python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-01-14 19:36:38 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4507 from hugovk/fix_tiff

Browse Source 
Fix 2 buffer overflows in TIFF decoding
This commit is contained in:
Hugo van Kemenade 2020-04-01 12:51:04 +03:00 committed by GitHub
commit 46f4a349b8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 49 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
Tests/check_tiff_crashes.py Normal file
View File

@ -0,0 +1,29 @@
#!/usr/bin/env python
# Reproductions/tests for crashes/read errors in TiffDecode.c
# When run in python, all of these images should fail for
# one reason or another, either as a buffer overrun,
# unrecognized datastream, or truncated image file.
# There shouldn't be any segfaults.
#
# if run like
# `valgrind --tool=memcheck python check_tiff_crashes.py 2>&1 | grep TiffDecode.c`
# the output should be empty. There may be python issues
# in the valgrind especially if run in a debug python
# version.
from PIL import Image
repro_read_strip = (
"images/crash_1.tif",
"images/crash_2.tif",
)
for path in repro_read_strip:
with Image.open(path) as im:
try:
im.load()
except Exception as msg:
print(msg)

BIN
Tests/images/crash_1.tif Normal file
View File

Binary file not shown.

BIN
Tests/images/crash_2.tif Normal file
View File

Binary file not shown.

21
src/libImaging/TiffDecode.c
View File

@ -171,7 +171,7 @@ int ImagingLibTiffInit(ImagingCodecState state, int fp, uint32 offset) {
int ReadTile(TIFF* tiff, UINT32 col, UINT32 row, UINT32* buffer) { int ReadTile(TIFF* tiff, UINT32 col, UINT32 row, UINT32* buffer) {
uint16 photometric; uint16 photometric = 0;
TIFFGetField(tiff, TIFFTAG_PHOTOMETRIC, &photometric); TIFFGetField(tiff, TIFFTAG_PHOTOMETRIC, &photometric);
@ -228,7 +228,7 @@ int ReadTile(TIFF* tiff, UINT32 col, UINT32 row, UINT32* buffer) {
} }
int ReadStrip(TIFF* tiff, UINT32 row, UINT32* buffer) { int ReadStrip(TIFF* tiff, UINT32 row, UINT32* buffer) {
uint16 photometric; uint16 photometric = 0; // init to not PHOTOMETRIC_YCBCR
TIFFGetField(tiff, TIFFTAG_PHOTOMETRIC, &photometric); TIFFGetField(tiff, TIFFTAG_PHOTOMETRIC, &photometric);
// To avoid dealing with YCbCr subsampling, let libtiff handle it // To avoid dealing with YCbCr subsampling, let libtiff handle it
@ -363,6 +363,13 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
state->bytes = row_byte_size * tile_length; state->bytes = row_byte_size * tile_length;
if (TIFFTileSize(tiff) > state->bytes) {
// If the strip size as expected by LibTiff isn't what we're expecting, abort.
state->errcode = IMAGING_CODEC_MEMORY;
TIFFClose(tiff);
return -1;
}
/* realloc to fit whole tile */ /* realloc to fit whole tile */
/* malloc check above */ /* malloc check above */
new_data = realloc (state->buffer, state->bytes); new_data = realloc (state->buffer, state->bytes);
@ -429,6 +436,16 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
TRACE(("StripSize: %d \n", state->bytes)); TRACE(("StripSize: %d \n", state->bytes));
if (TIFFStripSize(tiff) > state->bytes) {
// If the strip size as expected by LibTiff isn't what we're expecting, abort.
// man: TIFFStripSize returns the equivalent size for a strip of data as it would be returned in a
// call to TIFFReadEncodedStrip ...
state->errcode = IMAGING_CODEC_MEMORY;
TIFFClose(tiff);
return -1;
}
/* realloc to fit whole strip */ /* realloc to fit whole strip */
/* malloc check above */ /* malloc check above */
new_data = realloc (state->buffer, state->bytes); new_data = realloc (state->buffer, state->bytes);