mirror of
				https://github.com/python-pillow/Pillow.git
				synced 2025-10-20 18:54:31 +03:00 
			
		
		
		
	Fix for zlib.decompression bomb in iTXt,zTXt, and iCCP chunks
This commit is contained in:
		
							parent
							
								
									4a8471dea1
								
							
						
					
					
						commit
						4a6aac605a
					
				|  | @ -72,6 +72,13 @@ _MODES = { | |||
| 
 | ||||
| _simple_palette = re.compile(b'^\xff+\x00\xff*$') | ||||
| 
 | ||||
| def _safe_zlib_decompress(s): | ||||
|     dobj = zlib.decompressobj() | ||||
|     plaintext = dobj.decompress(s, ImageFile.SAFEBLOCK) | ||||
|     if dobj.unconsumed_tail: | ||||
|         raise ValueError("Decompressed Data Too Large") | ||||
|     return plaintext | ||||
| 
 | ||||
| 
 | ||||
| # -------------------------------------------------------------------- | ||||
| # Support classes.  Suitable for PNG and related formats like MNG etc. | ||||
|  | @ -184,7 +191,6 @@ class PngInfo: | |||
|             tkey = tkey.encode("utf-8", "strict") | ||||
| 
 | ||||
|         if zip: | ||||
|             import zlib | ||||
|             self.add(b"iTXt", key + b"\0\x01\0" + lang + b"\0" + tkey + b"\0" + | ||||
|                      zlib.compress(value)) | ||||
|         else: | ||||
|  | @ -206,7 +212,6 @@ class PngInfo: | |||
|             key = key.encode('latin-1', 'strict') | ||||
| 
 | ||||
|         if zip: | ||||
|             import zlib | ||||
|             self.add(b"zTXt", key + b"\0\0" + zlib.compress(value)) | ||||
|         else: | ||||
|             self.add(b"tEXt", key + b"\0" + value) | ||||
|  | @ -247,7 +252,7 @@ class PngStream(ChunkStream): | |||
|             raise SyntaxError("Unknown compression method %s in iCCP chunk" % | ||||
|                               comp_method) | ||||
|         try: | ||||
|             icc_profile = zlib.decompress(s[i+2:]) | ||||
|             icc_profile = _safe_zlib_decompress(s[i+2:]) | ||||
|         except zlib.error: | ||||
|             icc_profile = None  # FIXME | ||||
|         self.im_info["icc_profile"] = icc_profile | ||||
|  | @ -359,9 +364,8 @@ class PngStream(ChunkStream): | |||
|         if comp_method != 0: | ||||
|             raise SyntaxError("Unknown compression method %s in zTXt chunk" % | ||||
|                               comp_method) | ||||
|         import zlib | ||||
|         try: | ||||
|             v = zlib.decompress(v[1:]) | ||||
|             v = _safe_zlib_decompress(v[1:]) | ||||
|         except zlib.error: | ||||
|             v = b"" | ||||
| 
 | ||||
|  | @ -390,9 +394,8 @@ class PngStream(ChunkStream): | |||
|             return s | ||||
|         if cf != 0: | ||||
|             if cm == 0: | ||||
|                 import zlib | ||||
|                 try: | ||||
|                     v = zlib.decompress(v) | ||||
|                     v = _safe_zlib_decompress(v) | ||||
|                 except zlib.error: | ||||
|                     return s | ||||
|             else: | ||||
|  |  | |||
							
								
								
									
										24
									
								
								Tests/check_png_dos.py
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										24
									
								
								Tests/check_png_dos.py
									
									
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,24 @@ | |||
| from helper import unittest, PillowTestCase | ||||
| import sys | ||||
| from PIL import Image | ||||
| from io import BytesIO | ||||
| 
 | ||||
| test_file = "Tests/images/png_decompression_dos.png" | ||||
| 
 | ||||
| @unittest.skipIf(sys.platform.startswith('win32'), "requires Unix or MacOS") | ||||
| class TestPngDos(PillowTestCase): | ||||
| 
 | ||||
|     def test_dos_text(self): | ||||
| 
 | ||||
|         try: | ||||
|             im = Image.open(test_file) | ||||
|             im.load() | ||||
|         except ValueError as msg: | ||||
|             self.assert_(msg, "Decompressed Data Too Large") | ||||
|             return | ||||
| 
 | ||||
|         for s in im.text.values(): | ||||
|             self.assert_(len(s) < 1024*1024, "Text chunk larger than 1M") | ||||
| 
 | ||||
| if __name__ == '__main__': | ||||
|     unittest.main() | ||||
							
								
								
									
										
											BIN
										
									
								
								Tests/images/png_decompression_dos.png
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								Tests/images/png_decompression_dos.png
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| After Width: | Height: | Size: 6.1 KiB | 
		Loading…
	
		Reference in New Issue
	
	Block a user