Merge pull request #19 from ActiveState/BE-140-cve-2021-28677

BE-140-cve-2021-28677

CHANGES.rst

@@ -22,6 +22,11 @@ Changelog (Pillow)
 - Fix CVE-2020-10994: In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
   [rickprice]
 
+- Fix CVE-2021-28677: An issue was discovered in Pillow before 8.2.0. For EPS
+  data, the readline implementation used in EPSImageFile has to deal with any
+  combination of \r and \n as line endings.
+  [rickprice]
+
 6.2.2.4 (2023-03-29)
 ------------------
 

Tests/test_file_eps.py

@@ -1,6 +1,7 @@
 import io
 
 from PIL import EpsImagePlugin, Image
+import pytest
 
 from .helper import PillowTestCase, hopper, unittest
 
@@ -53,7 +54,8 @@ class TestFileEps(PillowTestCase):
     def test_invalid_file(self):
         invalid_file = "Tests/images/flower.jpg"
 
-        self.assertRaises(SyntaxError, EpsImagePlugin.EpsImageFile, invalid_file)
+        self.assertRaises(
+            SyntaxError, EpsImagePlugin.EpsImageFile, invalid_file)
 
     @unittest.skipUnless(HAS_GHOSTSCRIPT, "Ghostscript not available")
     def test_cmyk(self):
@@ -252,3 +254,17 @@ class TestFileEps(PillowTestCase):
         self.assertEqual(image.mode, "RGB")
         self.assertEqual(image.size, (460, 352))
         self.assertEqual(image.format, "EPS")
+
+
+# @pytest.mark.timeout(timeout=5)
+@pytest.mark.parametrize(
+    "test_file",
+    [
+        ("Tests/images/timeout-d675703545fee17acab56e5fec644c19979175de.eps")
+    ],
+)
+def test_timeout(test_file):
+    with open(test_file, "rb") as f:
+        with pytest.raises(Image.UnidentifiedImageError):
+            with Image.open(f):
+                pass

docs/releasenotes/6.2.2.5.rst

@@ -11,8 +11,10 @@ This release addresses several critical CVEs.
 :cve:`CVE-2021-25289`: Catch TiffDecode heap-based buffer overflow. Add test files that show the CVE was fixed
 
 :cve:`CVE-2022-22815`: Fixed ImagePath.Path array handling
+
 :cve:`CVE-2021-28675`: Fix DOS in PsdImagePlugin
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
 * :py:class:`.PsdImagePlugin.PsdImageFile` did not sanity check the number of input
   layers with regard to the size of the data block, this could lead to a
   denial-of-service on :py:meth:`~PIL.Image.open` prior to
@@ -22,3 +24,13 @@ This release addresses several critical CVEs.
 :cve:`CVE-2022-22816`: Fixed ImagePath.Path array handling
 
 :cve:`CVE-2020-10994`: In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
+
+:cve:`CVE-2021-28677`: An issue was discovered in Pillow before 8.2.0. For EPS
+                       data, the readline implementation used in EPSImageFile
+                       has to deal with any combination of \r and \n as line
+                       endings. It used an accidentally quadratic method of
+                       accumulating lines while looking for a line ending. A
+                       malicious EPS file could use this to perform a DoS of
+                       Pillow in the open phase, before an image was accepted
+                       for opening.
+

src/PIL/EpsImagePlugin.py

@@ -183,12 +183,12 @@ class PSFile(object):
         self.fp.seek(offset, whence)
 
     def readline(self):
-        s = self.char or b""
+        s = [self.char or b""]
         self.char = None
 
         c = self.fp.read(1)
-        while c not in b"\r\n":
+        while (c not in b"\r\n") and len(c):
-            s = s + c
+            s.append(c)
             c = self.fp.read(1)
 
         self.char = self.fp.read(1)
@@ -196,7 +196,7 @@ class PSFile(object):
         if self.char in b"\r\n":
             self.char = None
 
-        return s.decode("latin-1")
+        return b"".join(s).decode("latin-1")
 
 
 def _accept(prefix):