From 44286ba3c9bfa6ed565d11bd61460d8ec215e1ea Mon Sep 17 00:00:00 2001 From: wiredfool Date: Sun, 30 Nov 2014 23:31:29 -0800 Subject: [PATCH 1/5] Fix for zlib.decompression bomb in iTXt,zTXt, and iCCP chunks --- PIL/PngImagePlugin.py | 13 ++++++++++--- Tests/check_png_dos.py | 24 ++++++++++++++++++++++++ Tests/images/png_decompression_dos.png | Bin 0 -> 6289 bytes 3 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 Tests/check_png_dos.py create mode 100644 Tests/images/png_decompression_dos.png diff --git a/PIL/PngImagePlugin.py b/PIL/PngImagePlugin.py index 8403461be..514b76f14 100644 --- a/PIL/PngImagePlugin.py +++ b/PIL/PngImagePlugin.py @@ -72,6 +72,13 @@ _MODES = { _simple_palette = re.compile(b'^\xff+\x00\xff*$') +def _safe_zlib_decompress(s): + dobj = zlib.decompressobj() + plaintext = dobj.decompress(s, ImageFile.SAFEBLOCK) + if dobj.unconsumed_tail: + raise ValueError("Decompressed Data Too Large") + return plaintext + # -------------------------------------------------------------------- # Support classes. Suitable for PNG and related formats like MNG etc. @@ -278,7 +285,7 @@ class PngStream(ChunkStream): raise SyntaxError("Unknown compression method %s in iCCP chunk" % comp_method) try: - icc_profile = zlib.decompress(s[i+2:]) + icc_profile = _safe_zlib_decompress(s[i+2:]) except zlib.error: icc_profile = None # FIXME self.im_info["icc_profile"] = icc_profile @@ -391,7 +398,7 @@ class PngStream(ChunkStream): raise SyntaxError("Unknown compression method %s in zTXt chunk" % comp_method) try: - v = zlib.decompress(v[1:]) + v = _safe_zlib_decompress(v[1:]) except zlib.error: v = b"" @@ -421,7 +428,7 @@ class PngStream(ChunkStream): if cf != 0: if cm == 0: try: - v = zlib.decompress(v) + v = _safe_zlib_decompress(v) except zlib.error: return s else: diff --git a/Tests/check_png_dos.py b/Tests/check_png_dos.py new file mode 100644 index 000000000..4e9b76537 --- /dev/null +++ b/Tests/check_png_dos.py 
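Review bot: `_safe_zlib_decompress` (first hunk of PIL/PngImagePlugin.py) has no docstring, and two of its behaviours are not obvious at the call sites. It raises ValueError when input remains after the output cap is reached, which the `except zlib.error` handlers in the iCCP, zTXt and iTXt hunks do not catch, so an oversized chunk aborts parsing instead of falling back to `None` or `b""`. Unlike `zlib.decompress`, it also appears to return partial output for a truncated stream rather than raising. I would add a docstring along the lines of `"""Decompress s, capping output at ImageFile.SAFEBLOCK bytes; raise ValueError (deliberately not zlib.error) if input remains once the cap is hit."""`. The iCCP call also places ICC profiles under the same cap as text chunks, which deserves a comment at that call since a profile is not text.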
@@ -0,0 +1,24 @@ +from helper import unittest, PillowTestCase +import sys +from PIL import Image +from io import BytesIO + +test_file = "Tests/images/png_decompression_dos.png" + +@unittest.skipIf(sys.platform.startswith('win32'), "requires Unix or MacOS") +class TestPngDos(PillowTestCase): + + def test_dos_text(self): + + try: + im = Image.open(test_file) + im.load() + except ValueError as msg: + self.assert_(msg, "Decompressed Data Too Large") + return + + for s in im.text.values(): + self.assert_(len(s) < 1024*1024, "Text chunk larger than 1M") + +if __name__ == '__main__': + unittest.main() diff --git a/Tests/images/png_decompression_dos.png b/Tests/images/png_decompression_dos.png new file mode 100644 index 0000000000000000000000000000000000000000..986561b2e78e76e92e0a8b07886dc26f6444257b GIT binary patch literal 6289 zcmeAS@N?(olHy`uVBq!ia0vp^j3CSbBp9sfW`{B`aPU=yM3f|DrW-OaRLpsM&=92H z&;qa5^Uq1xIe<8$U^E0qLtr!nMnhmU1V%$(c!xj@@8mO4jE~Ov%|>b&7>%|JhIg!w z`ffA?MnhmU1V%$(Gz4&k0HkHWQYFiY)G{z0Z5iMSuTk;Q5Eu=C(GVC7fzc2c-XQ>K p8N9c+xC7`9Q7kcv6U2|zXz1Ea_KC51p1gQu&X%Q~loCIE&GIWYhL literal 0 HcmV?d00001 From b73c4b9e8b4f7bee3ca64ea5524fbf233ac42617 Mon Sep 17 00:00:00 2001 From: wiredfool Date: Sun, 28 Dec 2014 22:34:13 -0800 Subject: [PATCH 2/5] Test change -- different representation for invalid compressed object --- Tests/test_file_png.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tests/test_file_png.py b/Tests/test_file_png.py index 7a43414eb..b556199f5 100644 --- a/Tests/test_file_png.py +++ b/Tests/test_file_png.py @@ -153,7 +153,7 @@ class TestFilePng(PillowTestCase): im = load(HEAD + chunk(b'iTXt', b'spam\0\1\0en\0Spam\0' + zlib.compress(b"egg")[:1]) + TAIL) - self.assertEqual(im.info, {}) + self.assertEqual(im.info, {'spam':''}) im = load(HEAD + chunk(b'iTXt', b'spam\0\1\1en\0Spam\0' + zlib.compress(b"egg")) + TAIL) From 0b75526ffe41a4697231beb8b5740617c98f290b Mon Sep 17 00:00:00 2001 
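Review bot: In `test_dos_text` the assertion in the `except ValueError` branch cannot fail, because `self.assert_(msg, "Decompressed Data Too Large")` only checks that the exception object is truthy and uses the string as the failure message. Comparing the text, e.g. `self.assertEqual(str(msg), "Decompressed Data Too Large")`, would pin the guard's error. The test also passes whether or not ValueError is raised, so it does not establish which path the sample file takes. The `assertTrue(msg, ...)` form in the later style-cleanup patch has the same gap.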
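Review bot: The new expectation `{'spam':''}` in Tests/test_file_png.py records a behaviour change for truncated data, not only a different representation. A one-byte zlib stream presumably used to take the `except zlib.error` path and leave `im.info` empty, and it now yields a key with an empty value. A comment above the assertion such as `# truncated stream: decompressobj returns no data instead of raising` would make that explicit. If silently accepting truncated chunks is not wanted, the helper needs a completeness check, which this series does not add. The enclosing test method starts and ends outside the hunk.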
From: wiredfool Date: Mon, 29 Dec 2014 17:10:27 -0800 Subject: [PATCH 3/5] Limit total text chunk size to 64k --- PIL/PngImagePlugin.py | 23 +++++++++++++++++++++-- Tests/check_png_dos.py | 30 +++++++++++++++++++++++++++--- 2 files changed, 48 insertions(+), 5 deletions(-) diff --git a/PIL/PngImagePlugin.py b/PIL/PngImagePlugin.py index 514b76f14..7a9becd3b 100644 --- a/PIL/PngImagePlugin.py +++ b/PIL/PngImagePlugin.py @@ -72,9 +72,15 @@ _MODES = { _simple_palette = re.compile(b'^\xff+\x00\xff*$') +# Maximum decompressed size for a iTXt or zTXt chunk. +# Eliminates decompression bombs where compressed chunks can expand 1000x +MAX_TEXT_CHUNK = ImageFile.SAFEBLOCK +# Set the maximum total text chunk size. +MAX_TEXT_MEMORY = 64 * MAX_TEXT_CHUNK + def _safe_zlib_decompress(s): dobj = zlib.decompressobj() - plaintext = dobj.decompress(s, ImageFile.SAFEBLOCK) + plaintext = dobj.decompress(s, MAX_TEXT_CHUNK) if dobj.unconsumed_tail: raise ValueError("Decompressed Data Too Large") return plaintext @@ -267,6 +273,14 @@ class PngStream(ChunkStream): self.im_tile = None self.im_palette = None + self.text_memory = 0 + + def check_text_memory(self, chunklen): + self.text_memory += chunklen + if self.text_memory > MAX_TEXT_MEMORY: + raise ValueError("Too much memory used in text chunks: %s>MAX_TEXT_MEMORY" % + self.text_memory) + def chunk_iCCP(self, pos, length): # ICC profile @@ -379,6 +393,8 @@ class PngStream(ChunkStream): v = v.decode('latin-1', 'replace') self.im_info[k] = self.im_text[k] = v + self.check_text_memory(len(v)) + return s def chunk_zTXt(self, pos, length): @@ -408,6 +424,8 @@ class PngStream(ChunkStream): v = v.decode('latin-1', 'replace') self.im_info[k] = self.im_text[k] = v + self.check_text_memory(len(v)) + return s def chunk_iTXt(self, pos, length): @@ -443,7 +461,8 @@ class PngStream(ChunkStream): return s self.im_info[k] = self.im_text[k] = iTXt(v, lang, tk) - + self.check_text_memory(len(v)) + return s 
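Review bot: `check_text_memory` has no docstring, and its error text prints the literal `MAX_TEXT_MEMORY` rather than the limit; `"Too much memory used in text chunks: %s > %s" % (self.text_memory, MAX_TEXT_MEMORY)` is more useful in logs and still matches the test's substring check. In the tEXt, zTXt and iTXt hunks the call comes after the value is stored in `im_info`/`im_text` and counts `len(v)` of the stored value, so once decoded the budget is in characters rather than bytes and keys are not counted, which the docstring should state. The comment on `MAX_TEXT_CHUNK` names only iTXt and zTXt, but the helper that uses it also serves iCCP. The commit subject says 64k while the constant is `64 * MAX_TEXT_CHUNK`, which the documentation patch describes as 64MB.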
diff --git a/Tests/check_png_dos.py b/Tests/check_png_dos.py index 4e9b76537..8f974d293 100644 --- a/Tests/check_png_dos.py +++ b/Tests/check_png_dos.py @@ -1,13 +1,12 @@ from helper import unittest, PillowTestCase import sys -from PIL import Image +from PIL import Image, PngImagePlugin from io import BytesIO +import zlib test_file = "Tests/images/png_decompression_dos.png" -@unittest.skipIf(sys.platform.startswith('win32'), "requires Unix or MacOS") class TestPngDos(PillowTestCase): - def test_dos_text(self): try: @@ -20,5 +19,30 @@ class TestPngDos(PillowTestCase): for s in im.text.values(): self.assert_(len(s) < 1024*1024, "Text chunk larger than 1M") + def test_dos_total_memory(self): + im = Image.new('L',(1,1)) + compressed_data = zlib.compress('a'*1024*1023) + + info = PngImagePlugin.PngInfo() + + for x in range(64): + info.add_text('t%s'%x, compressed_data, 1) + info.add_itxt('i%s'%x, compressed_data, zip=True) + + b = BytesIO() + im.save(b, 'PNG', pnginfo=info) + b.seek(0) + + try: + im2 = Image.open(b) + except ValueError as msg: + self.assert_("Too much memory" in msg) + return + + total_len = 0 + for txt in im2.text.values(): + total_len += len(txt) + self.assert_(total_len < 64*1024*1024) + if __name__ == '__main__': unittest.main() From 6696b780e3b38672106c12be12e82f195c93b71a Mon Sep 17 00:00:00 2001 From: wiredfool Date: Tue, 30 Dec 2014 16:57:24 -0800 Subject: [PATCH 4/5] Test style cleanup --- Tests/check_png_dos.py | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/Tests/check_png_dos.py b/Tests/check_png_dos.py index 8f974d293..c74990a8c 100644 --- a/Tests/check_png_dos.py +++ b/Tests/check_png_dos.py 
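Review bot: `test_dos_total_memory` does not appear to reach the limit it is meant to test, because `compressed_data` is already zlib output and `add_text(..., 1)` / `add_itxt(..., zip=True)` compress it again, so each chunk presumably decompresses to the small compressed blob rather than to the ~1 MB run. Building `data = b'a' * 1024 * 1023` and passing `data` uncompressed to both calls would push the total over `MAX_TEXT_MEMORY`; the current `'a'*1024*1023` str argument to `zlib.compress` would also fail on Python 3. In the `except` branch `"Too much memory" in msg` tests membership on the exception object, so `str(msg)` is needed there, and the same applies to `assertIn("Too much memory", msg)` in the later style-cleanup patch. As in `test_dos_text`, the test passes on either path, so a regression that disables the check would go unnoticed.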
@@ -1,23 +1,22 @@ from helper import unittest, PillowTestCase -import sys from PIL import Image, PngImagePlugin from io import BytesIO import zlib -test_file = "Tests/images/png_decompression_dos.png" +TEST_FILE = "Tests/images/png_decompression_dos.png" class TestPngDos(PillowTestCase): def test_dos_text(self): try: - im = Image.open(test_file) + im = Image.open(TEST_FILE) im.load() except ValueError as msg: - self.assert_(msg, "Decompressed Data Too Large") + self.assertTrue(msg, "Decompressed Data Too Large") return for s in im.text.values(): - self.assert_(len(s) < 1024*1024, "Text chunk larger than 1M") + self.assertLess(len(s), 1024*1024, "Text chunk larger than 1M") def test_dos_total_memory(self): im = Image.new('L',(1,1)) @@ -36,13 +35,13 @@ class TestPngDos(PillowTestCase): try: im2 = Image.open(b) except ValueError as msg: - self.assert_("Too much memory" in msg) + self.assertIn("Too much memory", msg) return total_len = 0 for txt in im2.text.values(): total_len += len(txt) - self.assert_(total_len < 64*1024*1024) + self.assertLess(total_len, 64*1024*1024, "Total text chunks greater than 64M") if __name__ == '__main__': unittest.main() From a59eb3975f9efb1ca88a7e823011ac0968d7d6ea Mon Sep 17 00:00:00 2001 From: wiredfool Date: Tue, 30 Dec 2014 17:06:38 -0800 Subject: [PATCH 5/5] Documentation Update for PNG zlib DOS --- docs/handbook/image-file-formats.rst | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/handbook/image-file-formats.rst b/docs/handbook/image-file-formats.rst index f9216818d..f8db2660f 100644 --- a/docs/handbook/image-file-formats.rst +++ b/docs/handbook/image-file-formats.rst 
@@ -333,7 +333,12 @@ The :py:meth:`~PIL.Image.Image.open` method sets the following transparent palette image. ``Open`` also sets ``Image.text`` to a list of the values of the -``tEXt``, ``zTXt``, and ``iTXt`` chunks of the PNG image. +``tEXt``, ``zTXt``, and ``iTXt`` chunks of the PNG image. Individual +compressed chunks are limited to a decompressed size of +``PngImagePlugin.MAX_TEXT_CHUNK``, by default 1MB, to prevent +decompression bombs. Additionally, the total size of all of the text +chunks is limited to ``PngImagePlugin.MAX_TEXT_MEMORY``, defaulting to +64MB. The :py:meth:`~PIL.Image.Image.save` method supports the following options: