python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-01-26 09:14:27 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix 6-byte OOB read in FliDecode

Browse Source
This commit is contained in:
Eric Soroos 2021-08-08 13:54:48 +02:00 committed by Hugo van Kemenade
parent cece64f4be
commit 94a0cf1b14
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/libImaging/FliDecode.c
View File

@ -223,8 +223,15 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t byt
break; break;
case 16: case 16:
/* COPY chunk */ /* COPY chunk */
if (state->xsize > bytes / state->ysize) { if (INT32_MAX / state->xsize < state->ysize) {
/* Integer overflow, bail */
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
}
/* Note, have to check Data + size, not just ptr + size) */
if (data + (state->xsize * state->ysize) > ptr + bytes) {
/* not enough data for frame */ /* not enough data for frame */
/* UNDONE Unclear that we're actually going to leave the buffer at the right place. */
return ptr - buf; /* bytes consumed */ return ptr - buf; /* bytes consumed */
} }
for (y = 0; y < state->ysize; y++) { for (y = 0; y < state->ysize; y++) {