python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-02-10 08:30:49 +03:00
Code Issues Packages Projects Releases Wiki Activity

Catch buffer overruns

Browse Source
This commit is contained in:
Andrew Murray 2019-09-30 18:45:43 +10:00
parent 152ed62b21
commit ab52630d06
7 changed files with 30 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Tests/images/fli_overrun.bin Normal file
View File

Binary file not shown.

BIN
Tests/images/pcx_overrun.bin Normal file
View File

Binary file not shown.

BIN
Tests/images/sgi_overrun.bin Normal file
View File

Binary file not shown.

9
Tests/test_image.py
View File

@ -589,6 +589,15 @@ class TestImage(PillowTestCase):
self.assertFalse(fp.closed) self.assertFalse(fp.closed)
def test_overrun(self):
for file in ["fli_overrun.bin", "sgi_overrun.bin", "pcx_overrun.bin"]:
im = Image.open(os.path.join("Tests/images", file))
try:
im.load()
self.assertFail()
except IOError as e:
self.assertEqual(str(e), "buffer overrun when reading image file")
class MockEncoder(object): class MockEncoder(object):
pass pass

14
src/libImaging/FliDecode.c
View File

@ -30,7 +30,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
{ {
UINT8* ptr; UINT8* ptr;
int framesize; int framesize;
int c, chunks; int c, chunks, advance;
int l, lines; int l, lines;
int i, j, x = 0, y, ymax; int i, j, x = 0, y, ymax;
@ -59,10 +59,16 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
chunks = I16(ptr+6); chunks = I16(ptr+6);
ptr += 16; ptr += 16;
bytes -= 16;
/* Process subchunks */ /* Process subchunks */
for (c = 0; c < chunks; c++) { for (c = 0; c < chunks; c++) {
UINT8 *data = ptr + 6; UINT8* data;
if (bytes < 10) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
}
data = ptr + 6;
switch (I16(ptr+4)) { switch (I16(ptr+4)) {
case 4: case 11: case 4: case 11:
/* FLI COLOR chunk */ /* FLI COLOR chunk */
@ -198,7 +204,9 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
state->errcode = IMAGING_CODEC_UNKNOWN; state->errcode = IMAGING_CODEC_UNKNOWN;
return -1; return -1;
} }
ptr += I32(ptr); advance = I32(ptr);
ptr += advance;
bytes -= advance;
} }
return -1; /* end of frame */ return -1; /* end of frame */

5
src/libImaging/PcxDecode.c
View File

@ -22,6 +22,11 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
UINT8 n; UINT8 n;
UINT8* ptr; UINT8* ptr;
if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
}
ptr = buf; ptr = buf;
for (;;) { for (;;) {

5
src/libImaging/SgiRleDecode.c
View File

@ -157,6 +157,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize]; c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize];
c->rleoffset -= SGI_HEADER_SIZE; c->rleoffset -= SGI_HEADER_SIZE;
if (c->rleoffset + c->rlelength > c->bufsize) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
}
/* row decompression */ /* row decompression */
if (c->bpc ==1) { if (c->bpc ==1) {
if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands)) if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))