			
		
		
		
	Catch FLI buffer overrun
		
							parent
							
								
									774e53bb13
								
							
						
					
					
						commit
						a09acd0dec
					
				
							
								
								
									
										
											BIN
										
									
								
								Tests/images/fli_overrun2.bin
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								Tests/images/fli_overrun2.bin
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							|  | @ -598,6 +598,13 @@ class TestImage(PillowTestCase): | ||||||
|             except IOError as e: |             except IOError as e: | ||||||
|                 self.assertEqual(str(e), "buffer overrun when reading image file") |                 self.assertEqual(str(e), "buffer overrun when reading image file") | ||||||
| 
 | 
 | ||||||
|  |         with Image.open("Tests/images/fli_overrun2.bin") as im: | ||||||
|  |             try: | ||||||
|  |                 im.seek(1) | ||||||
|  |                 self.assertFail() | ||||||
|  |             except IOError as e: | ||||||
|  |                 self.assertEqual(str(e), "buffer overrun when reading image file") | ||||||
|  | 
 | ||||||
| 
 | 
 | ||||||
| class MockEncoder(object): | class MockEncoder(object): | ||||||
|     pass |     pass | ||||||
|  |  | ||||||
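Review bot: `self.assertFail()` on the added line after `im.seek(1)` is not a standard `unittest.TestCase` method, so unless `PillowTestCase` defines it (not visible here), a seek that wrongly succeeds would surface as an AttributeError instead of a clean test failure. Stating the expectation directly is shorter and drops the try/except: `with self.assertRaises(IOError) as cm:`, then `im.seek(1)` inside it, then `self.assertEqual(str(cm.exception), "buffer overrun when reading image file")`. The enclosing test method starts above the hunk, and the context lines suggest the preceding case follows the same pattern, so it may be worth changing both together.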
|  | @ -40,8 +40,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt | ||||||
| 	return 0; | 	return 0; | ||||||
| 
 | 
 | ||||||
|     /* We don't decode anything unless we have a full chunk in the
 |     /* We don't decode anything unless we have a full chunk in the
 | ||||||
|        input buffer (on the other hand, the Python part of the driver |        input buffer */ | ||||||
|        makes sure this is always the case) */ |  | ||||||
| 
 | 
 | ||||||
|     ptr = buf; |     ptr = buf; | ||||||
| 
 | 
 | ||||||
|  | @ -52,6 +51,10 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt | ||||||
|     /* Make sure this is a frame chunk.  The Python driver takes
 |     /* Make sure this is a frame chunk.  The Python driver takes
 | ||||||
|        case of other chunk types. */ |        case of other chunk types. */ | ||||||
| 
 | 
 | ||||||
|  |     if (bytes < 8) { | ||||||
|  |         state->errcode = IMAGING_CODEC_OVERRUN; | ||||||
|  |         return -1; | ||||||
|  |     } | ||||||
|     if (I16(ptr+4) != 0xF1FA) { |     if (I16(ptr+4) != 0xF1FA) { | ||||||
| 	state->errcode = IMAGING_CODEC_UNKNOWN; | 	state->errcode = IMAGING_CODEC_UNKNOWN; | ||||||
| 	return -1; | 	return -1; | ||||||
|  |  | ||||||
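Review bot: The threshold in the added `if (bytes < 8)` guard is unexplained: the only read visible after it is `I16(ptr+4)`, which needs six bytes, so the 8 presumably covers a further header field read below the hunk. A short comment such as `/* need 8 header bytes: the frame-type word at ptr+4 and the field after it */` would make the bound checkable, and if the code after the hunk reads or skips further into the frame header, the threshold has to cover that as well. The first hunk removes the statement that the Python driver guarantees a full chunk but keeps "We don't decode anything unless we have a full chunk"; nothing visible compares `bytes` with the chunk size, so either that comparison sits between the two hunks or the comment now promises more than the decoder enforces. ImagingFliDecode starts before and continues after both hunks, so the later per-chunk reads could not be checked from here.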