mirror of
https://github.com/python-pillow/Pillow.git
synced 2025-01-13 18:56:17 +03:00
Fix FLI DOS -- CVE-2021-28676
* FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
* This dates to the PIL Fork
* Found with oss-fuzz
parent
5a5e6db0ab
commit
bb6c11fb88
Binary file not shown.
Binary file not shown.
|
@ -123,3 +123,18 @@ def test_seek():
|
||||||
im.seek(50)
|
im.seek(50)
|
||||||
|
|
||||||
assert_image_equal_tofile(im, "Tests/images/a_fli.png")
|
assert_image_equal_tofile(im, "Tests/images/a_fli.png")
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.parametrize(
|
||||||
|
"test_file",
|
||||||
|
[
|
||||||
|
"Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli",
|
||||||
|
"Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli",
|
||||||
|
],
|
||||||
|
)
|
||||||
|
@pytest.mark.timeout(timeout=3)
|
||||||
|
def test_timeouts(test_file):
|
||||||
|
with open(test_file, "rb") as f:
|
||||||
|
with Image.open(f) as im:
|
||||||
|
with pytest.raises(OSError):
|
||||||
|
im.load()
|
||||||
|
|
|
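Review bot: The 3-second limit on `test_timeouts` comes from `@pytest.mark.timeout(timeout=3)`, which is only enforced when the pytest-timeout plugin is installed. Without the plugin the mark is ignored, so a regression of the infinite loop would hang the run rather than fail it. Whether the plugin is a declared test dependency is not visible from this hunk and is worth confirming. The test would also benefit from a short comment tying it to the fix, for example `# CVE-2021-28676: these files used to make load() spin forever in the FLI decoder`.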
@ -243,6 +243,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t byt
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
advance = I32(ptr);
|
advance = I32(ptr);
|
||||||
|
if (advance == 0 ) {
|
||||||
|
// If there's no advance, we're in in infinite loop
|
||||||
|
state->errcode = IMAGING_CODEC_BROKEN;
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
if (advance < 0 || advance > bytes) {
|
if (advance < 0 || advance > bytes) {
|
||||||
state->errcode = IMAGING_CODEC_OVERRUN;
|
state->errcode = IMAGING_CODEC_OVERRUN;
|
||||||
return -1;
|
return -1;
|
||||||
|
|
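Review bot: The comment on the new `advance == 0` guard has a doubled word ("in in") and does not say why zero is fatal. Something like `// A zero advance never moves ptr forward, so the chunk loop would not terminate` reads better, and `if (advance == 0) {` drops the stray space before the parenthesis. The loop that consumes `advance` lies outside this hunk, so that wording assumes it steps `ptr` by that amount. If a chunk size smaller than the chunk's own header is also invalid for this format, a lower bound here would reject those files too; that needs checking against the rest of ImagingFliDecode.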