Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cyclic directory references in EXIF data cause StackOverflowErrors #477

Closed
jabshire opened this issue Mar 4, 2019 · 4 comments
Closed

Cyclic directory references in EXIF data cause StackOverflowErrors #477

jabshire opened this issue Mar 4, 2019 · 4 comments
Assignees
@haraldk
Labels
Confirmed bug Trouble-shooting

Comments

@jabshire
Copy link

jabshire commented Mar 4, 2019
edited

When you give TwelveMonkeys a JPEG with an EXIF directory that points to itself, you get a StackOverflowError:

    at com.twelvemonkeys.imageio.metadata.exif.EXIFReader.readValue(EXIFReader.java:344) ~[TwelveMonkeys-imageio-metadata-3.3.2.jar:?]
    at com.twelvemonkeys.imageio.metadata.exif.EXIFReader.readValueAt(EXIFReader.java:287) ~[TwelveMonkeys-imageio-metadata-3.3.2.jar:?]
    at com.twelvemonkeys.imageio.metadata.exif.EXIFReader.readEntry(EXIFReader.java:277) ~[TwelveMonkeys-imageio-metadata-3.3.2.jar:?]
    at com.twelvemonkeys.imageio.metadata.exif.EXIFReader.readDirectory(EXIFReader.java:109) ~[TwelveMonkeys-imageio-metadata-3.3.2.jar:?]
    at com.twelvemonkeys.imageio.metadata.exif.EXIFReader.readDirectory(EXIFReader.java:133) ~[TwelveMonkeys-imageio-metadata-3.3.2.jar:?]  (this one repeats until you StackOverflow)

This is line 133:
CompoundDirectory next = (CompoundDirectory) readDirectory(pInput, nextOffset, true);

You can see where another library solved this same issue: https://github.com/drewnoakes/metadata-extractor/blob/master/Source/com/drew/imaging/tiff/TiffReader.java#L112-L118

This is on 3.3.2, which is an old version. But if I upgrade locally to the latest version, it just hangs instead of stack overflowing.
@haraldk
Copy link
Owner

haraldk commented Mar 5, 2019
edited

Hi Jeff,

Thanks for reporting!

I just made some change to the TIFF parsing that might help in this case (we no longer parse arbitrary nested IFDs), but I think the case may still happen for TIFF SubIFDs. This fix is currently only in my local branch, not in master or in the released 3.4.1. Hope to push it soon. Possibly related: #469

Do you happen to have a TIFF structure (or a JPEG containing an Exif segment) that has this problem, it would be very helpful if you could attach the file to the issue.

Best regards,

--
Harald K

@jabshire
Copy link
Author

jabshire commented Mar 5, 2019

My guess for where it's infinite looping in the new version is https://github.com/haraldk/TwelveMonkeys/blob/master/imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/tiff/TIFFReader.java#L117-L128

Sample photo which breaks: http://www.danalog.org/images/exif-loop.jpg

@haraldk
Copy link
Owner

haraldk commented Mar 5, 2019

Thanks!

I realized the fixed version is only local, so it isn't in the master branch yet, sorry...

But I'll look into it!

--
Harald K

@haraldk haraldk self-assigned this Mar 22, 2019
haraldk added a commit that referenced this issue Aug 8, 2019
@haraldk
#477: Avoid cyclic loops in IFDs.
8480c92
@haraldk
Copy link
Owner

haraldk commented Aug 8, 2019

Finally had some time to look at this.

Fixed.

@haraldk haraldk closed this as completed Aug 8, 2019
haraldk added a commit that referenced this issue Aug 9, 2019
@haraldk
#477: Better tests to for cyclic loops in IFDs.
b0b5de5
haraldk added a commit that referenced this issue Aug 9, 2019
@haraldk
#477: Avoid cyclic loops in IFDs.
0e41d4a 
(cherry picked from commit 8480c92)
haraldk added a commit that referenced this issue Aug 9, 2019
@haraldk
#477: Better tests to for cyclic loops in IFDs.
59c6c18 
(cherry picked from commit b0b5de5)
@petervwyatt petervwyatt mentioned this issue Mar 23, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@haraldk haraldk

Labels
Confirmed bug Trouble-shooting
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@haraldk @jabshire