python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-01-11 17:56:18 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix for SGI Decode buffer overrun CVE-2020-35655

Browse Source 
* Independently found by a contributor and sent to Tidelift, and by Google's OSS Fuzz.
This commit is contained in:
Eric Soroos 2020-10-29 23:07:15 +00:00 committed by Andrew Murray
parent e6ef8a6c09
commit 7e95c63fa7
4 changed files with 23 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Tests/images/crash-6b7f2244da6d0ae297ee0754a424213444e92778.sgi Normal file
View File

Binary file not shown.

BIN
Tests/images/ossfuzz-5730089102868480.sgi Normal file
View File

Binary file not shown.

8
Tests/test_sgi_crash.py
View File

@ -6,7 +6,13 @@ from PIL import Image
@pytest.mark.parametrize( @pytest.mark.parametrize(
"test_file", "test_file",
["Tests/images/sgi_overrun_expandrowF04.bin", "Tests/images/sgi_crash.bin"], [
"Tests/images/sgi_overrun_expandrowF04.bin",
"Tests/images/sgi_crash.bin",
"Tests/images/crash-6b7f2244da6d0ae297ee0754a424213444e92778.sgi",
"Tests/images/ossfuzz-5730089102868480.sgi",
],
) )
def test_crashes(test_file): def test_crashes(test_file):
with open(test_file, "rb") as f: with open(test_file, "rb") as f:

23
src/libImaging/SgiRleDecode.c
View File

@ -112,11 +112,27 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
int err = 0; int err = 0;
int status; int status;
/* size check */
if (im->xsize > INT_MAX / im->bands ||
im->ysize > INT_MAX / im->bands) {
return IMAGING_CODEC_MEMORY;
}
/* Get all data from File descriptor */ /* Get all data from File descriptor */
c = (SGISTATE*)state->context; c = (SGISTATE*)state->context;
_imaging_seek_pyFd(state->fd, 0L, SEEK_END); _imaging_seek_pyFd(state->fd, 0L, SEEK_END);
c->bufsize = _imaging_tell_pyFd(state->fd); c->bufsize = _imaging_tell_pyFd(state->fd);
c->bufsize -= SGI_HEADER_SIZE; c->bufsize -= SGI_HEADER_SIZE;
c->tablen = im->bands * im->ysize;
/* below, we populate the starttab and lentab into the bufsize,
each with 4 bytes per element of tablen
Check here before we allocate any memory
*/
if (c->bufsize < 8*c->tablen) {
return IMAGING_CODEC_MEMORY;
}
ptr = malloc(sizeof(UINT8) * c->bufsize); ptr = malloc(sizeof(UINT8) * c->bufsize);
if (!ptr) { if (!ptr) {
return IMAGING_CODEC_MEMORY; return IMAGING_CODEC_MEMORY;
@ -134,18 +150,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
state->ystep = 1; state->ystep = 1;
} }
if (im->xsize > INT_MAX / im->bands ||
im->ysize > INT_MAX / im->bands) {
err = IMAGING_CODEC_MEMORY;
goto sgi_finish_decode;
}
/* Allocate memory for RLE tables and rows */ /* Allocate memory for RLE tables and rows */
free(state->buffer); free(state->buffer);
state->buffer = NULL; state->buffer = NULL;
/* malloc overflow check above */ /* malloc overflow check above */
state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2); state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
c->tablen = im->bands * im->ysize;
c->starttab = calloc(c->tablen, sizeof(UINT32)); c->starttab = calloc(c->tablen, sizeof(UINT32));
c->lengthtab = calloc(c->tablen, sizeof(UINT32)); c->lengthtab = calloc(c->tablen, sizeof(UINT32));
if (!state->buffer || if (!state->buffer ||