Tiff: Add maximum IFD threshold

src/ImageSharp/Formats/Tiff/Ifd/DirectoryReader.cs

@@ -18,9 +18,11 @@ internal class DirectoryReader
 
         private uint nextIfdOffset;
 
+        private const int DirectoryMax = 65534;
+
         // used for sequential read big values (actual for multiframe big files)
         // todo: different tags can link to the same data (stream offset) - investigate
-        private readonly SortedList<uint, Action> lazyLoaders = new SortedList<uint, Action>(new DuplicateKeyComparer<uint>());
+        private readonly SortedList<uint, Action> lazyLoaders = new(new DuplicateKeyComparer<uint>());
 
         public DirectoryReader(Stream stream) => this.stream = stream;
 
@@ -48,7 +50,8 @@ private static ByteOrder ReadByteOrder(Stream stream)
             {
                 return ByteOrder.LittleEndian;
             }
-            else if (headerBytes[0] == TiffConstants.ByteOrderBigEndian && headerBytes[1] == TiffConstants.ByteOrderBigEndian)
+
+            if (headerBytes[0] == TiffConstants.ByteOrderBigEndian && headerBytes[1] == TiffConstants.ByteOrderBigEndian)
             {
                 return ByteOrder.BigEndian;
             }
@@ -67,6 +70,11 @@ private IEnumerable<ExifProfile> ReadIfds()
                 this.nextIfdOffset = reader.NextIfdOffset;
 
                 readers.Add(reader);
+
+                if (readers.Count >= DirectoryMax)
+                {
+                    TiffThrowHelper.ThrowImageFormatException("TIFF image contains too many directories");
+                }
             }
 
             // Sequential reading big values.

src/ImageSharp/Formats/Tiff/Ifd/EntryReader.cs

@@ -23,7 +23,7 @@ public EntryReader(Stream stream, ByteOrder byteOrder, uint ifdOffset, SortedLis
             this.lazyLoaders = lazyLoaders;
         }
 
-        public List<IExifValue> Values { get; } = new List<IExifValue>();
+        public List<IExifValue> Values { get; } = new();
 
         public uint NextIfdOffset { get; private set; }
 

tests/ImageSharp.Tests/Formats/Tiff/TiffDecoderTests.cs

@@ -380,6 +380,18 @@ public void TiffDecoder_CanDecode_PackBitsCompressed<TPixel>(TestImageProvider<T
         public void TiffDecoder_CanDecode_JpegCompressed<TPixel>(TestImageProvider<TPixel> provider)
             where TPixel : unmanaged, IPixel<TPixel> => TestTiffDecoder(provider, useExactComparer: false);
 
+        // https://github.com/SixLabors/ImageSharp/issues/1891
+        [Theory]
+        [WithFile(Issues1891, PixelTypes.Rgba32)]
+        public void TiffDecoder_ThrowsException_WithTooManyDirectories<TPixel>(TestImageProvider<TPixel> provider)
+            where TPixel : unmanaged, IPixel<TPixel> => Assert.Throws<ImageFormatException>(
+                () =>
+                {
+                    using (provider.GetImage(TiffDecoder))
+                    {
+                    }
+                });
+
         [Theory]
         [WithFileCollection(nameof(MultiframeTestImages), PixelTypes.Rgba32)]
         public void DecodeMultiframe<TPixel>(TestImageProvider<TPixel> provider)

tests/ImageSharp.Tests/TestImages.cs

@@ -840,6 +840,7 @@ public static class Tiff
             public const string Flower32BitGrayPredictorLittleEndian = "Tiff/flower-minisblack-32_lsb_deflate_predictor.tiff";
 
             public const string Issues1716Rgb161616BitLittleEndian = "Tiff/Issues/Issue1716.tiff";
+            public const string Issues1891 = "Tiff/Issues/Issue1891.tiff";
 
             public const string SmallRgbDeflate = "Tiff/rgb_small_deflate.tiff";
             public const string SmallRgbLzw = "Tiff/rgb_small_lzw.tiff";