add a few guards around reading ICC profile data

Johannes Bildstein · Johannes Bildstein · commit 800ee0985fb0 · 2018-05-22T22:32:05.000+02:00
diff --git a/src/ImageSharp/MetaData/Profiles/ICC/DataReader/IccDataReader.cs b/src/ImageSharp/MetaData/Profiles/ICC/DataReader/IccDataReader.cs
@@ -1,7 +1,6 @@
 ﻿// Copyright (c) Six Labors and contributors.
 // Licensed under the Apache License, Version 2.0.
 
-using System;
 using System.Text;
 
 namespace SixLabors.ImageSharp.MetaData.Profiles.Icc
@@ -11,7 +10,6 @@ namespace SixLabors.ImageSharp.MetaData.Profiles.Icc
     /// </summary>
     internal sealed partial class IccDataReader
     {
-        private static readonly bool IsLittleEndian = BitConverter.IsLittleEndian;
         private static readonly Encoding AsciiEncoding = Encoding.GetEncoding("ASCII");
 
         /// <summary>
@@ -34,6 +32,14 @@ public IccDataReader(byte[] data)
             this.data = data;
         }
 
+        /// <summary>
+        /// Gets the length in bytes of the raw data
+        /// </summary>
+        public int DataLength
+        {
+            get { return this.data.Length; }
+        }
+
         /// <summary>
         /// Sets the reading position to the given value
         /// </summary>
diff --git a/src/ImageSharp/MetaData/Profiles/ICC/IccReader.cs b/src/ImageSharp/MetaData/Profiles/ICC/IccReader.cs
@@ -84,45 +84,66 @@ private IccProfileHeader ReadHeader(IccDataReader reader)
         private IccTagDataEntry[] ReadTagData(IccDataReader reader)
         {
             IccTagTableEntry[] tagTable = this.ReadTagTable(reader);
-            var entries = new IccTagDataEntry[tagTable.Length];
+            var entries = new List<IccTagDataEntry>(tagTable.Length);
             var store = new Dictionary<uint, IccTagDataEntry>();
-            for (int i = 0; i < tagTable.Length; i++)
+
+            foreach (IccTagTableEntry tag in tagTable)
             {
                 IccTagDataEntry entry;
-                uint offset = tagTable[i].Offset;
-                if (store.ContainsKey(offset))
+                if (store.ContainsKey(tag.Offset))
                 {
-                    entry = store[offset];
+                    entry = store[tag.Offset];
                 }
                 else
                 {
-                    entry = reader.ReadTagDataEntry(tagTable[i]);
-                    store.Add(offset, entry);
+                    try
+                    {
+                        entry = reader.ReadTagDataEntry(tag);
+                    }
+                    catch
+                    {
+                        // Ignore tags that could not be read
+                        continue;
+                    }
+
+                    store.Add(tag.Offset, entry);
                 }
 
-                entry.TagSignature = tagTable[i].Signature;
-                entries[i] = entry;
+                entry.TagSignature = tag.Signature;
+                entries.Add(entry);
             }
 
-            return entries;
+            return entries.ToArray();
         }
 
         private IccTagTableEntry[] ReadTagTable(IccDataReader reader)
         {
             reader.SetIndex(128);   // An ICC header is 128 bytes long
 
             uint tagCount = reader.ReadUInt32();
-            var table = new IccTagTableEntry[tagCount];
 
+            // Prevent creating huge arrays because of corrupt profiles.
+            // A normal profile usually has 5-15 entries
+            if (tagCount > 100)
+            {
+                return new IccTagTableEntry[0];
+            }
+
+            var table = new List<IccTagTableEntry>((int)tagCount);
             for (int i = 0; i < tagCount; i++)
             {
                 uint tagSignature = reader.ReadUInt32();
                 uint tagOffset = reader.ReadUInt32();
                 uint tagSize = reader.ReadUInt32();
-                table[i] = new IccTagTableEntry((IccProfileTag)tagSignature, tagOffset, tagSize);
+
+                // Exclude entries that have nonsense values and could cause exceptions further on
+                if (tagOffset < reader.DataLength && tagSize < reader.DataLength - 128)
+                {
+                    table.Add(new IccTagTableEntry((IccProfileTag)tagSignature, tagOffset, tagSize));
+                }
             }
 
