Skip to content

check profile length before reading header in GetIPTCStream#8829

Merged
dlemstra merged 1 commit into
ImageMagick:mainfrom
dxbjavid:iptc-stream-length-check
Jun 29, 2026
Merged

check profile length before reading header in GetIPTCStream#8829
dlemstra merged 1 commit into
ImageMagick:mainfrom
dxbjavid:iptc-stream-length-check

Conversation

@dxbjavid

Copy link
Copy Markdown
Contributor

Prerequisites

  • I have written a descriptive pull-request title
  • I have verified that there are no overlapping pull-requests open
  • I have verified that I am following the existing coding patterns and practices as demonstrated in the repository.

Description

GetIPTCStream in coders/meta.c reads the first two bytes of the 8bim/iptc profile (*p and *(p+1)) before it has checked that the profile actually holds two bytes, so a profile shorter than that is read past its declared length. The profile content comes from the input image, and the read is reached when writing it out through the iptc, iptctext or 8bimtext coders. Every later read in the same function is already guarded by an extent check (for instance if (extent < 4) break before the four-byte tag length), so this just adds the matching guard for that first read and returns zero when there is nothing to parse, which leaves valid profiles untouched.

@dlemstra dlemstra merged commit 0d37a67 into ImageMagick:main Jun 29, 2026
13 checks passed
@dxbjavid

Copy link
Copy Markdown
Contributor Author

Thank you for reviewing and merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants