Add bounds checks and extend XMP namespace handling

Add numerous safety checks, new XMP namespace constants, and extended XMP->portable mapping/parsing.

Key changes:
- Introduce JPEG/TIFF size limits and helper functions (kMaxJpegSegmentPayload, jpeg_segment_length_u16, set_jpeg_segment_limit_error, append_jpeg_segment) and enforce payload limits when emitting/compiling JPEG segments and building C2PA sign requests.
- Replace unchecked arithmetic with checked helpers (ifd_directory_size_bytes_checked, checked_u32_add, checked_u32_add_size, checked_align_to_2) to avoid integer overflow when computing IFD and data cursor sizes; enforce max TIFF/EXIF bytes.
- Add many new XMP namespace constants and prefix mappings in xmp_decode/xmp_dump (stDim, stEvt, stFnt, stJob, stMfs, stRef, stVer, xmpBJ, xmpDM, xmpTPg, xmpG, etc.) and update portable property/shape logic accordingly.
- Add new parsing/resolution helpers for qualified and indexed structured XMP property names (resolve_qualified_xmp_property_name, resolve_existing_xmp_component_to_portable, parse_indexed_structured_indexed_nested_xmp_property_name) and new PortableIndexedStructuredIndexedNestedProperty struct plus related promotions and shape rules.
- Improve bounds checks in maker-note decoders and container scanner (Nikon, Olympus, Sony, container_scan) to guard against small/invalid inputs and large entry counts/offsets.
- Tighten checks when copying/patching TIFF data and when validating value offsets to prevent out-of-range accesses.

These changes harden parsing/emission code against malformed or malicious inputs and expand XMP handling for additional structured/qualified fields.

Author: ssh4net

src/include/openmeta/xmp_dump.h

@@ -87,8 +87,30 @@ struct XmpPortableOptions final {
     /// bounded lang-alt paths like `title[@xml:lang=x-default]`, bounded
     /// one-level structured paths like `CreatorContactInfo/CiEmailWork`,
     /// bounded qualified one-level structured child paths like
-    /// `LocationShown[1]/xmp:Identifier[1]` and
+    /// `LocationShown[1]/xmp:Identifier[1]`,
     /// `LocationShown[1]/exif:GPSLatitude`,
+    /// `DerivedFrom/stRef:documentID`,
+    /// `JobRef[1]/stJob:id`,
+    /// `RenditionOf/stRef:filePath`,
+    /// `Ingredients[1]/stRef:documentID`,
+    /// `MaxPageSize/stDim:w`,
+    /// `Fonts[1]/stFnt:fontName`,
+    /// `Fonts[1]/stFnt:childFontFiles[1]`,
+    /// `Colorants[1]/xmpG:swatchName`,
+    /// `SwatchGroups[1]/xmpG:groupName`,
+    /// `ProjectRef/path`,
+    /// `beatSpliceParams/riseInTimeDuration/scale`,
+    /// `markers/cuePointParams/key`,
+    /// `contributedMedia[1]/duration/scale`,
+    /// `resampleParams/quality`,
+    /// `startTimecode/timeValue`,
+    /// `timeScaleParams/quality`,
+    /// `Pantry[1]/InstanceID`,
+    /// `Pantry[1]/dc:format`,
+    /// `videoFrameSize/stDim:w`,
+    /// `videoAlphaPremultipleColor/xmpG:mode`,
+    /// `Manifest[1]/stMfs:reference/stRef:filePath`, and
+    /// `Versions[1]/stVer:event/stEvt:action`,
     /// bounded indexed-structured paths like `Licensee[1]/LicenseeName`,
     /// bounded second-level structured scalar paths like
     /// `CreatorContactInfo/CiAdrRegion/ProvinceName`, bounded structured

src/openmeta/container_scan.cc

@@ -4323,6 +4323,9 @@ scan_tiff(std::span<const std::byte> bytes,
                 continue;
             }
             entry_count      = n64;
+            if (entry_count > 0x10000ULL) {
+                continue;
+            }
             entries_off      = ifd_off + 8;
             entry_size       = 20;
             next_ifd_off_pos = entries_off + entry_count * entry_size;

src/openmeta/exif_makernote_nikon.cc

@@ -2833,6 +2833,9 @@ decode_nikon_binary_subdirs(std::string_view mk_ifd0, MetaStore& store, bool le,
                     0x06ec, 0x06ee, 0x06f0, 0x06f2, 0x06f4, 0x06f6, 0x06f8,
                     0x06fa, 0x06fc, 0x06fe, 0x0700, 0x0702,
                 };
+                if (raw_src.size() < 4U) {
+                    continue;
+                }
 
                 std::vector<std::byte> dec;
                 dec.resize(raw_src.size());
@@ -3107,6 +3110,9 @@ decode_nikon_binary_subdirs(std::string_view mk_ifd0, MetaStore& store, bool le,
                     0x0204, 0x0238, 0x023c, 0x023e, 0x0240, 0x0241, 0x0242,
                     0x0248, 0x024e, 0x024f, 0x035a,
                 };
+                if (raw_src.size() < 4U) {
+                    continue;
+                }
 
                 std::vector<std::byte> dec;
                 dec.resize(raw_src.size());

src/openmeta/exif_makernote_olympus.cc

@@ -95,7 +95,8 @@ namespace {
                 continue;
             }
             const uint64_t sub_ifd_off = sub_ifd_off32;
-            if (sub_ifd_off >= mn.size()) {
+            if (sub_ifd_off >= mn.size()
+                || mn.size() - static_cast<size_t>(sub_ifd_off) < 2U) {
                 continue;
             }
 

src/openmeta/exif_makernote_sony.cc

@@ -1563,10 +1563,12 @@ decode_sony_meterinfo_from_tag2010(std::span<const std::byte> bytes,
         if (uint32_t(r.len) > options.limits.max_value_bytes) {
             continue;
         }
-        const uint16_t abs_off = uint16_t(meter_off + r.off);
-        if (uint64_t(abs_off) + uint64_t(r.len) > bytes.size()) {
+        const uint64_t abs_off64 = uint64_t(meter_off) + uint64_t(r.off);
+        if (abs_off64 > static_cast<uint64_t>(UINT16_MAX)
+            || abs_off64 + uint64_t(r.len) > bytes.size()) {
             continue;
         }
+        const uint16_t abs_off = static_cast<uint16_t>(abs_off64);
         const MetaValue v = make_sony_deciphered_bytes(store.arena(), bytes,
                                                        abs_off, r.len, rounds);
         if (v.kind != MetaValueKind::Bytes) {
@@ -2036,7 +2038,12 @@ decode_sony_faceinfo_from_shotinfo(bool le, std::span<const std::byte> bytes,
     uint32_t out_count = 0;
 
     for (uint16_t i = 0; i < face_count; ++i) {
-        const uint16_t tag = uint16_t(face_len * i);
+        const uint32_t tag32
+            = static_cast<uint32_t>(face_len) * static_cast<uint32_t>(i);
+        if (tag32 > static_cast<uint32_t>(UINT16_MAX)) {
+            continue;
+        }
+        const uint16_t tag = static_cast<uint16_t>(tag32);
         const uint64_t off = uint64_t(face_off) + uint64_t(face_len) * i;
         uint16_t rect[4];
         bool ok = true;