From 94a0cf1b14f09626c7403af83fa9fef0dfc9bb47 Mon Sep 17 00:00:00 2001
From: Eric Soroos
Date: Sun, 8 Aug 2021 13:54:48 +0200
Subject: [PATCH] Fix 6-byte OOB read in FliDecode

---
 src/libImaging/FliDecode.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index 3a6030703..7a396fb1f 100644
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -223,8 +223,15 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t byt
 break;
 case 16:
 /* COPY chunk */
- if (state->xsize > bytes / state->ysize) {
+ if (INT32_MAX / state->xsize < state->ysize) {
+ /* Integer overflow, bail */
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
+ /* Note, have to check Data + size, not just ptr + size) */
+ if (data + (state->xsize * state->ysize) > ptr + bytes) {
 /* not enough data for frame */
+ /* UNDONE Unclear that we're actually going to leave the buffer at the right place. */
 return ptr - buf; /* bytes consumed */
 }
 for (y = 0; y < state->ysize; y++) {
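Review bot: The second added check, `data + (state->xsize * state->ysize) > ptr + bytes`, bounds the frame by forming a pointer that can lie well past the end of the input buffer, which is undefined behaviour in C and a comparison a compiler is entitled to fold; compare the remaining byte count as an integer instead, `if ((Py_ssize_t)state->xsize * state->ysize > (ptr + bytes) - data) {`. The overflow guard above it divides by `state->xsize`, so unless the caller is already known to reject a zero width — not visible from this hunk — it should open with `state->xsize == 0 ||` to avoid a division by zero on a crafted header. The `UNDONE` comment would be more useful stated as the contract it questions, e.g. `/* Short COPY chunk: report ptr - buf consumed so the caller re-presents this chunk header on the next call */`, once that resumption point has been confirmed. ImagingFliDecode starts and ends outside the hunk.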