python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-02-03 21:24:31 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5174 from radarhere/pcx

Browse Source 
Fix for Read Overflow in PCX Decoding
This commit is contained in:
Andrew Murray 2021-01-02 21:00:25 +11:00 committed by GitHub
commit 0117694533
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 27 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Tests/images/ossfuzz-4836216264589312.pcx Normal file
View File

Binary file not shown.

24
Tests/test_image.py
View File

@ -775,26 +775,34 @@ class TestImage:
with pytest.warns(DeprecationWarning): with pytest.warns(DeprecationWarning):
assert test_module.PILLOW_VERSION > "7.0.0" assert test_module.PILLOW_VERSION > "7.0.0"
def test_overrun(self): @pytest.mark.parametrize(
"""For overrun completeness, test as: "path",
valgrind pytest -qq Tests/test_image.py::TestImage::test_overrun | grep decode.c [
"""
for file in [
"fli_overrun.bin", "fli_overrun.bin",
"sgi_overrun.bin", "sgi_overrun.bin",
"sgi_overrun_expandrow.bin", "sgi_overrun_expandrow.bin",
"sgi_overrun_expandrow2.bin", "sgi_overrun_expandrow2.bin",
"pcx_overrun.bin", "pcx_overrun.bin",
"pcx_overrun2.bin", "pcx_overrun2.bin",
"ossfuzz-4836216264589312.pcx",
"01r_00.pcx", "01r_00.pcx",
]: ],
with Image.open(os.path.join("Tests/images", file)) as im: )
def test_overrun(self, path):
"""For overrun completeness, test as:
valgrind pytest -qq Tests/test_image.py::TestImage::test_overrun | grep decode.c
"""
with Image.open(os.path.join("Tests/images", path)) as im:
try: try:
im.load() im.load()
assert False assert False
except OSError as e: except OSError as e:
assert str(e) == "buffer overrun when reading image file" buffer_overrun = str(e) == "buffer overrun when reading image file"
truncated = "image file is truncated" in str(e)
assert buffer_overrun or truncated
def test_fli_overrun2(self):
with Image.open("Tests/images/fli_overrun2.bin") as im: with Image.open("Tests/images/fli_overrun2.bin") as im:
try: try:
im.seek(1) im.seek(1)

9
src/PIL/PcxImagePlugin.py
View File

@ -66,13 +66,13 @@ class PcxImageFile(ImageFile.ImageFile):
version = s[1] version = s[1]
bits = s[3] bits = s[3]
planes = s[65] planes = s[65]
stride = i16(s, 66) ignored_stride = i16(s, 66)
logger.debug( logger.debug(
"PCX version %s, bits %s, planes %s, stride %s", "PCX version %s, bits %s, planes %s, stride %s",
version, version,
bits, bits,
planes, planes,
stride, ignored_stride,
) )
self.info["dpi"] = i16(s, 12), i16(s, 14) self.info["dpi"] = i16(s, 12), i16(s, 14)
@ -110,6 +110,11 @@ class PcxImageFile(ImageFile.ImageFile):
self.mode = mode self.mode = mode
self._size = bbox[2] - bbox[0], bbox[3] - bbox[1] self._size = bbox[2] - bbox[0], bbox[3] - bbox[1]
# don't trust the passed in stride. Calculate for ourselves.
# CVE-2020-35655
stride = (self._size[0] * bits + 7) // 8
stride += stride % 2
bbox = (0, 0) + self.size bbox = (0, 0) + self.size
logger.debug("size: %sx%s", *self.size) logger.debug("size: %sx%s", *self.size)