Break if there are more then 65534 IFD directories, fixes #1897

brianpopow · brianpopow · commit ae84ff67e9f6 · 2021-12-13T16:45:40.000+01:00
diff --git a/src/ImageSharp/Formats/Tiff/Ifd/DirectoryReader.cs b/src/ImageSharp/Formats/Tiff/Ifd/DirectoryReader.cs
@@ -18,9 +18,11 @@ internal class DirectoryReader
 
         private uint nextIfdOffset;
 
+        private const int DirectoryMax = 65534;
+
         // used for sequential read big values (actual for multiframe big files)
         // todo: different tags can link to the same data (stream offset) - investigate
-        private readonly SortedList<uint, Action> lazyLoaders = new SortedList<uint, Action>(new DuplicateKeyComparer<uint>());
+        private readonly SortedList<uint, Action> lazyLoaders = new(new DuplicateKeyComparer<uint>());
 
         public DirectoryReader(Stream stream) => this.stream = stream;
 
@@ -48,7 +50,8 @@ private static ByteOrder ReadByteOrder(Stream stream)
             {
                 return ByteOrder.LittleEndian;
             }
-            else if (headerBytes[0] == TiffConstants.ByteOrderBigEndian && headerBytes[1] == TiffConstants.ByteOrderBigEndian)
+
+            if (headerBytes[0] == TiffConstants.ByteOrderBigEndian && headerBytes[1] == TiffConstants.ByteOrderBigEndian)
             {
                 return ByteOrder.BigEndian;
             }
@@ -67,6 +70,11 @@ private IEnumerable<ExifProfile> ReadIfds()
                 this.nextIfdOffset = reader.NextIfdOffset;
 
                 readers.Add(reader);
+
+                if (readers.Count >= DirectoryMax)
+                {
+                    TiffThrowHelper.ThrowImageFormatException("TIFF image contains too many directories");
+                }
             }
 
             // Sequential reading big values.
diff --git a/src/ImageSharp/Formats/Tiff/Ifd/EntryReader.cs b/src/ImageSharp/Formats/Tiff/Ifd/EntryReader.cs
@@ -23,7 +23,7 @@ public EntryReader(Stream stream, ByteOrder byteOrder, uint ifdOffset, SortedLis
             this.lazyLoaders = lazyLoaders;
         }
 
-        public List<IExifValue> Values { get; } = new List<IExifValue>();
+        public List<IExifValue> Values { get; } = new();
 
         public uint NextIfdOffset { get; private set; }
 

Original file line number	Diff line number	Diff line change
`@@ -18,9 +18,11 @@ internal class DirectoryReader`
`18`	`18`
`19`	`19`	`private uint nextIfdOffset;`
`20`	`20`
	`21`	`+ private const int DirectoryMax = 65534;`
	`22`	`+`
`21`	`23`	`// used for sequential read big values (actual for multiframe big files)`
`22`	`24`	`// todo: different tags can link to the same data (stream offset) - investigate`
`23`		`- private readonly SortedList<uint, Action> lazyLoaders = new SortedList<uint, Action>(new DuplicateKeyComparer<uint>());`
	`25`	`+ private readonly SortedList<uint, Action> lazyLoaders = new(new DuplicateKeyComparer<uint>());`
`24`	`26`
`25`	`27`	`public DirectoryReader(Stream stream) => this.stream = stream;`
`26`	`28`
`@@ -48,7 +50,8 @@ private static ByteOrder ReadByteOrder(Stream stream)`
`48`	`50`	`{`
`49`	`51`	`return ByteOrder.LittleEndian;`
`50`	`52`	`}`
`51`		`- else if (headerBytes[0] == TiffConstants.ByteOrderBigEndian && headerBytes[1] == TiffConstants.ByteOrderBigEndian)`
	`53`	`+`
	`54`	`+ if (headerBytes[0] == TiffConstants.ByteOrderBigEndian && headerBytes[1] == TiffConstants.ByteOrderBigEndian)`
`52`	`55`	`{`
`53`	`56`	`return ByteOrder.BigEndian;`
`54`	`57`	`}`
`@@ -67,6 +70,11 @@ private IEnumerable<ExifProfile> ReadIfds()`
`67`	`70`	`this.nextIfdOffset = reader.NextIfdOffset;`
`68`	`71`
`69`	`72`	`readers.Add(reader);`
	`73`	`+`
	`74`	`+ if (readers.Count >= DirectoryMax)`
	`75`	`+ {`
	`76`	`+ TiffThrowHelper.ThrowImageFormatException("TIFF image contains too many directories");`
	`77`	`+ }`
`70`	`78`	`}`
`71`	`79`
`72`	`80`	`// Sequential reading big values.`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ public EntryReader(Stream stream, ByteOrder byteOrder, uint ifdOffset, SortedLis`
`23`	`23`	`this.lazyLoaders = lazyLoaders;`
`24`	`24`	`}`
`25`	`25`
`26`		`- public List<IExifValue> Values { get; } = new List<IExifValue>();`
	`26`	`+ public List<IExifValue> Values { get; } = new();`
`27`	`27`
`28`	`28`	`public uint NextIfdOffset { get; private set; }`
`29`	`29`