diff --git a/Tests/images/combined_larger_than_size.psd b/Tests/images/combined_larger_than_size.psd new file mode 100644 index 000000000..2e6caef39 Binary files /dev/null and b/Tests/images/combined_larger_than_size.psd differ diff --git a/Tests/images/raw_negative_stride.bin b/Tests/images/raw_negative_stride.bin new file mode 100644 index 000000000..312e82a5f Binary files /dev/null and b/Tests/images/raw_negative_stride.bin differ diff --git a/Tests/test_file_psd.py b/Tests/test_file_psd.py index f55ee1dcb..8381ceaef 100644 --- a/Tests/test_file_psd.py +++ b/Tests/test_file_psd.py @@ -87,3 +87,12 @@ class TestImagePsd(PillowTestCase): im = Image.open("Tests/images/hopper_merged.psd") self.assertNotIn("icc_profile", im.info) + + def test_combined_larger_than_size(self): + # The 'combined' sizes of the individual parts is larger than the + # declared 'size' of the extra data field, resulting in a backwards seek. + + # If we instead take the 'size' of the extra data field as the source of truth, + # then the seek can't be negative + with self.assertRaises(IOError): + Image.open("Tests/images/combined_larger_than_size.psd") diff --git a/Tests/test_imagefile.py b/Tests/test_imagefile.py index ceccd2285..a367f62df 100644 --- a/Tests/test_imagefile.py +++ b/Tests/test_imagefile.py @@ -103,6 +103,14 @@ class TestImageFile(PillowTestCase): parser = ImageFile.Parser() parser.feed(1) + def test_negative_stride(self): + with open("Tests/images/raw_negative_stride.bin", "rb") as f: + input = f.read() + p = ImageFile.Parser() + p.feed(input) + with self.assertRaises(IOError): + p.close() + def test_truncated_with_errors(self): if "zip_encoder" not in codecs: self.skipTest("PNG (zlib) encoder not available") diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py index 9eb0c0966..f72ad5f44 100644 --- a/src/PIL/PsdImagePlugin.py +++ b/src/PIL/PsdImagePlugin.py @@ -224,9 +224,11 @@ def _layerinfo(file): # skip over blend flags and extra information read(12) # filler name = "" - size = i32(read(4)) + size = i32(read(4)) # length of the extra data field combined = 0 if size: + data_end = file.tell() + size + length = i32(read(4)) if length: file.seek(length - 16, io.SEEK_CUR) @@ -244,7 +246,7 @@ def _layerinfo(file): name = read(length).decode("latin-1", "replace") combined += length + 1 - file.seek(size - combined, io.SEEK_CUR) + file.seek(data_end) layers.append((name, mode, (x0, y0, x1, y1))) # get tiles diff --git a/src/libImaging/RawDecode.c b/src/libImaging/RawDecode.c index 774d4245b..c069bdb88 100644 --- a/src/libImaging/RawDecode.c +++ b/src/libImaging/RawDecode.c @@ -33,8 +33,15 @@ ImagingRawDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt /* get size of image data and padding */ state->bytes = (state->xsize * state->bits + 7) / 8; - rawstate->skip = (rawstate->stride) ? - rawstate->stride - state->bytes : 0; + if (rawstate->stride) { + rawstate->skip = rawstate->stride - state->bytes; + if (rawstate->skip < 0) { + state->errcode = IMAGING_CODEC_CONFIG; + return -1; + } + } else { + rawstate->skip = 0; + } /* check image orientation */ if (state->ystep < 0) {