Limit the byte buffer to 10 MB

bep · bep · commit ee0de9b029f4 · 2025-04-07T12:31:01.000+02:00
Which should be plenty for image metadata.
diff --git a/imagemeta.go b/imagemeta.go
@@ -215,8 +215,8 @@ func Decode(opts Options) (err error) {
 		go func() {
 			defer func() {
 				err2 := errFromRecover(recover())
-				if err == nil {
-					err = err2
+				if err2 != nil {
+					errc <- err2
 				}
 			}()
 			errc <- dec.decode()
diff --git a/imagemeta_test.go b/imagemeta_test.go
@@ -460,6 +460,7 @@ func TestLatLong(t *testing.T) {
 	c := qt.New(t)
 
 	tags, err := extractTags(t, "sunrise.jpg", imagemeta.EXIF)
+	c.Assert(err, qt.IsNil)
 
 	lat, long, err := tags.GetLatLong()
 	c.Assert(err, qt.IsNil)
@@ -478,6 +479,7 @@ func TestGetDateTime(t *testing.T) {
 	c := qt.New(t)
 
 	tags, err := extractTags(t, "sunrise.jpg", imagemeta.EXIF)
+	c.Assert(err, qt.IsNil)
 	d, err := tags.GetDateTime()
 	c.Assert(err, qt.IsNil)
 	c.Assert(d.Format("2006-01-02"), qt.Equals, "2017-10-27")
diff --git a/io.go b/io.go
@@ -90,9 +90,15 @@ func (e *streamReader) otherByteOrder() binary.ByteOrder {
 	return binary.BigEndian
 }
 
+// 10 MB should be plenty for image metadata.
+const maxBufSize = 10 * 1024 * 1024
+
 // bufferedReader reads length bytes from the stream and returns a ReaderCloser.
 // It's important to call Close on the ReaderCloser when done.
 func (e *streamReader) bufferedReader(length int64) (readerCloser, error) {
+	if length > maxBufSize {
+		return nil, newInvalidFormatErrorf("length %d exceeds max %d", length, maxBufSize)
+	}
 	if length == 0 {
 		return struct {
 			io.ReadSeeker
