Fix FLI DOS -- CVE-2021-28676

* FliDecode did not properly check that the block advance was
  non-zero, potentially leading to an infinite loop on load.
* This dates to the PIL Fork
* Found with oss-fuzz
This commit is contained in:
Eric Soroos 2021-03-11 22:12:35 +01:00 committed by Hugo van Kemenade
parent 5a5e6db0ab
commit bb6c11fb88
4 changed files with 20 additions and 0 deletions


@ -123,3 +123,18 @@ def test_seek():
im.seek(50) im.seek(50)
assert_image_equal_tofile(im, "Tests/images/a_fli.png") assert_image_equal_tofile(im, "Tests/images/a_fli.png")
@pytest.mark.parametrize(
"test_file",
[
"Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli",
"Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli",
],
)
@pytest.mark.timeout(timeout=3)
def test_timeouts(test_file):
with open(test_file, "rb") as f:
with Image.open(f) as im:
with pytest.raises(OSError):
im.load()
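Review bot: `test_timeouts` carries no docstring, so a reader who finds the two timeout-*.fli regression images has nothing tying them to the zero-advance defect this commit fixes; suggest `"""Regression for CVE-2021-28676: a FLI chunk with a zero advance must fail with OSError rather than loop forever."""` as the first line of the body. The `@pytest.mark.timeout(timeout=3)` marker presumably comes from the pytest-timeout plugin; without that plugin the marker is inert and a regression would hang the run instead of failing it, so the plugin is worth confirming in the test requirements. The rendered page has dropped indentation, so the nesting of the three `with` statements cannot be checked here.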


@ -243,6 +243,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t byt
return -1; return -1;
} }
advance = I32(ptr); advance = I32(ptr);
if (advance == 0 ) {
// If there's no advance, we're in in infinite loop
state->errcode = IMAGING_CODEC_BROKEN;
return -1;
}
if (advance < 0 || advance > bytes) { if (advance < 0 || advance > bytes) {
state->errcode = IMAGING_CODEC_OVERRUN; state->errcode = IMAGING_CODEC_OVERRUN;
return -1; return -1;
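Review bot: The comment on the new branch reads `// If there's no advance, we're in in infinite loop` — the doubled "in" aside, it should say why the value is rejected rather than just restate the symptom; suggest `// A zero chunk advance never moves ptr forward, so the decode loop would spin on the same chunk forever; treat it as a broken stream.` The condition also has a stray space before the closing parenthesis (`advance == 0 )`), which the adjacent `if (advance < 0 || advance > bytes)` does not use; `if (advance == 0) {`. ImagingFliDecode begins and ends outside the hunk.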