From a60f0a38ce79dfa711a6272ff32349ceb8185764 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse Date: Sun, 11 Feb 2024 15:39:42 +0000 Subject: [PATCH] Throw exception if the recursion goes too deep. --- include/exiv2/bmffimage.hpp | 3 ++- src/bmffimage.cpp | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/include/exiv2/bmffimage.hpp b/include/exiv2/bmffimage.hpp index b634953925..786f57201b 100644 --- a/include/exiv2/bmffimage.hpp +++ b/include/exiv2/bmffimage.hpp @@ -56,7 +56,7 @@ class EXIV2API BmffImage : public Image { @param create Specifies if an existing image should be read (false) or if a new file should be created (true). */ - BmffImage(BasicIo::UniquePtr io, bool create); + BmffImage(BasicIo::UniquePtr io, bool create, size_t max_box_depth = 1000); //@} //@{ @@ -138,6 +138,7 @@ class EXIV2API BmffImage : public Image { uint16_t xmpID_{0}; std::map ilocs_; bool bReadMetadata_{false}; + const size_t max_box_depth_; //@} /*! diff --git a/src/bmffimage.cpp b/src/bmffimage.cpp index 38532dcc7a..67d9cd1427 100644 --- a/src/bmffimage.cpp +++ b/src/bmffimage.cpp @@ -78,8 +78,8 @@ std::string Iloc::toString() const { return Internal::stringFormat("ID = %u from,length = %u,%u", ID_, start_, length_); } -BmffImage::BmffImage(BasicIo::UniquePtr io, bool /* create */) : - Image(ImageType::bmff, mdExif | mdIptc | mdXmp, std::move(io)) { +BmffImage::BmffImage(BasicIo::UniquePtr io, bool /* create */, size_t max_box_depth) : + Image(ImageType::bmff, mdExif | mdIptc | mdXmp, std::move(io)), max_box_depth_(max_box_depth) { } // BmffImage::BmffImage std::string BmffImage::toAscii(uint32_t n) { @@ -237,7 +237,7 @@ uint64_t BmffImage::boxHandler(std::ostream& out /* = std::cout*/, Exiv2::PrintS // never visit a box twice! if (depth == 0) visits_.clear(); - if (visits_.find(address) != visits_.end() || visits_.size() > visits_max_) { + if (visits_.find(address) != visits_.end() || visits_.size() > visits_max_ || depth >= max_box_depth_) { throw Error(ErrorCode::kerCorruptedMetadata); } visits_.insert(address);