From 02b3527608e6b9ea43215a45fa7ff2535410885e Mon Sep 17 00:00:00 2001
From: Mattias Wadman
Date: Fri, 3 Nov 2023 16:12:47 +0100
Subject: [PATCH] exif,tiff: Handle broken last next ifd offset by treating it as end marker
---
 format/riff/testdata/xmp_exif.fqtest | 4 ++--
 format/tiff/testdata/4x4.fqtest | 2 +-
 format/tiff/tiff.go | 5 +++--
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/format/riff/testdata/xmp_exif.fqtest b/format/riff/testdata/xmp_exif.fqtest
index 0d8151e2..3e7caef4 100644
--- a/format/riff/testdata/xmp_exif.fqtest
+++ b/format/riff/testdata/xmp_exif.fqtest
@@ -148,9 +148,9 @@ $ fq -d webp dv xmp_exif.webp 0x0f0| 05 00 00 00 | .... | value_offset: 83886080 0xfa-0xfe (4) | | | values[0:1]: 0xfa-0xfc (2) 0x0f0| 05 00 | .. | [0]: 1280 value 0xfa-0xfc (2) -0x0f0| 00 00| ..| next_ifd: 0 0xfe-0x102 (4) +0x0f0| 00 00| ..| next_ifd: 0x0 0xfe-0x102 (4) 0x100|00 00 |.. | -0x0a0|00 00 00 00 |.... | next_ifd: 0 0xa0-0xa4 (4) +0x0a0|00 00 00 00 |.... | next_ifd: 0x0 0xa0-0xa4 (4) | | | [3]{}: chunk 0x102-0xd02 (3072) 0x100| 58 4d 50 20 | XMP | id: "XMP " 0x102-0x106 (4) 0x100| f7 0b 00 00 | .... | size: 3063 0x106-0x10a (4)
diff --git a/format/tiff/testdata/4x4.fqtest b/format/tiff/testdata/4x4.fqtest
index e8f27005..5f5e290d 100644
--- a/format/tiff/testdata/4x4.fqtest
+++ b/format/tiff/testdata/4x4.fqtest
@@ -121,5 +121,5 @@ $ fq -d tiff dv 4x4.tiff 0x0b0| 01 00 00 00 | .... | value_offset: 1 0xb2-0xb6 (4) | | | values[0:1]: 0xb2-0xb4 (2) 0x0b0| 01 00 | .. | [0]: 1 value 0xb2-0xb4 (2) -0x0b0| 00 00 00 00 | .... | next_ifd: 0 0xb6-0xba (4) +0x0b0| 00 00 00 00 | .... | next_ifd: 0x0 0xb6-0xba (4) 0x0c0| 00 | . | gap0: raw bits 0xc3-0xc4 (1)
diff --git a/format/tiff/tiff.go b/format/tiff/tiff.go
index f8c37382..e10a0364 100644
--- a/format/tiff/tiff.go
+++ b/format/tiff/tiff.go
@@ -196,7 +196,7 @@ func decodeIfd(d *decode.D, s *strips, tagNames scalar.UintMapSymStr) int64 {
 }
 })
- nextIfdOffset = int64(d.FieldU32("next_ifd"))
+ nextIfdOffset = int64(d.FieldU32("next_ifd", scalar.UintHex))
 })
 return nextIfdOffset
@@ -226,7 +226,8 @@ func tiffDecode(d *decode.D) any {
 ifdSeen := map[int64]struct{}{}
 d.FieldArray("ifds", func(d *decode.D) {
- for ifdOffset != 0 {
+ // sanity check offset
+ for ifdOffset > 0 && ifdOffset*8 < d.Len() {
 if _, ok := ifdSeen[ifdOffset]; ok {
 d.Fatalf("ifd loop detected for %d", ifdOffset)
 }
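Review bot: The relaxed loop condition in tiffDecode applies to every iteration, including the first, so an out-of-range first IFD offset (set before this hunk, not visible here) now appears to produce an empty `ifds` array rather than a decode error, which is broader than the "last next ifd" case the subject describes. If that is not intended, keep the failure for the first offset with a guard ahead of `d.FieldArray`, e.g. `if ifdOffset*8 >= d.Len() { d.Fatalf("first ifd offset %d outside input", ifdOffset) }`. The check also only proves that the IFD starts inside the input, not that its entry table fits, so truncated files presumably still rely on the reads inside decodeIfd failing. The comment would be more useful as `// next_ifd is a byte offset and d.Len() appears to be in bits; an offset at or past the end is treated as the end marker`. The loop body continues past the end of the hunk.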