From 4e0d9b0b9740d258ade40cce248c93777362ac1e Mon Sep 17 00:00:00 2001
From: Ned Williamson
Date: Thu, 4 Feb 2016 01:54:12 -0500
Subject: [PATCH 1/3] fix integer overflow in Resample.c
---
 libImaging/Resample.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/libImaging/Resample.c b/libImaging/Resample.c
index 103e07e4b..0d401c1df 100644
--- a/libImaging/Resample.c
+++ b/libImaging/Resample.c
@@ -138,11 +138,23 @@ ImagingResampleHorizontal(Imaging imIn, int xsize, int filter)
 /* maximum number of coofs */
 kmax = (int) ceil(support) * 2 + 1;
+ // check for overflow
+ if (kmax > 0 && xsize > SIZE_MAX / kmax)
+ return (Imaging) ImagingError_MemoryError();
+
+ // sizeof(float) should be greater than 0
+ if (xsize * kmax > SIZE_MAX / sizeof(float))
+ return (Imaging) ImagingError_MemoryError();
+
 /* coefficient buffer */
 kk = malloc(xsize * kmax * sizeof(float));
 if ( ! kk)
 return (Imaging) ImagingError_MemoryError();
+ // sizeof(int) should be greater than 0 as well
+ if (xsize > SIZE_MAX / (2 * sizeof(int)))
+ return (Imaging) ImagingError_MemoryError();
+
 xbounds = malloc(xsize * 2 * sizeof(int));
 if ( ! xbounds) {
 free(kk);
From ff7962c3be5eac5103978fde8f8e14dc6542b8dc Mon Sep 17 00:00:00 2001
From: wiredfool
Date: Thu, 4 Feb 2016 04:17:00 -0800
Subject: [PATCH 2/3] test for #1711
---
 Tests/test_image_resample.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 Tests/test_image_resample.py
diff --git a/Tests/test_image_resample.py b/Tests/test_image_resample.py
new file mode 100644
index 000000000..f274322e5
--- /dev/null
+++ b/Tests/test_image_resample.py
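Review bot: In the ImagingResampleHorizontal hunk of libImaging/Resample.c, the second guard and the `malloc` argument both evaluate `xsize * kmax` before any conversion to size_t, so the multiplication itself is not protected by the comparisons against `SIZE_MAX`. `xsize` is declared `int` in the signature and `kmax` is assigned through an `(int)` cast; if `kmax` is also an `int` (its declaration is outside the hunk), the product can overflow in signed arithmetic wherever size_t is wider than int, because the first guard only bounds it by `SIZE_MAX`. Bounding by the narrower type, `if (kmax > 0 && xsize > INT_MAX / kmax)`, or widening first with `(size_t) xsize * kmax` in both the check and the `malloc` call, would close that gap. `INT_MAX` needs `<limits.h>`, and whether `SIZE_MAX` is already available through `<stdint.h>` is not visible here; the function body starts and ends outside the hunk.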
@@ -0,0 +1,18 @@
+from helper import unittest, PillowTestCase, hopper
+from PIL import Image
+
+class TestImagingCoreResize(PillowTestCase):
+ #see https://github.com/python-pillow/Pillow/issues/1710
+ def test_overflow(self):
+ im = hopper('L')
+ xsize = 0x100000008 // 4
+ ysize = 1000 # unimportant
+ try:
+ im.im.resize((xsize, ysize), Image.LINEAR) # any resampling filter will do here
+ self.fail("Resize should raise MemoryError on invalid xsize")
+ except MemoryError:
+ self.assertTrue(True, "Should raise MemoryError")
+
+
+if __name__ == '__main__':
+ unittest.main()
From 95a25a0d82f414a52e174eb5389d485d4b3ddf34 Mon Sep 17 00:00:00 2001
From: wiredfool
Date: Thu, 4 Feb 2016 06:57:57 -0800
Subject: [PATCH 3/3] input parameter filtering
---
 Tests/test_image_resample.py | 20 +++++++++++++++++++-
 _imaging.c | 4 ++++
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/Tests/test_image_resample.py b/Tests/test_image_resample.py
index f274322e5..9e8f735f6 100644
--- a/Tests/test_image_resample.py
+++ b/Tests/test_image_resample.py
@@ -8,11 +8,29 @@ class TestImagingCoreResize(PillowTestCase):
 xsize = 0x100000008 // 4
 ysize = 1000 # unimportant
 try:
- im.im.resize((xsize, ysize), Image.LINEAR) # any resampling filter will do here
+ # any resampling filter will do here
+ im.im.resize((xsize, ysize), Image.LINEAR)
 self.fail("Resize should raise MemoryError on invalid xsize")
 except MemoryError:
 self.assertTrue(True, "Should raise MemoryError")
+ def test_invalid_size(self):
+ im = hopper()
+
+ im.resize((100,100))
+ self.assertTrue(True, "Should not Crash")
+
+ try:
+ im.resize((-100,100))
+ self.fail("Resize should raise a value error on x negative size")
+ except ValueError:
+ self.assertTrue(True, "Should raise ValueError")
+
+ try:
+ im.resize((100,-100))
+ self.fail("Resize should raise a value error on y negative size")
+ except ValueError:
+ self.assertTrue(True, "Should raise ValueError")
 if __name__ == '__main__':
 unittest.main()
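Review bot: In test_overflow (patch 2/3) the `try` / `self.fail` / `except MemoryError` sequence ends in `self.assertTrue(True, ...)`, which can never fail, so the only effective assertion is the `self.fail` call; `self.assertRaises(MemoryError, im.im.resize, (xsize, ysize), Image.LINEAR)` states the same expectation in one line. The same pattern recurs in `test_invalid_size`, added by patch 3/3. The constant would also benefit from a comment explaining the choice, for example `# xsize * 4 == 2**32 + 8, just past what a 32-bit size can hold`, which appears to be the intent. The comment cites issue 1710 while the commit subject says #1711, which is worth reconciling.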
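Review bot: test_invalid_size (patch 3/3) exercises only negative sizes, while the guard this patch adds to `_resize` rejects anything below 1, so the zero boundary is untested. Adding `self.assertRaises(ValueError, im.resize, (0, 100))` and `self.assertRaises(ValueError, im.resize, (100, 0))` would pin it. The opening step, `im.resize((100,100))` followed by `self.assertTrue(True, "Should not Crash")`, asserts nothing about the result; `self.assertEqual(im.resize((100, 100)).size, (100, 100))` would turn it into a real check.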
diff --git a/_imaging.c b/_imaging.c
index de1fa5be5..314631996 100644
--- a/_imaging.c
+++ b/_imaging.c
@@ -1532,6 +1532,10 @@ _resize(ImagingObject* self, PyObject* args)
 imIn = self->image;
+ if (xsize < 1 || ysize < 1) {
+ return ImagingError_ValueError("height and width must be > 0");
+ }
+
 if (imIn->xsize == xsize && imIn->ysize == ysize) {
 imOut = ImagingCopy(imIn);
 }
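Review bot: The guard added to `_resize` bounds `xsize` and `ysize` only from below, so oversized values still depend on the allocation checks inside the resampling code, and this series visibly adds those only for `xsize` in ImagingResampleHorizontal. Whether `ysize` reaches an equivalent check cannot be told from the hunks shown, so that is worth confirming. A comment above the guard would record the division of labour, for example `/* rejects non-positive sizes; upper bounds are enforced where the buffers are allocated */`. The body of `_resize` starts and ends outside the hunk.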