Fix for CVE CVE-2020-35655 - Read Overflow in PCX Decoding.

* Don't trust the image to specify a buffer size
This commit is contained in:
Eric Soroos 2020-12-17 00:17:53 +01:00 committed by Andrew Murray
parent 0c39689690
commit 2f409261eb
3 changed files with 22 additions and 14 deletions

Binary file not shown.

View File

@ -775,26 +775,29 @@ class TestImage:
with pytest.warns(DeprecationWarning):
assert test_module.PILLOW_VERSION > "7.0.0"
def test_overrun(self):
"""For overrun completeness, test as:
valgrind pytest -qq Tests/test_image.py::TestImage::test_overrun | grep decode.c
"""
for file in [
@pytest.mark.parametrize("path", [
"fli_overrun.bin",
"sgi_overrun.bin",
"sgi_overrun_expandrow.bin",
"sgi_overrun_expandrow2.bin",
"pcx_overrun.bin",
"pcx_overrun2.bin",
"ossfuzz-4836216264589312.pcx",
"01r_00.pcx",
]:
with Image.open(os.path.join("Tests/images", file)) as im:
try:
im.load()
assert False
except OSError as e:
assert str(e) == "buffer overrun when reading image file"
])
def test_overrun(self, path):
"""For overrun completeness, test as:
valgrind pytest -qq Tests/test_image.py::TestImage::test_overrun | grep decode.c
"""
with Image.open(os.path.join("Tests/images", path)) as im:
try:
im.load()
assert False
except OSError as e:
assert (str(e) == "buffer overrun when reading image file" or
"image file is truncated" in str(e))
def test_fli_overrun2(self):
with Image.open("Tests/images/fli_overrun2.bin") as im:
try:
im.seek(1)

View File

@ -66,13 +66,13 @@ class PcxImageFile(ImageFile.ImageFile):
version = s[1]
bits = s[3]
planes = s[65]
stride = i16(s, 66)
ignored_stride = i16(s, 66)
logger.debug(
"PCX version %s, bits %s, planes %s, stride %s",
version,
bits,
planes,
stride,
ignored_stride,
)
self.info["dpi"] = i16(s, 12), i16(s, 14)
@ -110,6 +110,11 @@ class PcxImageFile(ImageFile.ImageFile):
self.mode = mode
self._size = bbox[2] - bbox[0], bbox[3] - bbox[1]
# don't trust the passed in stride. Calculate for ourselves.
# CVE-2020-35655
stride = (self._size[0] * bits + 7) // 8
stride += stride % 2
bbox = (0, 0) + self.size
logger.debug("size: %sx%s", *self.size)