drewnoakes/metadata-extractor

Better handle large memory usage from PNG decompression bombs

Open

#379 opened on Nov 19, 2018

View on GitHub
 (0 comments) (0 reactions) (0 assignees)Java (2,411 stars) (470 forks)batch import
format-pnghelp wantedimage-queue

Description

PNG makes use of deflate allowing potentially a lot of data packed into a small image file.

This especially can be exploited in the ancillary chunks where repeated bytes compress very well. LibPNG has an article around it here

One suggestion is to allow memory limits on processing some of the ancillary chunks like zTXt.

Maybe there is a way to limit this in the metadata extractor project?

for e.g in PngMetadataReader currently it inflates and reads all bytes to one giant buffer (via StreamUtil.readAllBytes) without first considering how big this buffer might be. This allows specially crafted images to potentially cause OOM errors on any project using the metadata extractor.

else if (chunkType.equals(PngChunkType.zTXt)) {
   ....
                    textBytes = StreamUtil.readAllBytes(new InflaterInputStream(new ByteArrayInputStream(bytes, bytes.length - bytesLeft, bytesLeft)));
                } catch(java.util.zip.ZipException zex) {
                    textBytes = null;
                    PngDirectory directory = new PngDirectory(PngChunkType.zTXt);
                    directory.addError(String.format("Exception decompressing PNG zTXt chunk with keyword \"%s\": %s", keyword, zex.getMessage()));
                    metadata.addDirectory(directory);
                }
          ....

Here is an example image below, which is only 700 KB but if the zTxt chunks are decompressed will come to around 250 MB. largeztxtchunk

Contributor guide

Tech stack
java
Domain
securityperformance
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
Javabasic understanding of PNG formatfamiliarity with ZipInputStream
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Investigate the PngMetadataReader class, specifically the zTXt chunk handling. Modify the code to limit the decompressed buffer size, perhaps by using a custom InputStream that checks size before reading all bytes. Also consider applying similar limits to other ancillary chunks like iTXt and tEXt. Test with the provided example image to verify the fix prevents OOM.