Exiv2 / exiv2

Image metadata library and tools

Home Page: http://www.exiv2.org/

Timeout in OSS-Fuzz

kevinbackhouse opened this issue · comments

OSS-Fuzz has found a "timeout" issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66957
It's not a security bug, because it's not reproducible in Exiv2. It only affects the fuzz target that we run in OSS-Fuzz.

To reproduce the issue, build the fuzz target and then run it like this:

./bin/fuzz-read-print-write poc.jpg

poc file: [attached image]

It runs for a long time, because these calls to md.print() are generating very large strings:

image->readMetadata();
for (auto& md : image->exifData()) {
  md.print();
  md.print(&image->exifData());
}

The reason Exiv2 isn't affected is that it has this code:

exiv2/app/actions.cpp, lines 453 to 455 in 77915ad:

if (Params::instance().unknown_ && md.tagName().substr(0, 2) == "0x") {
  return false;
}

In other words, Exiv2 doesn't print anything if the tag name starts with "0x". I could easily fix the fuzz target by adding similar code, but I'd quite like to understand what that code is doing. Does anybody know the reason for it?
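An added, self-contained example (not Exiv2's code and not from the issue author) that models the guard quoted from actions.cpp and additionally puts a byte budget on what a fuzz-style loop formats, so one metadatum that prints to a huge string cannot consume unbounded time. FakeMetadatum is an assumed stand-in for Exiv2::Metadatum with only the two members used here, and maxBytes is an assumed per-target cap.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for Exiv2::Metadatum: tagName() and print()
// are the only members this example needs.
struct FakeMetadatum {
  std::string name;   // what tagName() would return
  std::string value;  // what print() would return
  std::string tagName() const { return name; }
  std::string print() const { return value; }
};

// Same condition as the guard in app/actions.cpp: when the "unknown"
// parameter is set, tags whose name starts with "0x" are skipped.
// substr(0, 2) is safe on names shorter than two characters.
bool skipUnknownTag(const std::string& tagName, bool unknownParam) {
  return unknownParam && tagName.substr(0, 2) == "0x";
}

// Fuzz-target-style loop with an output budget. Returns the number of
// bytes placed in `out`; once maxBytes is reached the loop stops
// instead of formatting ever larger strings.
std::size_t printBounded(const std::vector<FakeMetadatum>& data,
                         bool unknownParam, std::size_t maxBytes,
                         std::string& out) {
  out.clear();
  for (const auto& md : data) {
    if (skipUnknownTag(md.tagName(), unknownParam)) continue;
    const std::string s = md.print();
    const std::size_t room = maxBytes - out.size();
    if (s.size() > room) {
      out.append(s, 0, room);  // keep a prefix, then give up
      break;
    }
    out += s;
  }
  return out.size();
}
```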