Corrupted image causes huge resource consumption #182

Open
CrimsonGlory opened this issue May 9, 2023 · 1 comment

CrimsonGlory commented May 9, 2023

The following crafted image file causes the latest version of exifread (3.0.0) to get into an infinite loop which starts using more memory until there is a MemoryError or Out of Memory. It was tested with:

  • Linux + python 3.5.2 + exifread 3.0.0
  • Linux + python 2.7 + exifread 2.3.2

File:
https://www.mediafire.com/file/1nhu3axm8z23l5q/exifread_bug_file/file

To reproduce:

user@host:$ pip3 freeze | grep -i exifread
ExifRead==3.0.0
user@host:$ python3
Python 3.5.2 (default, Jan 26 2021, 13:30:48)
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import exifread
>>> with open("exif_bug_file", 'rb') as file_handle:
...     exifread.process_file(file_handle)
...

EDIT: my bad. It is not an infinite loop. It takes more than 30 minutes and around 8GB of memory, but it does finish. I will edit the title and leave the issue open just in case.

user@host:$ date; python3 test.py ; date
Tue May  9 14:34:26 -03 2023
{'EXIF ISOSpeedRatings': (0x8827) Short=40 @ 196, 'EXIF ExposureProgram': (0x8822) Short=Program Normal @ 184, 'EXIF FocalLength': (0x920A) Ratio=5/18 @ 636, 'IFD 2 Tag 0x0277': (0x0277) Byte=[] @ 86061318, 'Image DateTime': (0x0132) ASCII=2018:09:13 16:14:52 @ 130, 'EXIF ComponentsConfiguration': (0x9101) Undefined=YCbCr @ 244, 'EXIF ExposureBiasValue': (0x9204) Signed Ratio=100/0 @ 620, 'IFD 2 Tag 0x0600': (0x0600) Byte=[] @ 256, 'Image ResolutionUnit': (0x0128) Short=Pixels/Inch @ 42, 'EXIF DateTimeDigitized': (0x9004) ASCII=:52 @ 576, 'EXIF Flash': (0x9209) Short=Flash did not fire @ 328, 'EXIF MeteringMode': (0x9207) Short=CenterWeightedAverage @ 316, 'EXIF ExposureTime': (0x829A) Ratio=0 @ 540, 'EXIF MaxApertureValue': (0x9205) Ratio=2/37 @ 628, 'EXIF BrightnessValue': (0x9203) Signed Ratio=100/441 @ 612, 'IFD 2 ImageWidth': (0x0100) Byte=[] @ 256, 'IFD 2 Tag 0x0301': (0x0301) ASCII= @ 1057027566, 'IFD 2 JPEGProc': (0x0200) ASCII= @ 256, 'EXIF DateTimeOriginal': (0x9003) ASCII= @ 556, 'Image Software': (0x0131) ASCII=G610FDXU1BRB3 @ 116, 'Image YCbCrPositioning': (0x0213) Short=Centered @ 78, 'EXIF ShutterSpeedValue': (0x9201) Signed Ratio=122070592/83 @ 596, 'EXIF MakerNote': (0x927C) Undefined=[115, 97, 109, 115, 117, 110, 103, 0, 83, 77, 45, 71, 54, 49, 48, 70, 0, 0, 71, 54, ... ] @ 98, 'Image Model': (0x0110) ASCII=SM-G610F @ 106, 'EXIF ExifVersion': (0x9000) Undefined=0220 @ 208, 'EXIF ApertureValue': (0x9202) Ratio=20/37 @ 604, 'EXIF FNumber': (0x829D) Ratio=100/19 @ 548, 'IFD 2 Tag 0x9600': (0x9600) Short=[] @ 1937075815, 'Image ExifOffset': (0x8769) Long=150 @ 90, 'Image Make': (0x010F) ASCII=samsung @ 98}
Tue May  9 15:12:24 -03 2023


CrimsonGlory changed the title from "Infinite loop with 100%CPU and memory leak until MemoryError or OOM" to "Corrupted image causes huge resource consumption" on May 9, 2023
Contributor

nickdimitroff commented Jan 14, 2024

This appears to be caused by a blow-up in _process_field
https://github.com/ianare/exif-py/blob/develop/exifread/classes.py#L185
The count value passed from _process_tag for the MakerNote field is huge, 1006641184.
https://github.com/ianare/exif-py/blob/develop/exifread/classes.py#L227
Issue already noted as potentially malformed image or bug in s2n
https://github.com/ianare/exif-py/blob/develop/exifread/classes.py#L148
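
An added example, not exifread's code and not part of the thread above: a pre-parse check that flags IFD entries whose declared count cannot fit in the available data, which is the condition described in the comment above. It scans only the first IFD; the function names are hypothetical, and the sample bytes are constructed, reusing the count quoted in the comment.

```python
import struct

# Bytes per value for TIFF field types 1..12 (TIFF 6.0).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1,
              7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def oversized_entries(tiff):
    """Return [(tag, count, needed_bytes)] for first-IFD entries whose
    declared data cannot fit in the buffer (needed_bytes is None for an
    unknown field type). Raises ValueError on a malformed header or IFD."""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF/EXIF block")
    e = "<" if tiff[:2] == b"II" else ">"
    magic, ifd = struct.unpack_from(e + "HI", tiff, 2)
    if magic != 42 or ifd + 2 > len(tiff):
        raise ValueError("bad TIFF header")
    (n,) = struct.unpack_from(e + "H", tiff, ifd)
    bad = []
    for i in range(n):
        off = ifd + 2 + 12 * i
        if off + 12 > len(tiff):
            raise ValueError("IFD runs past end of data")
        tag, typ, count, value = struct.unpack_from(e + "HHII", tiff, off)
        size = TYPE_SIZES.get(typ)
        if size is None:
            bad.append((tag, count, None))
            continue
        needed = size * count
        # Values longer than 4 bytes are stored at offset `value`,
        # so offset + length must stay inside the buffer.
        if needed > 4 and value + needed > len(tiff):
            bad.append((tag, count, needed))
    return bad

def sample():
    """Constructed 46-byte little-endian block: header, one IFD, data."""
    head = b"II" + struct.pack("<HI", 42, 8)
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", 0x010F, 2, 8, 38)           # Make, fits
    ifd += struct.pack("<HHII", 0x927C, 7, 1006641184, 38)  # MakerNote, huge count
    ifd += struct.pack("<I", 0)                             # no next IFD
    return head + ifd + b"samsung\x00"

if __name__ == "__main__":
    for tag, count, needed in oversized_entries(sample()):
        print("tag 0x%04X: count=%d needs %s bytes" % (tag, count, needed))
```

A caller handling untrusted images can skip or reject a file when this list is non-empty, before handing it to the full parser.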
