
+ enforce(isize <= 1024 * 1024, kerCorruptedMetadata);
+
 // #1143 Write a "hollow" buffer for the preview image
 // Sadly: we don't know the exact location of the image in the source (it's near offset)
 // And neither TiffReader nor TiffEntryBase have access to the BasicIo object being processed
From ddd1c47f8ba645b945d566695e40b425efa8560e Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Fri, 27 Aug 2021 17:42:20 +0100
Subject: [PATCH 3/3] Add second test file for better code coverage.
---
test/data/issue_1881_coverage.jpg | Bin 0 -> 2008 bytes
tests/bugfixes/github/test_issue_1881.py | 16 +++++++++-------
2 files changed, 9 insertions(+), 7 deletions(-)
create mode 100644 test/data/issue_1881_coverage.jpg
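Review bot: The bound in `enforce(isize <= 1024 * 1024, kerCorruptedMetadata);` is a bare magic number with no rationale for why 1 MiB is the cutoff; name it and say why, e.g. `// Previews are small; an isize beyond this is almost certainly a crafted size field (#1881)`, `static const size_t kMaxPreviewSize = 1024 * 1024;`, `enforce(isize <= kMaxPreviewSize, kerCorruptedMetadata);`. Nothing in the hunk establishes that every legitimate Sony preview fits in 1 MiB; if real files exceed it they now fail hard with `kerCorruptedMetadata`, so it is worth checking sample files and considering whether skipping the preview (treating it as absent) would degrade more gracefully than rejecting the metadata. The type of `isize` is not visible here; if it is signed, a negative value passes this comparison, so confirm it is unsigned or also reject values below zero. The enclosing function starts and ends outside the hunk, including the allocation this check is meant to guard.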
diff --git a/test/data/issue_1881_coverage.jpg b/test/data/issue_1881_coverage.jpg new file mode 100644 index 0000000000000000000000000000000000000000..f07bbb7a08d6a0f0bb8c790dfeaeddbb1203c362 GIT binary patch literal 2008 zcmds2&1)1f6n~lNcDmbYyDA8+$k2l=5=%1s)j_b}uB%h~X|8&Kc@&|&`44Chq6csO2O{HpNw%)GMZKt)A$h-fd3i~Gd3g!ngzurH zHy`AIF#v`igddz&M{X7;0D@pYGyp&o_C&Gk9a#9s6b6NxnFUeQJ;vICID+yi)*Z%% z%>lHs2)Tu4SlbMKfw+^|N>4r|j@^UuCDxtRH+}JbowCWHgD0yFT*Ce}tW-t@2hIdR zUtjp;^nsHJfMckmd8#s3yjYwbpLDb1R|=(ZmyF!eLMhQD!0tk*xVQcfzbDb=QV z(i1Yx1;@E~il=#ocXOXh!KLKV<1)c{GKCP0WQNOb?xC&6y#)7?+)HsU&Aklwx_Lqz z%%pRNbABGz@;k?vKh+!LgT8)%f8rQtartzduWc2W7kE!Fjz&?oC9@eA-sfO^BOaZb89}L;@HiNWL@%r#%UaDmGxYQ5ZmRL3eG&@ zI)eugM~uxVVyCROiVY&;~XTffkyGo?mAI9CEc}QVx1paug;8*s^90Ay@{Z{*GOvj~IL$ZR%_E zvE_Tp4~=cA(R<4g6@BONWY*K;&(h@7UrLj1%}cRDJNZ6M3VJEFOq2glZVy*smwt$d dgK8mdoWf+ibRr7Zpvh)n#qBuszzl?MzXCW5