ianare / exif-py

Easy to use Python module to extract Exif metadata from digital image files.
BSD 3-Clause "New" or "Revised" License
831 stars 191 forks

Corrupted image causes huge resource consumption #182

Open CrimsonGlory opened 1 year ago

CrimsonGlory commented 1 year ago

The following crafted image file causes the latest version of exifread (3.0.0) to get into an infinite loop which starts using more memory until there is a MemoryError or Out of Memory. It was tested with:

File: https://www.mediafire.com/file/1nhu3axm8z23l5q/exifread_bug_file/file

To reproduce:

user@host:$ pip3 freeze | grep -i exifread
ExifRead==3.0.0
user@host:$ python3
Python 3.5.2 (default, Jan 26 2021, 13:30:48)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import exifread
>>> with open("exif_bug_file", 'rb') as file_handle:
...     exifread.process_file(file_handle)
...

EDIT: My bad. It is not an infinite loop. It takes more than 30 minutes and around 8GB of memory, but it does finish. I will edit the title and leave the issue open just in case.

user@host:$ date; python3 test.py ; date
Tue May  9 14:34:26 -03 2023
{'EXIF ISOSpeedRatings': (0x8827) Short=40 @ 196, 'EXIF ExposureProgram': (0x8822) Short=Program Normal @ 184, 'EXIF FocalLength': (0x920A) Ratio=5/18 @ 636, 'IFD 2 Tag 0x0277': (0x0277) Byte=[] @ 86061318, 'Image DateTime': (0x0132) ASCII=2018:09:13 16:14:52 @ 130, 'EXIF ComponentsConfiguration': (0x9101) Undefined=YCbCr @ 244, 'EXIF ExposureBiasValue': (0x9204) Signed Ratio=100/0 @ 620, 'IFD 2 Tag 0x0600': (0x0600) Byte=[] @ 256, 'Image ResolutionUnit': (0x0128) Short=Pixels/Inch @ 42, 'EXIF DateTimeDigitized': (0x9004) ASCII=:52 @ 576, 'EXIF Flash': (0x9209) Short=Flash did not fire @ 328, 'EXIF MeteringMode': (0x9207) Short=CenterWeightedAverage @ 316, 'EXIF ExposureTime': (0x829A) Ratio=0 @ 540, 'EXIF MaxApertureValue': (0x9205) Ratio=2/37 @ 628, 'EXIF BrightnessValue': (0x9203) Signed Ratio=100/441 @ 612, 'IFD 2 ImageWidth': (0x0100) Byte=[] @ 256, 'IFD 2 Tag 0x0301': (0x0301) ASCII= @ 1057027566, 'IFD 2 JPEGProc': (0x0200) ASCII= @ 256, 'EXIF DateTimeOriginal': (0x9003) ASCII= @ 556, 'Image Software': (0x0131) ASCII=G610FDXU1BRB3 @ 116, 'Image YCbCrPositioning': (0x0213) Short=Centered @ 78, 'EXIF ShutterSpeedValue': (0x9201) Signed Ratio=122070592/83 @ 596, 'EXIF MakerNote': (0x927C) Undefined=[115, 97, 109, 115, 117, 110, 103, 0, 83, 77, 45, 71, 54, 49, 48, 70, 0, 0, 71, 54, ... ] @ 98, 'Image Model': (0x0110) ASCII=SM-G610F @ 106, 'EXIF ExifVersion': (0x9000) Undefined=0220 @ 208, 'EXIF ApertureValue': (0x9202) Ratio=20/37 @ 604, 'EXIF FNumber': (0x829D) Ratio=100/19 @ 548, 'IFD 2 Tag 0x9600': (0x9600) Short=[] @ 1937075815, 'Image ExifOffset': (0x8769) Long=150 @ 90, 'Image Make': (0x010F) ASCII=samsung @ 98}
Tue May  9 15:12:24 -03 2023


nickdimitroff commented 8 months ago

This appears to be caused by a blow-up in _process_field: https://github.com/ianare/exif-py/blob/develop/exifread/classes.py#L185

The count value passed from _process_tag for the MakerNote field is huge, 1006641184: https://github.com/ianare/exif-py/blob/develop/exifread/classes.py#L227

The issue is already noted as a potentially malformed image or bug in s2n: https://github.com/ianare/exif-py/blob/develop/exifread/classes.py#L148
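An added example, not part of the thread and not exif-py's own code: a pre-check that rejects IFD entries whose declared count times type size cannot fit in the available data, which is the situation the comment above describes for the MakerNote count of 1006641184. The function names, the constructed sample TIFF block and the restriction to the first IFD of a bare TIFF block are assumptions of this example.

```python
import struct

# Bytes per value for TIFF 6.0 field types 1..12 (BYTE, ASCII, SHORT, LONG, RATIONAL, ...)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def oversized_entries(tiff):
    """Return (tag, count, reason) for each entry of the first IFD whose declared
    payload cannot fit in the buffer. `tiff` is a bare TIFF/Exif block (bytes)."""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF header")
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd + 2 > len(tiff):
        raise ValueError("IFD offset outside data")
    (n,) = struct.unpack_from(endian + "H", tiff, ifd)
    bad = []
    for i in range(n):
        pos = ifd + 2 + 12 * i
        if pos + 12 > len(tiff):
            bad.append((None, n, "entry table runs past end of data"))
            break
        tag, ftype, count, value = struct.unpack_from(endian + "HHII", tiff, pos)
        size = TYPE_SIZES.get(ftype)
        if size is None:
            bad.append((tag, count, "unknown field type %d" % ftype))
        elif size * count > 4 and value + size * count > len(tiff):
            # Payloads over 4 bytes live at offset `value`; they must end inside the data.
            bad.append((tag, count, "declares %d bytes, data is %d bytes"
                        % (size * count, len(tiff))))
    return bad

def build_sample(makernote_count):
    """Constructed little-endian TIFF block: Make (0x010F) plus MakerNote (0x927C)."""
    body = b"samsung\x00"
    data_off = 8 + 2 + 2 * 12 + 4  # header + entry count + 2 entries + next-IFD pointer
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", 0x010F, 2, len(body), data_off)
    ifd += struct.pack("<HHII", 0x927C, 7, makernote_count, data_off)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<I", 0) + body

if __name__ == "__main__":
    print(oversized_entries(build_sample(8)))           # well-formed sample
    print(oversized_entries(build_sample(1006641184)))  # count value reported in the thread
```

A caller handling untrusted uploads can run a check of this kind before invoking a full metadata parser and skip or quarantine files that report oversized entries.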