python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-01-12 02:06:18 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix for zlib.decompression bomb in iTXt,zTXt, and iCCP chunks

Browse Source
This commit is contained in:
wiredfool 2014-11-30 23:31:29 -08:00
parent 967247d45c
commit 44286ba3c9
3 changed files with 34 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
PIL/PngImagePlugin.py
View File

@ -72,6 +72,13 @@ _MODES = {
_simple_palette = re.compile(b'^\xff+\x00\xff*$') _simple_palette = re.compile(b'^\xff+\x00\xff*$')
def _safe_zlib_decompress(s):
dobj = zlib.decompressobj()
plaintext = dobj.decompress(s, ImageFile.SAFEBLOCK)
if dobj.unconsumed_tail:
raise ValueError("Decompressed Data Too Large")
return plaintext
# -------------------------------------------------------------------- # --------------------------------------------------------------------
# Support classes. Suitable for PNG and related formats like MNG etc. # Support classes. Suitable for PNG and related formats like MNG etc.
@ -278,7 +285,7 @@ class PngStream(ChunkStream):
raise SyntaxError("Unknown compression method %s in iCCP chunk" % raise SyntaxError("Unknown compression method %s in iCCP chunk" %
comp_method) comp_method)
try: try:
icc_profile = zlib.decompress(s[i+2:]) icc_profile = _safe_zlib_decompress(s[i+2:])
except zlib.error: except zlib.error:
icc_profile = None # FIXME icc_profile = None # FIXME
self.im_info["icc_profile"] = icc_profile self.im_info["icc_profile"] = icc_profile
@ -391,7 +398,7 @@ class PngStream(ChunkStream):
raise SyntaxError("Unknown compression method %s in zTXt chunk" % raise SyntaxError("Unknown compression method %s in zTXt chunk" %
comp_method) comp_method)
try: try:
v = zlib.decompress(v[1:]) v = _safe_zlib_decompress(v[1:])
except zlib.error: except zlib.error:
v = b"" v = b""
@ -421,7 +428,7 @@ class PngStream(ChunkStream):
if cf != 0: if cf != 0:
if cm == 0: if cm == 0:
try: try:
v = zlib.decompress(v) v = _safe_zlib_decompress(v)
except zlib.error: except zlib.error:
return s return s
else: else:

24
Tests/check_png_dos.py Normal file
View File

@ -0,0 +1,24 @@
from helper import unittest, PillowTestCase
import sys
from PIL import Image
from io import BytesIO
test_file = "Tests/images/png_decompression_dos.png"
@unittest.skipIf(sys.platform.startswith('win32'), "requires Unix or MacOS")
class TestPngDos(PillowTestCase):
def test_dos_text(self):
try:
im = Image.open(test_file)
im.load()
except ValueError as msg:
self.assert_(msg, "Decompressed Data Too Large")
return
for s in im.text.values():
self.assert_(len(s) < 1024*1024, "Text chunk larger than 1M")
if __name__ == '__main__':
unittest.main()

BIN
Tests/images/png_decompression_dos.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.1 KiB