mirror of
https://github.com/python-pillow/Pillow.git
synced 2025-01-26 09:14:27 +03:00
Fix Memory DOS in ImageFont
* A corrupt or specially crafted TTF font could have font metrics that lead to unreasonably large sizes when rendering text in font. ImageFont.py did not check the image size before allocating memory for it.
* Found with oss-fuzz
* This dates from the PIL fork
parent
bb6c11fb88
commit
ba65f0b08e
BIN
Tests/fonts/oom-e8e927ba6c0d38274a37c1567560eb33baf74627.ttf
Normal file
BIN
Tests/fonts/oom-e8e927ba6c0d38274a37c1567560eb33baf74627.ttf
Normal file
Binary file not shown.
|
@ -997,3 +997,16 @@ def test_freetype_deprecation(monkeypatch):
|
|||
# Act / Assert
|
||||
with pytest.warns(DeprecationWarning):
|
||||
ImageFont.truetype(FONT_PATH, FONT_SIZE)
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
"test_file",
|
||||
[
|
||||
"Tests/fonts/oom-e8e927ba6c0d38274a37c1567560eb33baf74627.ttf",
|
||||
],
|
||||
)
|
||||
def test_oom(test_file):
|
||||
with open(test_file, "rb") as f:
|
||||
font = ImageFont.truetype(BytesIO(f.read()))
|
||||
with pytest.raises(Image.DecompressionBombError):
|
||||
font.getmask("Test Text")
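Review bot: `test_oom` passes only while the process-wide `Image.MAX_IMAGE_PIXELS` limit is in force, so a test elsewhere that sets it to `None` and does not restore it would let `font.getmask("Test Text")` attempt the oversized allocation instead of raising. Nothing in the hunk pins that limit; if the suite does not already guarantee it, taking the `monkeypatch` fixture and setting the limit explicitly inside the test would make it self-contained. A one-line comment above the test, such as `# oss-fuzz font whose metrics ask for an oversized mask; must fail before allocation`, would also tell the next reader why the fixture exists.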
|
||||
|
|
|
@ -669,6 +669,7 @@ class FreeTypeFont:
|
|||
)
|
||||
size = size[0] + stroke_width * 2, size[1] + stroke_width * 2
|
||||
offset = offset[0] - stroke_width, offset[1] - stroke_width
|
||||
Image._decompression_bomb_check(size)
|
||||
im = fill("RGBA" if mode == "RGBA" else "L", size, 0)
|
||||
self.font.render(
|
||||
text, im.id, mode, direction, features, language, stroke_width, ink
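Review bot: The added `Image._decompression_bomb_check(size)` bounds the allocation rather than removing it, and the line carries no comment saying so. As far as I know from Pillow's `Image` module, the check raises `DecompressionBombError` only above twice `Image.MAX_IMAGE_PIXELS`, emits just a `DecompressionBombWarning` between one and two times the limit, and returns immediately when the limit is `None`. An application that has disabled the limit to open large images therefore gets no protection on this path when it renders text with an untrusted font. I would add a comment above the call such as `# size comes from font metrics, which an untrusted font controls; refuse oversized masks before fill() allocates`, and state the `MAX_IMAGE_PIXELS` dependency in the ImageFont documentation. The enclosing method starts and ends outside the hunk, so other places that size buffers from font metrics are not visible here.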
|
||||
|
|