-            return table;
+            return table.ToArray();
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -84,45 +84,66 @@ private IccProfileHeader ReadHeader(IccDataReader reader)`
`84`	`84`	`private IccTagDataEntry[] ReadTagData(IccDataReader reader)`
`85`	`85`	`{`
`86`	`86`	`IccTagTableEntry[] tagTable = this.ReadTagTable(reader);`
`87`		`- var entries = new IccTagDataEntry[tagTable.Length];`
	`87`	`+ var entries = new List<IccTagDataEntry>(tagTable.Length);`
`88`	`88`	`var store = new Dictionary<uint, IccTagDataEntry>();`
`89`		`- for (int i = 0; i < tagTable.Length; i++)`
	`89`	`+`
	`90`	`+ foreach (IccTagTableEntry tag in tagTable)`
`90`	`91`	`{`
`91`	`92`	`IccTagDataEntry entry;`
`92`		`- uint offset = tagTable[i].Offset;`
`93`		`- if (store.ContainsKey(offset))`
	`93`	`+ if (store.ContainsKey(tag.Offset))`
`94`	`94`	`{`
`95`		`- entry = store[offset];`
	`95`	`+ entry = store[tag.Offset];`
`96`	`96`	`}`
`97`	`97`	`else`
`98`	`98`	`{`
`99`		`- entry = reader.ReadTagDataEntry(tagTable[i]);`
`100`		`- store.Add(offset, entry);`
	`99`	`+ try`
	`100`	`+ {`
	`101`	`+ entry = reader.ReadTagDataEntry(tag);`
	`102`	`+ }`
	`103`	`+ catch`
	`104`	`+ {`
	`105`	`+ // Ignore tags that could not be read`
	`106`	`+ continue;`
	`107`	`+ }`
	`108`	`+`
	`109`	`+ store.Add(tag.Offset, entry);`
`101`	`110`	`}`
`102`	`111`
`103`		`- entry.TagSignature = tagTable[i].Signature;`
`104`		`- entries[i] = entry;`
	`112`	`+ entry.TagSignature = tag.Signature;`
	`113`	`+ entries.Add(entry);`
`105`	`114`	`}`
`106`	`115`
`107`		`- return entries;`
	`116`	`+ return entries.ToArray();`
`108`	`117`	`}`
`109`	`118`
`110`	`119`	`private IccTagTableEntry[] ReadTagTable(IccDataReader reader)`
`111`	`120`	`{`
`112`	`121`	`reader.SetIndex(128); // An ICC header is 128 bytes long`
`113`	`122`
`114`	`123`	`uint tagCount = reader.ReadUInt32();`
`115`		`- var table = new IccTagTableEntry[tagCount];`
`116`	`124`
	`125`	`+ // Prevent creating huge arrays because of corrupt profiles.`
	`126`	`+ // A normal profile usually has 5-15 entries`
	`127`	`+ if (tagCount > 100)`
	`128`	`+ {`
	`129`	`+ return new IccTagTableEntry[0];`
	`130`	`+ }`
	`131`	`+`
	`132`	`+ var table = new List<IccTagTableEntry>((int)tagCount);`
`117`	`133`	`for (int i = 0; i < tagCount; i++)`
`118`	`134`	`{`
`119`	`135`	`uint tagSignature = reader.ReadUInt32();`
`120`	`136`	`uint tagOffset = reader.ReadUInt32();`
`121`	`137`	`uint tagSize = reader.ReadUInt32();`
`122`		`- table[i] = new IccTagTableEntry((IccProfileTag)tagSignature, tagOffset, tagSize);`
	`138`	`+`
	`139`	`+ // Exclude entries that have nonsense values and could cause exceptions further on`
	`140`	`+ if (tagOffset < reader.DataLength && tagSize < reader.DataLength - 128)`
	`141`	`+ {`
	`142`	`+ table.Add(new IccTagTableEntry((IccProfileTag)tagSignature, tagOffset, tagSize));`
	`143`	`+ }`
`123`	`144`	`}`
`124`	`145`
`125`		`- return table;`
	`146`	`+ return table.ToArray();`
`126`	`147`	`}`
`127`	`148`	`}`
`128`	`149`	`}`