exiv2 -i X: deeply nested XMP sidecar triggers stack overflow in RDF parser #9322

@Rev-ice

Summary

I found a stack overflow in the XMP sidecar import path. With exiv2 -i X, a deeply nested XMP sidecar causes repeated recursion in RDF_PropertyElementList() until the process stack is exhausted.

This was observed on a development build reporting:

exiv2 1.00.0.9

Environment:

macOS ARM64
Apple Clang 17.0.0
ASAN_OPTIONS=abort_on_error=1:detect_leaks=0
ulimit -s 256

Reproducer

The input pair is a JPEG file with a matching .xmp sidecar containing deeply nested rdf:parseType="Resource" elements.

ulimit -s 256
ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 \
./build/bin/exiv2 -i X hunt_work/xmpdeep_990.jpg

Observed ASan output

ERROR: AddressSanitizer: stack-overflow
#3 AddChildNode ParseRDF.cpp:405
#4 RDF_PropertyElementList ParseRDF.cpp:795
#5 RDF_PropertyElementList ParseRDF.cpp:795
SUMMARY: AddressSanitizer: stack-overflow ParseRDF.cpp:405 in AddChildNode

Possible root cause

RDF_PropertyElementList() appears to recurse without a depth limit while parsing nested RDF resource nodes.

Suggested fix

Add a recursion depth limit to RDF_PropertyElementList() and return a parse error when nested RDF resources exceed that limit.

Release impact question

I have only confirmed this on the development build above. Could maintainers confirm whether an official release is affected? If an official release is affected, I can provide the minimized input pair privately if preferred.
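A minimal sketch of the kind of depth guard the suggested fix describes, added here as an illustration; it is not exiv2 or XMP toolkit code. `XmlNode`, `ParseStatus`, `parsePropertyElementList`, `makeNested`, `parseNested` and the limit of 100 are all hypothetical names and values, and the nested input is constructed in memory.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical stand-in for one parsed XML element; each child models one
// nested rdf:parseType="Resource" level. Not the toolkit's own type.
struct XmlNode {
    std::vector<std::unique_ptr<XmlNode>> children;
};

enum class ParseStatus { Ok, TooDeep };

// Assumed limit for illustration; the real value is a maintainer decision.
constexpr std::size_t kMaxRdfDepth = 100;

// Walks the property elements under `parent`, recursing into nested resources.
// The depth check runs before any further recursion, so stack use is bounded
// by the limit rather than by the input.
ParseStatus parsePropertyElementList(const XmlNode& parent, std::size_t depth,
                                     std::size_t& visited) {
    if (depth > kMaxRdfDepth) return ParseStatus::TooDeep;
    for (const auto& child : parent.children) {
        ++visited;
        ParseStatus st = parsePropertyElementList(*child, depth + 1, visited);
        if (st != ParseStatus::Ok) return st;  // propagate the error upward
    }
    return ParseStatus::Ok;
}

// Builds a constructed chain of `levels` nested elements (sample input).
std::unique_ptr<XmlNode> makeNested(std::size_t levels) {
    auto root = std::make_unique<XmlNode>();
    XmlNode* cur = root.get();
    for (std::size_t i = 0; i < levels; ++i) {
        cur->children.push_back(std::make_unique<XmlNode>());
        cur = cur->children.back().get();
    }
    return root;
}

// Parses a constructed chain and reports how many elements were visited.
ParseStatus parseNested(std::size_t levels, std::size_t& visited) {
    visited = 0;
    return parsePropertyElementList(*makeNested(levels), 0, visited);
}

int main() {
    std::size_t visited = 0;
    return parseNested(990, visited) == ParseStatus::TooDeep ? 0 : 1;
}
```

In this sketch the caller gets `ParseStatus::TooDeep` back instead of a crash, and parsing stops one element past the limit no matter how deep the input continues.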
