mirror of
https://github.com/python-pillow/Pillow.git
synced 2025-01-26 09:14:27 +03:00
Fix for CVE CVE-2020-35655 - Read Overflow in PCX Decoding.
* Don't trust the image to specify a buffer size
This commit is contained in:
parent
0c39689690
commit
2f409261eb
BIN
Tests/images/ossfuzz-4836216264589312.pcx
Normal file
BIN
Tests/images/ossfuzz-4836216264589312.pcx
Normal file
Binary file not shown.
|
@ -775,26 +775,29 @@ class TestImage:
|
|||
with pytest.warns(DeprecationWarning):
|
||||
assert test_module.PILLOW_VERSION > "7.0.0"
|
||||
|
||||
def test_overrun(self):
|
||||
"""For overrun completeness, test as:
|
||||
valgrind pytest -qq Tests/test_image.py::TestImage::test_overrun | grep decode.c
|
||||
"""
|
||||
for file in [
|
||||
@pytest.mark.parametrize("path", [
|
||||
"fli_overrun.bin",
|
||||
"sgi_overrun.bin",
|
||||
"sgi_overrun_expandrow.bin",
|
||||
"sgi_overrun_expandrow2.bin",
|
||||
"pcx_overrun.bin",
|
||||
"pcx_overrun2.bin",
|
||||
"ossfuzz-4836216264589312.pcx",
|
||||
"01r_00.pcx",
|
||||
]:
|
||||
with Image.open(os.path.join("Tests/images", file)) as im:
|
||||
try:
|
||||
im.load()
|
||||
assert False
|
||||
except OSError as e:
|
||||
assert str(e) == "buffer overrun when reading image file"
|
||||
])
|
||||
def test_overrun(self, path):
|
||||
"""For overrun completeness, test as:
|
||||
valgrind pytest -qq Tests/test_image.py::TestImage::test_overrun | grep decode.c
|
||||
"""
|
||||
with Image.open(os.path.join("Tests/images", path)) as im:
|
||||
try:
|
||||
im.load()
|
||||
assert False
|
||||
except OSError as e:
|
||||
assert (str(e) == "buffer overrun when reading image file" or
|
||||
"image file is truncated" in str(e))
|
||||
|
||||
def test_fli_overrun2(self):
|
||||
with Image.open("Tests/images/fli_overrun2.bin") as im:
|
||||
try:
|
||||
im.seek(1)
|
||||
|
|
|
@ -66,13 +66,13 @@ class PcxImageFile(ImageFile.ImageFile):
|
|||
version = s[1]
|
||||
bits = s[3]
|
||||
planes = s[65]
|
||||
stride = i16(s, 66)
|
||||
ignored_stride = i16(s, 66)
|
||||
logger.debug(
|
||||
"PCX version %s, bits %s, planes %s, stride %s",
|
||||
version,
|
||||
bits,
|
||||
planes,
|
||||
stride,
|
||||
ignored_stride,
|
||||
)
|
||||
|
||||
self.info["dpi"] = i16(s, 12), i16(s, 14)
|
||||
|
@ -110,6 +110,11 @@ class PcxImageFile(ImageFile.ImageFile):
|
|||
self.mode = mode
|
||||
self._size = bbox[2] - bbox[0], bbox[3] - bbox[1]
|
||||
|
||||
# don't trust the passed in stride. Calculate for ourselves.
|
||||
# CVE-2020-35655
|
||||
stride = (self._size[0] * bits + 7) // 8
|
||||
stride += stride % 2
|
||||
|
||||
bbox = (0, 0) + self.size
|
||||
logger.debug("size: %sx%s", *self.size)
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user