Summary
HEICExifFinder.find_exif() trusts the HEIC iloc metadata and forwards attacker-controlled item_length values straight into fh.read(), so a crafted file can drive an oversized read request (the PoC below ends in MemoryError).
PoC:
>>> import resource
>>> from pathlib import Path
>>> from exifread.core.heic import HEICExifFinder
>>> resource.setrlimit(resource.RLIMIT_AS, (512 * 1024 * 1024,) * 2)
>>> fh = Path("heic_OverRead.heic").open("rb")
>>> HEICExifFinder(fh).find_exif()
Traceback:
MemoryError: read request exceeded 512 MiB cap
heic_OverRead.zip
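For contrast, the following is an added illustration (not exifread's code) of how a length taken from item metadata can be bounded before it reaches fh.read(): the cap, the simplified 8-byte entry layout, and the sample bytes are all constructed for this example and are not the real iloc format or any exifread constant.

```python
import io
import os
import struct

# Assumed policy cap on one metadata item; exifread defines no such constant.
MAX_ITEM_LENGTH = 16 * 1024 * 1024


def bounded_read(fh, offset, length, cap=MAX_ITEM_LENGTH):
    """Read `length` bytes at `offset`, refusing sizes the file cannot back.

    CPython allocates the full `length` buffer before reading, so an unchecked
    32-bit item_length alone is enough to trigger MemoryError.
    """
    if length < 0 or length > cap:
        raise ValueError(f"item_length {length} exceeds cap {cap}")
    fh.seek(0, os.SEEK_END)
    size = fh.tell()  # real size, taken from the stream rather than a header field
    if offset < 0 or offset + length > size:
        raise ValueError(f"item {offset}+{length} lies outside {size}-byte file")
    fh.seek(offset)
    data = fh.read(length)
    if len(data) != length:
        raise ValueError("short read")
    return data


def read_item(fh, entry):
    """Parse a simplified entry (4-byte BE offset, 4-byte BE length) and read its payload."""
    offset, length = struct.unpack(">II", entry[:8])
    return bounded_read(fh, offset, length)


# Constructed sample "file": 64 bytes of padding followed by an Exif header.
SAMPLE = bytes(64) + b"Exif\x00\x00"
GOOD_ENTRY = struct.pack(">II", 64, 6)           # points at the Exif header
EVIL_ENTRY = struct.pack(">II", 64, 0xFFFFFFFF)  # claims a 4 GiB item


def demo():
    """Return the payload of the benign entry and whether the oversized entry was rejected."""
    good = read_item(io.BytesIO(SAMPLE), GOOD_ENTRY)
    try:
        read_item(io.BytesIO(SAMPLE), EVIL_ENTRY)
        rejected = False
    except ValueError:
        rejected = True
    return good, rejected


if __name__ == "__main__":
    print(demo())
```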