python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-01-27 09:44:31 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix OOB Reads in SS2 Chunk

Browse Source
This commit is contained in:
Eric Soroos 2020-03-05 09:11:50 +00:00 committed by Hugo
parent f6926a041b
commit b4e439d6d7
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/libImaging/FliDecode.c
View File

@ -83,10 +83,12 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
break; /* ignored; handled by Python code */ break; /* ignored; handled by Python code */
case 7: case 7:
/* FLI SS2 chunk (word delta) */ /* FLI SS2 chunk (word delta) */
/* OOB ok, we've got 10 bytes min on entry */
lines = I16(data); data += 2; lines = I16(data); data += 2;
for (l = y = 0; l < lines && y < state->ysize; l++, y++) { for (l = y = 0; l < lines && y < state->ysize; l++, y++) {
UINT8* buf = (UINT8*) im->image[y]; UINT8* buf = (UINT8*) im->image[y];
int p, packets; int p, packets;
ERR_IF_DATA_OOB(2)
packets = I16(data); data += 2; packets = I16(data); data += 2;
while (packets & 0x8000) { while (packets & 0x8000) {
/* flag word */ /* flag word */
@ -101,11 +103,14 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
/* store last byte (used if line width is odd) */ /* store last byte (used if line width is odd) */
buf[state->xsize-1] = (UINT8) packets; buf[state->xsize-1] = (UINT8) packets;
} }
ERR_IF_DATA_OOB(2)
packets = I16(data); data += 2; packets = I16(data); data += 2;
} }
for (p = x = 0; p < packets; p++) { for (p = x = 0; p < packets; p++) {
ERR_IF_DATA_OOB(2)
x += data[0]; /* pixel skip */ x += data[0]; /* pixel skip */
if (data[1] >= 128) { if (data[1] >= 128) {
ERR_IF_DATA_OOB(4)
i = 256-data[1]; /* run */ i = 256-data[1]; /* run */
if (x + i + i > state->xsize) if (x + i + i > state->xsize)
break; break;
@ -118,6 +123,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
i = 2 * (int) data[1]; /* chunk */ i = 2 * (int) data[1]; /* chunk */
if (x + i > state->xsize) if (x + i > state->xsize)
break; break;
ERR_IF_DATA_OOB(2+i)
memcpy(buf + x, data + 2, i); memcpy(buf + x, data + 2, i);
data += 2 + i; data += 2 + i;
x += i; x += i;