CVE-2021-25291, CVE-2020-35654: fix TiffDecode heap-based buffer overflow

CHANGES.rst

@@ -10,6 +10,9 @@ Changelog (Pillow)
 - Catch SGI out-of-bounds reads. CVE 2020-11538
   [ucodery]
 
+- Catch TiffDecode heap-based buffer overflow. CVE 2021-25289
+  [ucodery]
+
 6.2.2 (2020-01-02)
 ------------------
 

Tests/test_tiff_crashes.py

@@ -0,0 +1,11 @@
+import pytest
+
+from PIL import Image
+
+@pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")
+@pytest.mark.filterwarnings("ignore:Metadata warning")
+def test_tiff_crashes():
+    test_file = "Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif"
+    with pytest.raises(IOError):
+        with Image.open(test_file) as im:
+            im.load()

docs/releasenotes/6.2.2.1.rst

@@ -6,5 +6,8 @@ Security
 
 This release addresses CVE-2020-11538.
 
-CVE-2019-11538 is regarding SGI images. An out-of-bounds read can occur in the
+CVE-2020-11538 is regarding SGI images. An out-of-bounds read can occur in the
 parsing of SGI image files.
+
+CVE-2021-25289 is regarding Tiff images. A heap-based buffer overflow can occur
+when decoding crafted YCbCr files.

src/libImaging/TiffDecode.c

@@ -378,6 +378,12 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
 
         for (y = state->yoff; y < state->ysize; y += tile_length) {
             for (x = state->xoff; x < state->xsize; x += tile_width) {
+                if (!TIFFCheckTile(tiff, x, y, 0, 0)) {
+                    TRACE(("Check Tile Error, Tile at %dx%d\n", x, y));
+                    state->errcode = IMAGING_CODEC_BROKEN;
+                    TIFFClose(tiff);
+                    return -1;
+                }
                 if (ReadTile(tiff, x, y, (UINT32*) state->buffer) == -1) {
                     TRACE(("Decode Error, Tile at %dx%d\n", x, y));
                     state->errcode = IMAGING_CODEC_BROKEN;