python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-01-13 10:46:16 +03:00
Code Issues Packages Projects Releases Wiki Activity

Overflow checks for realloc for tiff decoding

Browse Source
This commit is contained in:
Andrew Murray 2020-01-01 16:38:37 +11:00
parent be44f0d992
commit b9c68540dc
3 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Tests/images/tiff_overflow_rows_per_strip.tif Normal file
View File

Binary file not shown.

10
Tests/test_file_libtiff.py
View File

@ -841,3 +841,13 @@ class TestFileLibTiff(LibTiffTestCase):
out.seek(0) out.seek(0)
with Image.open(out) as im: with Image.open(out) as im:
im.load() im.load()
def test_realloc_overflow(self):
TiffImagePlugin.READ_LIBTIFF = True
with Image.open("Tests/images/tiff_overflow_rows_per_strip.tif") as im:
with self.assertRaises(IOError) as e:
im.load()
# Assert that the error code is IMAGING_CODEC_MEMORY
self.assertEqual(str(e.exception), "-9")
TiffImagePlugin.READ_LIBTIFF = False

17
src/libImaging/TiffDecode.c
View File

@ -353,16 +353,18 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
// We could use TIFFTileSize, but for YCbCr data it returns subsampled data size // We could use TIFFTileSize, but for YCbCr data it returns subsampled data size
row_byte_size = (tile_width * state->bits + 7) / 8; row_byte_size = (tile_width * state->bits + 7) / 8;
state->bytes = row_byte_size * tile_length;
/* overflow check for malloc */ /* overflow check for realloc */
if (state->bytes > INT_MAX - 1) { if (INT_MAX / row_byte_size < tile_length) {
state->errcode = IMAGING_CODEC_MEMORY; state->errcode = IMAGING_CODEC_MEMORY;
TIFFClose(tiff); TIFFClose(tiff);
return -1; return -1;
} }
state->bytes = row_byte_size * tile_length;
/* realloc to fit whole tile */ /* realloc to fit whole tile */
/* malloc check above */
new_data = realloc (state->buffer, state->bytes); new_data = realloc (state->buffer, state->bytes);
if (!new_data) { if (!new_data) {
state->errcode = IMAGING_CODEC_MEMORY; state->errcode = IMAGING_CODEC_MEMORY;
@ -415,11 +417,20 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
// We could use TIFFStripSize, but for YCbCr data it returns subsampled data size // We could use TIFFStripSize, but for YCbCr data it returns subsampled data size
row_byte_size = (state->xsize * state->bits + 7) / 8; row_byte_size = (state->xsize * state->bits + 7) / 8;
/* overflow check for realloc */
if (INT_MAX / row_byte_size < rows_per_strip) {
state->errcode = IMAGING_CODEC_MEMORY;
TIFFClose(tiff);
return -1;
}
state->bytes = rows_per_strip * row_byte_size; state->bytes = rows_per_strip * row_byte_size;
TRACE(("StripSize: %d \n", state->bytes)); TRACE(("StripSize: %d \n", state->bytes));
/* realloc to fit whole strip */ /* realloc to fit whole strip */
/* malloc check above */
new_data = realloc (state->buffer, state->bytes); new_data = realloc (state->buffer, state->bytes);
if (!new_data) { if (!new_data) {
state->errcode = IMAGING_CODEC_MEMORY; state->errcode = IMAGING_CODEC_MEMORY;