mirror of
https://github.com/python-pillow/Pillow.git
synced 2025-01-26 17:24:31 +03:00
Fix FLI DOS -- CVE-2021-28676
* FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. * This dates to the PIL Fork * Found with oss-fuzz
parent
5a5e6db0ab
commit
bb6c11fb88
Binary file not shown.
Binary file not shown.
|
@ -123,3 +123,18 @@ def test_seek():
|
|||
im.seek(50)
|
||||
|
||||
assert_image_equal_tofile(im, "Tests/images/a_fli.png")
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
"test_file",
|
||||
[
|
||||
"Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli",
|
||||
"Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli",
|
||||
],
|
||||
)
|
||||
@pytest.mark.timeout(timeout=3)
|
||||
def test_timeouts(test_file):
|
||||
with open(test_file, "rb") as f:
|
||||
with Image.open(f) as im:
|
||||
with pytest.raises(OSError):
|
||||
im.load()
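Review bot: test_timeouts only fails fast on a regression if the `timeout` mark is actually enforced. `@pytest.mark.timeout(timeout=3)` is provided by the pytest-timeout plugin, so in an environment without it the mark does nothing and a reintroduced infinite loop would hang the run instead of failing it. I would add a comment above the decorator such as `# needs pytest-timeout: without the plugin a decoder regression hangs here instead of failing`, and make sure the plugin is listed in the test requirements. The bare `pytest.raises(OSError)` also accepts any load error, so the test does not show that the two files are rejected by the new zero-advance check rather than by an earlier one.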
|
||||
|
|
|
@ -243,6 +243,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t byt
|
|||
return -1;
|
||||
}
|
||||
advance = I32(ptr);
|
||||
if (advance == 0 ) {
|
||||
// If there's no advance, we're in in infinite loop
|
||||
state->errcode = IMAGING_CODEC_BROKEN;
|
||||
return -1;
|
||||
}
|
||||
if (advance < 0 || advance > bytes) {
|
||||
state->errcode = IMAGING_CODEC_OVERRUN;
|
||||
return -1;
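Review bot: The new guard rejects only `advance == 0`, so a very small positive value still passes both checks, even though `I32(ptr)` has just consumed a four-byte size field at `ptr`. If the loop outside this hunk steps with `ptr += advance`, the next chunk header would then be read from bytes overlapping the current one. That still terminates, but it parses file-controlled data at an offset the format never intended. Consider a lower bound after the negative check, e.g. `if (advance < 4) {` (4 is only the width of the size field; substitute the real chunk-header size). Separately, the comment and condition have small slips; I would write `// If there's no advance, we're in an infinite loop` and `if (advance == 0) {`. ImagingFliDecode starts and ends outside the hunk.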
|
||||
|
|