Fix FLI DOS -- CVE-2021-28676

* FliDecode did not properly check that the block advance was non-zero, potentally leading to an infinite loop on load. * This dates to the PIL Fork * Found with oss-fuzz
2025-11-04 09:57:43 +03:00 · 2021-03-11 22:12:35 +01:00 · 2021-03-11 22:12:35 +01:00 · bb6c11fb88
commit bb6c11fb88
parent 5a5e6db0ab
4 changed files with 20 additions and 0 deletions
--- a/Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli
+++ b/Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli
--- a/Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli
+++ b/Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli
--- a/Tests/test_file_fli.py
+++ b/Tests/test_file_fli.py
@ -123,3 +123,18 @@ def test_seek():
        im.seek(50)

        assert_image_equal_tofile(im, "Tests/images/a_fli.png")
+
+
+@pytest.mark.parametrize(
+    "test_file",
+    [
+        "Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli",
+        "Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli",
+    ],
+)
+@pytest.mark.timeout(timeout=3)
+def test_timeouts(test_file):
+    with open(test_file, "rb") as f:
+        with Image.open(f) as im:
+            with pytest.raises(OSError):
+                im.load()
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@ -243,6 +243,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t byt
                return -1;
        }
        advance = I32(ptr);
+        if (advance == 0 ) {
+            // If there's no advance, we're in in infinite loop
+            state->errcode = IMAGING_CODEC_BROKEN;
+            return -1;
+        }
        if (advance < 0 || advance > bytes) {
            state->errcode = IMAGING_CODEC_OVERRUN;
            return -1;