python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-01-12 10:16:17 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix 6-byte OOB read in FliDecode

Browse Source
This commit is contained in:
Eric Soroos 2021-08-08 13:54:48 +02:00 committed by Hugo van Kemenade
parent cece64f4be
commit 94a0cf1b14
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/libImaging/FliDecode.c
View File

@ -223,8 +223,15 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t byt
break;
case 16:
/* COPY chunk */
if (state->xsize > bytes / state->ysize) {
if (INT32_MAX / state->xsize < state->ysize) {
/* Integer overflow, bail */
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
}
/* Note, have to check Data + size, not just ptr + size) */
if (data + (state->xsize * state->ysize) > ptr + bytes) {
/* not enough data for frame */
/* UNDONE Unclear that we're actually going to leave the buffer at the right place. */
return ptr - buf; /* bytes consumed */
}
for (y = 0; y < state->ysize; y++) {