Fix Memory DOS in Icns, Ico and Blp Image Plugins

Some container plugins that could contain images of other formats, such as the ICNS format, did not properly check the reported size of the contained image. These images could cause arbitrariliy large memory allocations. This is fixed for all locations where individual *ImageFile classes are created without going through the usual Image.open method.
2024-09-20 19:08:58 +03:00 · 2021-02-24 23:27:07 +01:00 · 2021-02-24 23:27:07 +01:00 · 480f6819b5
commit 480f6819b5
parent b511d704ae
5 changed files with 10 additions and 0 deletions
--- a/Tests/images/oom-8ed3316a4109213ca96fb8a256a0bfefdece1461.icns
+++ b/Tests/images/oom-8ed3316a4109213ca96fb8a256a0bfefdece1461.icns
--- a/Tests/test_file_icns.py
+++ b/Tests/test_file_icns.py
@ -140,3 +140,9 @@ def test_not_an_icns_file():
    with io.BytesIO(b"invalid\n") as fp:
        with pytest.raises(SyntaxError):
            IcnsImagePlugin.IcnsFile(fp)
+
+
+def test_icns_decompression_bomb():
+    with pytest.raises(Image.DecompressionBombError):
+        im = Image.open('Tests/images/oom-8ed3316a4109213ca96fb8a256a0bfefdece1461.icns')
+        im.load()
--- a/src/PIL/BlpImagePlugin.py
+++ b/src/PIL/BlpImagePlugin.py
@ -353,6 +353,7 @@ class BLP1Decoder(_BLPBaseDecoder):
        data = jpeg_header + data
        data = BytesIO(data)
        image = JpegImageFile(data)
+        Image._decompression_bomb_check(image.size)
        self.tile = image.tile  # :/
        self.fd = image.fp
        self.mode = image.mode
--- a/src/PIL/IcnsImagePlugin.py
+++ b/src/PIL/IcnsImagePlugin.py
@ -105,6 +105,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
    if sig[:8] == b"\x89PNG\x0d\x0a\x1a\x0a":
        fobj.seek(start)
        im = PngImagePlugin.PngImageFile(fobj)
+        Image._decompression_bomb_check(im.size)
        return {"RGBA": im}
    elif (
        sig[:4] == b"\xff\x4f\xff\x51"
@ -121,6 +122,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
        jp2kstream = fobj.read(length)
        f = io.BytesIO(jp2kstream)
        im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
+        Image._decompression_bomb_check(im.size)
        if im.mode != "RGBA":
            im = im.convert("RGBA")
        return {"RGBA": im}
--- a/src/PIL/IcoImagePlugin.py
+++ b/src/PIL/IcoImagePlugin.py
@ -178,6 +178,7 @@ class IcoFile:
        if data[:8] == PngImagePlugin._MAGIC:
            # png frame
            im = PngImagePlugin.PngImageFile(self.buf)
+            Image._decompression_bomb_check(im.size)
        else:
            # XOR + AND mask bmp frame
            im = BmpImagePlugin.DibImageFile(self.buf)