Catch PCX P mode buffer overrun

Andrew Murray 2019-12-21 18:38:22 +11:00
parent a09acd0dec
commit 93b22b846e
3 changed files with 9 additions and 1 deletions

Binary file not shown.


@ -590,7 +590,12 @@ class TestImage(PillowTestCase):
self.assertFalse(fp.closed) self.assertFalse(fp.closed)
def test_overrun(self): def test_overrun(self):
for file in ["fli_overrun.bin", "sgi_overrun.bin", "pcx_overrun.bin"]: for file in [
"fli_overrun.bin",
"sgi_overrun.bin",
"pcx_overrun.bin",
"pcx_overrun2.bin",
]:
im = Image.open(os.path.join("Tests/images", file)) im = Image.open(os.path.join("Tests/images", file))
try: try:
im.load() im.load()
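Review bot: A failure inside this loop will not say which of the four fixtures triggered it, and the first failing file stops the remaining ones from being exercised, which matters now that two PCX overrun cases share the test. Wrapping the loop body in `with self.subTest(file=file):` would report each fixture separately, provided the supported Python versions all have `subTest`. A short comment on the new entry, such as `# PCX, P mode: xsize larger than the line buffer`, would record which decoder path `pcx_overrun2.bin` covers. The `try:` block continues outside the hunk.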


@ -25,6 +25,9 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) { if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
state->errcode = IMAGING_CODEC_OVERRUN; state->errcode = IMAGING_CODEC_OVERRUN;
return -1; return -1;
} else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
} }
ptr = buf; ptr = buf;
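Review bot: The new `else if` branch bounds-checks only mode "P", so together with the existing mode "1" branch the guard still works by enumerating modes by string. Any other mode this decoder is configured for (none are visible in the hunk) would reach `ptr = buf;` with no comparison of `state->xsize` against `state->bytes`. A mode-independent bound would cover the whole class in one place, for example `if ((state->xsize * state->bits + 7) / 8 > state->bytes) {` replacing both branches, assuming `state->bits` holds the bits per pixel set up for the decoder; confirm that against the plugin that configures it. A comment such as `/* a row of xsize pixels must fit in the state->bytes line buffer */` would state the invariant next to the check. The body of ImagingPcxDecode continues outside the hunk.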