An OOM problem was found in metadata-extractor #640

@Alex111998

Description

When I tested the latest version (2.19.0) of metadata-extractor with CIFuzz, an OOM security issue was found. It is caused when formatting a big number in the method BmpHeaderDescriptor.formatHex(int, int), and may cause denial of service issues in applications via the following code:

pom

<dependency>
         <groupId>com.drewnoakes</groupId>
         <artifactId>metadata-extractor</artifactId>
         <version>2.19.0</version>
</dependency>

code

import com.drew.metadata.bmp.BmpHeaderDescriptor;

public class MetadataExtractor_OOM {

    public static void main(String[] args) {
        try {
            // Both the value and the digit count are set to Integer.MAX_VALUE.
            BmpHeaderDescriptor.formatHex(Integer.MAX_VALUE, Integer.MAX_VALUE);
        } catch (Exception e) {
            // Note: OutOfMemoryError extends Error, not Exception, so this
            // catch block does not stop the OOM from propagating.
        }
    }
}
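An added example, not code from metadata-extractor, showing the general pattern behind this kind of OOM and a bounded alternative. It assumes the formatter zero-pads the hex string to a caller-supplied width; that is an assumption about the cause, not something the report shows, and the class and method names are hypothetical.

```java
/** Added illustration; not part of metadata-extractor. */
public class BoundedHexFormat {

    // An int can never need more than 8 hex digits, so no wider pad is useful.
    static final int MAX_INT_HEX_DIGITS = 8;

    /**
     * Assumed vulnerable shape: the zero-pad width comes straight from the
     * caller. A width of Integer.MAX_VALUE makes String.format try to build a
     * roughly 2 GiB string, which exhausts the heap (OutOfMemoryError).
     */
    static String formatHexUnbounded(int value, int digits) {
        return String.format("0x%0" + digits + "X", value);
    }

    /**
     * Hardened form: reject nonsensical widths and clamp the pad width to
     * what an int can ever need, so untrusted input cannot drive allocation.
     */
    static String formatHexBounded(int value, int digits) {
        if (digits < 1) {
            throw new IllegalArgumentException("digits must be >= 1, got " + digits);
        }
        int width = Math.min(digits, MAX_INT_HEX_DIGITS);
        return String.format("0x%0" + width + "X", value);
    }

    public static void main(String[] args) {
        // Normal use: an 8-digit field.
        System.out.println(formatHexBounded(0x28, 8));                  // 0x00000028
        // Hostile width: clamped, no large allocation.
        System.out.println(formatHexBounded(0x28, Integer.MAX_VALUE));  // 0x00000028
        // Width is a minimum, so a wide value is never truncated.
        System.out.println(formatHexBounded(-1, 2));                    // 0xFFFFFFFF
    }
}
```

Calling formatHexUnbounded(0, Integer.MAX_VALUE) reproduces the heap exhaustion the report describes, which is why the width should be derived from the type, not from input.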

Labels: good-first-issue (An easy task suited to people new to the project and code), help wanted