From 86462e55138f407cdd592096a7e5e7bb9ceec327 Mon Sep 17 00:00:00 2001
From: Brian Popow
Date: Thu, 16 Apr 2020 11:35:29 +0200
Subject: [PATCH] Throw if IPTC data exceeds limit
---
 src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs | 14 +++++++++++---
 src/ImageSharp/Formats/Jpeg/JpegEncoderCore.cs | 9 +++++++++
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs b/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs
index 93cdd18c31..4000fa0f62 100644
--- a/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs
+++ b/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs
@@ -644,10 +644,11 @@ namespace SixLabors.ImageSharp.Formats.Jpeg
 {
 var resourceBlockNameLength = ReadImageResourceNameLength(blockDataSpan);
 var resourceDataSize = ReadResourceDataLength(blockDataSpan, resourceBlockNameLength);
- if (resourceDataSize > 0)
+ int dataStartIdx = 2 + resourceBlockNameLength + 4;
+ if (resourceDataSize > 0 && blockDataSpan.Length >= dataStartIdx + resourceDataSize)
 {
 this.isIptc = true;
- this.iptcData = blockDataSpan.Slice(2 + resourceBlockNameLength + 4, resourceDataSize).ToArray();
+ this.iptcData = blockDataSpan.Slice(dataStartIdx, resourceDataSize).ToArray();
 break;
 }
 }
@@ -655,7 +656,14 @@ namespace SixLabors.ImageSharp.Formats.Jpeg
 {
 var resourceBlockNameLength = ReadImageResourceNameLength(blockDataSpan);
 var resourceDataSize = ReadResourceDataLength(blockDataSpan, resourceBlockNameLength);
- blockDataSpan = blockDataSpan.Slice(2 + resourceBlockNameLength + 4 + resourceDataSize);
+ int dataStartIdx = 2 + resourceBlockNameLength + 4;
+ if (blockDataSpan.Length < dataStartIdx + resourceDataSize)
+ {
+ // Not enough data or the resource data size is wrong.
+ break;
+ }
+
+ blockDataSpan = blockDataSpan.Slice(dataStartIdx + resourceDataSize);
 }
 }
 }
diff --git a/src/ImageSharp/Formats/Jpeg/JpegEncoderCore.cs b/src/ImageSharp/Formats/Jpeg/JpegEncoderCore.cs
index a3786ae1c2..eed95c6b07 100644
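Review bot: The new bounds checks compute `dataStartIdx + resourceDataSize` in unchecked `int` arithmetic, and `resourceDataSize` is read from the file being decoded, so a very large declared size can wrap the sum negative and pass `blockDataSpan.Length >= dataStartIdx + resourceDataSize`; the following `Slice` then throws instead of the block being skipped (this assumes `ReadResourceDataLength` returns a signed 32-bit value, which the hunk does not show). Subtracting instead of adding avoids the wrap: `if (resourceDataSize > 0 && resourceDataSize <= blockDataSpan.Length - dataStartIdx)`. The second hunk (-655) has the same sum and additionally no lower bound, so a negative size reaches `Slice(dataStartIdx + resourceDataSize)`; there the guard could be `if (resourceDataSize < 0 || resourceDataSize > blockDataSpan.Length - dataStartIdx)`. Both hunks sit inside a loop whose start and end are outside the diff, so how a rejected IPTC block is handled afterwards cannot be judged from here.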
--- a/src/ImageSharp/Formats/Jpeg/JpegEncoderCore.cs
+++ b/src/ImageSharp/Formats/Jpeg/JpegEncoderCore.cs
@@ -700,8 +700,12 @@ namespace SixLabors.ImageSharp.Formats.Jpeg
 /// Writes the IPTC metadata.
 ///
 /// The iptc metadata to write.
+ ///
+ /// Thrown if the IPTC profile size exceeds the limit of 65533 bytes.
+ ///
 private void WriteIptcProfile(IptcProfile iptcProfile)
 {
+ const int Max = 65533;
 if (iptcProfile is null || !iptcProfile.Values.Any())
 {
 return;
@@ -714,6 +718,11 @@ namespace SixLabors.ImageSharp.Formats.Jpeg
 return;
 }
 
+ if (data.Length > Max)
+ {
+ throw new ImageFormatException($"Iptc profile size exceeds limit of {Max} bytes");
+ }
+
 var app13Length = 2 + ProfileResolver.AdobePhotoshopApp13Marker.Length +
 ProfileResolver.AdobeImageResourceBlockMarker.Length +
 ProfileResolver.AdobeIptcMarker.Length +
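Review bot: The added size check in WriteIptcProfile compares only `data.Length` with `Max`, while `app13Length` on the lines right below adds the Photoshop, resource-block and IPTC marker bytes on top of the data. If `app13Length` is emitted as the segment's 16-bit length field (the rest of the expression and the write are outside the hunk), a profile just under 65533 bytes passes the check and still overflows that field, yielding a malformed APP13 segment. Consider moving the check below the `app13Length` computation and testing the total, e.g. `if (app13Length > ushort.MaxValue)`, or lowering `Max` by the fixed header overhead and updating the limit stated in the doc comment and message. The constant `const int Max = 65533;` from the -700 hunk would also read better with a name that says what it bounds, for example `MaxIptcDataLength`.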