python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2024-12-26 01:46:18 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix Memory DOS in ImageFont

Browse Source 
* A corrupt or specially crafted TTF font could have font metrics that
  lead to unreasonably large sizes when rendering text in
  font. ImageFont.py did not check the image size before allocating
  memory for it.
* Found with oss-fuzz
* This dates from the PIL fork
This commit is contained in:
Eric Soroos 2021-03-14 23:26:28 +01:00 committed by Hugo van Kemenade
parent bb6c11fb88
commit ba65f0b08e
3 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Tests/fonts/oom-e8e927ba6c0d38274a37c1567560eb33baf74627.ttf Normal file
View File

Binary file not shown.

13
Tests/test_imagefont.py
View File

@ -997,3 +997,16 @@ def test_freetype_deprecation(monkeypatch):
# Act / Assert
with pytest.warns(DeprecationWarning):
ImageFont.truetype(FONT_PATH, FONT_SIZE)
@pytest.mark.parametrize(
"test_file",
[
"Tests/fonts/oom-e8e927ba6c0d38274a37c1567560eb33baf74627.ttf",
],
)
def test_oom(test_file):
with open(test_file, "rb") as f:
font = ImageFont.truetype(BytesIO(f.read()))
with pytest.raises(Image.DecompressionBombError):
font.getmask("Test Text")

1
src/PIL/ImageFont.py
View File

@ -669,6 +669,7 @@ class FreeTypeFont:
)
size = size[0] + stroke_width * 2, size[1] + stroke_width * 2
offset = offset[0] - stroke_width, offset[1] - stroke_width
Image._decompression_bomb_check(size)
im = fill("RGBA" if mode == "RGBA" else "L", size, 0)
self.font.render(
text, im.id, mode, direction, features, language, stroke_width, ink