Add LimitNumTags and LimitTagSize

With some senbible defaults.

This is a safeguard against abnormally large image metadata.

Note that there's already a Timeout option that can be set if you want to have the processing fail if it takes too long.

Author: bep

gen/testdata_exiftool/images/largeexif.png.json

@@ -0,0 +1,14 @@
+[{
+  "SourceFile": "../testdata/images/largeexif.png",
+  "ExifTool": {
+    "ExifToolVersion": 12.76,
+    "Warning": "Processing TIFF-like data after unknown 16-byte header"
+  },
+  "File": {
+    "FileName": "largeexif.png",
+    "Directory": "../testdata/images",
+    "FileSize": 1310710,
+    "FilePermissions": 100644,
+    "ExifByteOrder": "MM"
+  }
+}]

imagemeta.go

@@ -113,6 +113,28 @@ func Decode(opts Options) (err error) {
 		}
 	}
 
+	const (
+		defaultLimitNumTags = 5000
+		defaultLimitTagSize = 10000
+	)
+
+	if opts.LimitNumTags == 0 {
+		opts.LimitNumTags = defaultLimitNumTags
+	}
+	if opts.LimitTagSize == 0 {
+		opts.LimitTagSize = defaultLimitTagSize
+	}
+
+	var tagCount uint32
+	shouldHandleTag := opts.ShouldHandleTag
+	opts.ShouldHandleTag = func(ti TagInfo) bool {
+		tagCount++
+		if tagCount > opts.LimitNumTags {
+			panic(ErrStopWalking)
+		}
+		return shouldHandleTag(ti)
+	}
+
 	if opts.HandleTag == nil {
 		opts.HandleTag = func(TagInfo) error { return nil }
 	}
@@ -246,6 +268,16 @@ type Options struct {
 	// Mostly useful for testing.
 	// If set to 0, the decoder will not time out.
 	Timeout time.Duration
+
+	// LimitNumTags is the maximum number of tags to read.
+	// Default value is 5000.
+	LimitNumTags uint32
+
+	// LimitTagSize is the maximum size in bytes of a tag value to read.
+	// Tag values larger than this will be skipped without notice.
+	// Note that this limit is not relevant for the XMP source.
+	// Default value is 10000.
+	LimitTagSize uint32
 }
 
 // TagInfo contains information about a tag.

imagemeta_test.go

@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"maps"
 	"math"
 	"math/rand"
 	"os"
@@ -23,7 +24,6 @@ import (
 
 	qt "github.com/frankban/quicktest"
 	"github.com/google/go-cmp/cmp"
-	"maps"
 )
 
 func TestDecodeAllImageFormats(t *testing.T) {

metadecoder_exif.go

@@ -383,7 +383,7 @@ func (e *metaDecoderEXIF) decodeTag(namespace string) error {
 	}
 
 	// Below is EXIF
-	if !e.opts.Sources.Has(EXIF) {
+	if !e.opts.Sources.Has(EXIF) || valLen > e.opts.LimitTagSize {
 		e.skip(4)
 		return nil
 	}

metadecoder_iptc.go

@@ -273,7 +273,7 @@ func (e *metaDecoderIPTC) decodeRecord(stringSlices map[TagInfo][]string) error
 		Namespace: recordDef.RecordName,
 	}
 
-	if !e.opts.ShouldHandleTag(ti) {
+	if recordSize > uint16(e.opts.LimitTagSize) || !e.opts.ShouldHandleTag(ti) {
 		e.skip(int64(recordSize))
 		return nil
 	}