Merge pull request #4101 from radarhere/negative_seek

Corrected negative seeks
This commit is contained in:
Andrew Murray 2019-09-30 19:29:54 +10:00 committed by GitHub
commit b36c1bc943
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 30 additions and 4 deletions

Binary file not shown.

Binary file not shown.

View File

@ -87,3 +87,12 @@ class TestImagePsd(PillowTestCase):
im = Image.open("Tests/images/hopper_merged.psd")
self.assertNotIn("icc_profile", im.info)
def test_combined_larger_than_size(self):
# The 'combined' sizes of the individual parts is larger than the
# declared 'size' of the extra data field, resulting in a backwards seek.
# If we instead take the 'size' of the extra data field as the source of truth,
# then the seek can't be negative
with self.assertRaises(IOError):
Image.open("Tests/images/combined_larger_than_size.psd")

View File

@ -103,6 +103,14 @@ class TestImageFile(PillowTestCase):
parser = ImageFile.Parser()
parser.feed(1)
def test_negative_stride(self):
with open("Tests/images/raw_negative_stride.bin", "rb") as f:
input = f.read()
p = ImageFile.Parser()
p.feed(input)
with self.assertRaises(IOError):
p.close()
def test_truncated_with_errors(self):
if "zip_encoder" not in codecs:
self.skipTest("PNG (zlib) encoder not available")

View File

@ -224,9 +224,11 @@ def _layerinfo(file):
# skip over blend flags and extra information
read(12) # filler
name = ""
size = i32(read(4))
size = i32(read(4)) # length of the extra data field
combined = 0
if size:
data_end = file.tell() + size
length = i32(read(4))
if length:
file.seek(length - 16, io.SEEK_CUR)
@ -244,7 +246,7 @@ def _layerinfo(file):
name = read(length).decode("latin-1", "replace")
combined += length + 1
file.seek(size - combined, io.SEEK_CUR)
file.seek(data_end)
layers.append((name, mode, (x0, y0, x1, y1)))
# get tiles

View File

@ -33,8 +33,15 @@ ImagingRawDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
/* get size of image data and padding */
state->bytes = (state->xsize * state->bits + 7) / 8;
rawstate->skip = (rawstate->stride) ?
rawstate->stride - state->bytes : 0;
if (rawstate->stride) {
rawstate->skip = rawstate->stride - state->bytes;
if (rawstate->skip < 0) {
state->errcode = IMAGING_CODEC_CONFIG;
return -1;
}
} else {
rawstate->skip = 0;
}
/* check image orientation */
if (state->ystep < 0) {