Overflow checks for realloc for tiff decoding

This commit is contained in:
Andrew Murray 2020-01-01 16:38:37 +11:00
parent a79b65c47c
commit 4e2def2539
3 changed files with 24 additions and 3 deletions

Binary file not shown.

View File

@ -870,3 +870,13 @@ class TestFileLibTiff(LibTiffTestCase):
out.seek(0)
with Image.open(out) as im:
im.load()
def test_realloc_overflow(self):
TiffImagePlugin.READ_LIBTIFF = True
with Image.open("Tests/images/tiff_overflow_rows_per_strip.tif") as im:
with self.assertRaises(IOError) as e:
im.load()
# Assert that the error code is IMAGING_CODEC_MEMORY
self.assertEqual(str(e.exception), "-9")
TiffImagePlugin.READ_LIBTIFF = False

View File

@ -353,16 +353,18 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
// We could use TIFFTileSize, but for YCbCr data it returns subsampled data size
row_byte_size = (tile_width * state->bits + 7) / 8;
state->bytes = row_byte_size * tile_length;
/* overflow check for malloc */
if (state->bytes > INT_MAX - 1) {
/* overflow check for realloc */
if (INT_MAX / row_byte_size < tile_length) {
state->errcode = IMAGING_CODEC_MEMORY;
TIFFClose(tiff);
return -1;
}
state->bytes = row_byte_size * tile_length;
/* realloc to fit whole tile */
/* malloc check above */
new_data = realloc (state->buffer, state->bytes);
if (!new_data) {
state->errcode = IMAGING_CODEC_MEMORY;
@ -415,11 +417,20 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
// We could use TIFFStripSize, but for YCbCr data it returns subsampled data size
row_byte_size = (state->xsize * state->bits + 7) / 8;
/* overflow check for realloc */
if (INT_MAX / row_byte_size < rows_per_strip) {
state->errcode = IMAGING_CODEC_MEMORY;
TIFFClose(tiff);
return -1;
}
state->bytes = rows_per_strip * row_byte_size;
TRACE(("StripSize: %d \n", state->bytes));
/* realloc to fit whole strip */
/* malloc check above */
new_data = realloc (state->buffer, state->bytes);
if (!new_data) {
state->errcode = IMAGING_CODEC_MEMORY;