Fix for zlib.decompression bomb in iTXt,zTXt, and iCCP chunks

2025-01-12 02:06:18 +03:00 · 2014-11-30 23:31:29 -08:00 · 2014-11-30 23:31:29 -08:00 · 44286ba3c9
commit 44286ba3c9
parent 967247d45c
3 changed files with 34 additions and 3 deletions
--- a/PIL/PngImagePlugin.py
+++ b/PIL/PngImagePlugin.py
@ -72,6 +72,13 @@ _MODES = {

 _simple_palette = re.compile(b'^\xff+\x00\xff*$')

+def _safe_zlib_decompress(s):
+    dobj = zlib.decompressobj()
+    plaintext = dobj.decompress(s, ImageFile.SAFEBLOCK)
+    if dobj.unconsumed_tail:
+        raise ValueError("Decompressed Data Too Large")
+    return plaintext
+

 # --------------------------------------------------------------------
 # Support classes.  Suitable for PNG and related formats like MNG etc.
@ -278,7 +285,7 @@ class PngStream(ChunkStream):
            raise SyntaxError("Unknown compression method %s in iCCP chunk" %
                              comp_method)
        try:
-            icc_profile = zlib.decompress(s[i+2:])
+            icc_profile = _safe_zlib_decompress(s[i+2:])
        except zlib.error:
            icc_profile = None  # FIXME
        self.im_info["icc_profile"] = icc_profile
@ -391,7 +398,7 @@ class PngStream(ChunkStream):
            raise SyntaxError("Unknown compression method %s in zTXt chunk" %
                              comp_method)
        try:
-            v = zlib.decompress(v[1:])
+            v = _safe_zlib_decompress(v[1:])
        except zlib.error:
            v = b""

@ -421,7 +428,7 @@ class PngStream(ChunkStream):
        if cf != 0:
            if cm == 0:
                try:
-                    v = zlib.decompress(v)
+                    v = _safe_zlib_decompress(v)
                except zlib.error:
                    return s
            else:
--- a/Tests/check_png_dos.py
+++ b/Tests/check_png_dos.py
@ -0,0 +1,24 @@
+from helper import unittest, PillowTestCase
+import sys
+from PIL import Image
+from io import BytesIO
+
+test_file = "Tests/images/png_decompression_dos.png"
+
+@unittest.skipIf(sys.platform.startswith('win32'), "requires Unix or MacOS")
+class TestPngDos(PillowTestCase):
+
+    def test_dos_text(self):
+
+        try:
+            im = Image.open(test_file)
+            im.load()
+        except ValueError as msg:
+            self.assert_(msg, "Decompressed Data Too Large")
+            return
+
+        for s in im.text.values():
+            self.assert_(len(s) < 1024*1024, "Text chunk larger than 1M")
+
+if __name__ == '__main__':
+    unittest.main()
--- a/Tests/images/png_decompression_dos.png
+++ b/Tests/images/png_decompression_dos.png