Throw if IPTC data exceeds limit

6 years ago · 86462e5513
2 changed files with 20 additions and 3 deletions
--- a/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs
+++ b/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs
@ -644,10 +644,11 @@ namespace SixLabors.ImageSharp.Formats.Jpeg
                    {
                        var resourceBlockNameLength = ReadImageResourceNameLength(blockDataSpan);
                        var resourceDataSize = ReadResourceDataLength(blockDataSpan, resourceBlockNameLength);
-                        if (resourceDataSize > 0)
+                        int dataStartIdx = 2 + resourceBlockNameLength + 4;
+                        if (resourceDataSize > 0 && blockDataSpan.Length >= dataStartIdx + resourceDataSize)
                        {
                            this.isIptc = true;
-                            this.iptcData = blockDataSpan.Slice(2 + resourceBlockNameLength + 4, resourceDataSize).ToArray();
+                            this.iptcData = blockDataSpan.Slice(dataStartIdx, resourceDataSize).ToArray();
                            break;
                        }
                    }
@ -655,7 +656,14 @@ namespace SixLabors.ImageSharp.Formats.Jpeg
                    {
                        var resourceBlockNameLength = ReadImageResourceNameLength(blockDataSpan);
                        var resourceDataSize = ReadResourceDataLength(blockDataSpan, resourceBlockNameLength);
-                        blockDataSpan = blockDataSpan.Slice(2 + resourceBlockNameLength + 4 + resourceDataSize);
+                        int dataStartIdx = 2 + resourceBlockNameLength + 4;
+                        if (blockDataSpan.Length < dataStartIdx + resourceDataSize)
+                        {
+                            // Not enough data or the resource data size is wrong.
+                            break;
+                        }
+
+                        blockDataSpan = blockDataSpan.Slice(dataStartIdx + resourceDataSize);
                    }
                }
            }
--- a/src/ImageSharp/Formats/Jpeg/JpegEncoderCore.cs
+++ b/src/ImageSharp/Formats/Jpeg/JpegEncoderCore.cs
@ -700,8 +700,12 @@ namespace SixLabors.ImageSharp.Formats.Jpeg
        /// Writes the IPTC metadata.
        /// </summary>
        /// <param name="iptcProfile">The iptc metadata to write.</param>
+        /// <exception cref="ImageFormatException">
+        /// Thrown if the IPTC profile size exceeds the limit of 65533 bytes.
+        /// </exception>
        private void WriteIptcProfile(IptcProfile iptcProfile)
        {
+            const int Max = 65533;
            if (iptcProfile is null || !iptcProfile.Values.Any())
            {
                return;
@ -714,6 +718,11 @@ namespace SixLabors.ImageSharp.Formats.Jpeg
                return;
            }

+            if (data.Length > Max)
+            {
+                throw new ImageFormatException($"Iptc profile size exceeds limit of {Max} bytes");
+            }
+
            var app13Length = 2 + ProfileResolver.AdobePhotoshopApp13Marker.Length +
                              ProfileResolver.AdobeImageResourceBlockMarker.Length +
                              ProfileResolver.AdobeIptcMarker.Length +