ExifReader Improper Handling of Compressed Data Vulnerability Allowing Memory Exhaustion

Vulnerability

A vulnerability exists in the ExifReader package in versions prior to 4.39.0, related to the improper handling of highly compressed data. The library decompresses PNG zTXt metadata without applying a maximum limit on the size of the decompressed output. When asynchronous parsing is enabled, a specially crafted PNG file with a heavily compressed zTXt chunk can cause ExifReader to build an excessively large Comment value in memory, potentially exhausting available memory.

Impact

Exploitation of this vulnerability can lead to excessive memory consumption, causing the application to slow down or become unresponsive.

Reproduction

The vulnerability can be reproduced by using the ExifReader library to load a PNG file that contains a zTXt chunk with highly compressed data. Such a file can be created by taking advantage of the missing decompression size limit, for example by compressing the chunk text with deflate at compression level 9. When the file is loaded with ExifReader, the resulting Comment value is disproportionately large compared to the file itself, demonstrating the vulnerability.

Remediation

Users are advised to upgrade ExifReader to version 4.39.0 or higher.

Added: May 19, 2026, 7:19 AM
Updated: May 19, 2026, 7:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.