Eric Soroos 2020-03-05 10:46:27 +00:00 committed by Hugo
parent 19ff42bd68
commit 088ce4df98


@ -140,7 +140,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
break; break;
case 12: case 12:
/* FLI LC chunk (byte delta) */ /* FLI LC chunk (byte delta) */
/* OOB Check ok, we have 10 bytes here */ /* OOB Check ok, we have 4 bytes min here */
y = I16(data); ymax = y + I16(data+2); data += 4; y = I16(data); ymax = y + I16(data+2); data += 4;
for (; y < ymax && y < state->ysize; y++) { for (; y < ymax && y < state->ysize; y++) {
UINT8* out = (UINT8*) im->image[y]; UINT8* out = (UINT8*) im->image[y];
@ -180,19 +180,17 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
break; break;
case 15: case 15:
/* FLI BRUN chunk */ /* FLI BRUN chunk */
/* data = ptr + 6 */ /* OOB, ok, we've got 4 bytes min on entry */
for (y = 0; y < state->ysize; y++) { for (y = 0; y < state->ysize; y++) {
UINT8* out = (UINT8*) im->image[y]; UINT8* out = (UINT8*) im->image[y];
data += 1; /* ignore packetcount byte */ data += 1; /* ignore packetcount byte */
for (x = 0; x < state->xsize; x += i) { for (x = 0; x < state->xsize; x += i) {
/* Out of Bounds Read issue, guaranteed to try to read 2 from data */
ERR_IF_DATA_OOB(2) ERR_IF_DATA_OOB(2)
if (data[0] & 0x80) { if (data[0] & 0x80) {
i = 256 - data[0]; i = 256 - data[0];
if (x + i > state->xsize) { if (x + i > state->xsize) {
break; /* safety first */ break; /* safety first */
} }
/* Out of Bounds read issue */
ERR_IF_DATA_OOB(i+1) ERR_IF_DATA_OOB(i+1)
memcpy(out + x, data + 1, i); memcpy(out + x, data + 1, i);
data += i + 1; data += i + 1;
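Review bot: The two comments dropped from the BRUN inner loop were the only explanation of why the guards take `2` and `i+1`, so the bounds arguments are now unexplained to the next person touching this decoder. I would keep a short rationale at each guard, for example `/* need the count byte and the byte after it */` above `ERR_IF_DATA_OOB(2)` and `/* count byte + i literal bytes read by the memcpy below */` above `ERR_IF_DATA_OOB(i+1)`. The new header comments in case 12 and case 15 assert "4 bytes min" without naming the check that establishes it, and that check is not visible in either hunk, so the comment should point at it. In case 15 the guarantee holds only on entry to the chunk: `data += 1` runs once per row, so every row after the first depends on the in-loop guards, which is worth saying in the comment. ImagingFliDecode starts and ends outside both hunks, so this is based on the visible lines only.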