mirror of
https://github.com/python-pillow/Pillow.git
synced 2025-01-27 09:44:31 +03:00
Icns DOS fix -- CVE-2014-3589
Found and reported by Andrew Drake of dropbox.com
This commit is contained in:
parent
cc6610e4f3
commit
205e056f8f
|
@ -179,6 +179,8 @@ class IcnsFile:
|
||||||
i = HEADERSIZE
|
i = HEADERSIZE
|
||||||
while i < filesize:
|
while i < filesize:
|
||||||
sig, blocksize = nextheader(fobj)
|
sig, blocksize = nextheader(fobj)
|
||||||
|
if blocksize <= 0:
|
||||||
|
raise SyntaxError('invalid block header')
|
||||||
i += HEADERSIZE
|
i += HEADERSIZE
|
||||||
blocksize -= HEADERSIZE
|
blocksize -= HEADERSIZE
|
||||||
dct[sig] = (i, blocksize)
|
dct[sig] = (i, blocksize)
|
||||||
|
|
10
Tests/check_icns_dos.py
Normal file
10
Tests/check_icns_dos.py
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
# Tests potential DOS of IcnsImagePlugin with 0 length block.
|
||||||
|
# Run from anywhere that PIL is importable.
|
||||||
|
|
||||||
|
from PIL import Image
|
||||||
|
from io import BytesIO
|
||||||
|
|
||||||
|
if bytes is str:
|
||||||
|
Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00')))
|
||||||
|
else:
|
||||||
|
Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00', 'latin-1')))
|
Loading…
Reference in New Issue
Block a user