Catch SGI buffer overruns

This commit is contained in:
Andrew Murray 2020-01-01 14:16:45 +11:00
parent 8f0c8f7311
commit be44f0d992
4 changed files with 19 additions and 6 deletions




@ -593,6 +593,8 @@ class TestImage(PillowTestCase):
for file in [ for file in [
"fli_overrun.bin", "fli_overrun.bin",
"sgi_overrun.bin", "sgi_overrun.bin",
"sgi_overrun_expandrow.bin",
"sgi_overrun_expandrow2.bin",
"pcx_overrun.bin", "pcx_overrun.bin",
"pcx_overrun2.bin", "pcx_overrun2.bin",
]: ]:


@ -25,7 +25,7 @@ static void read4B(UINT32* dest, UINT8* buf)
*dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]); *dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
} }
static int expandrow(UINT8* dest, UINT8* src, int n, int z) static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
{ {
UINT8 pixel, count; UINT8 pixel, count;
@ -37,6 +37,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
count = pixel & RLE_MAX_RUN; count = pixel & RLE_MAX_RUN;
if (!count) if (!count)
return count; return count;
if (count > xsize) {
return -1;
}
if (pixel & RLE_COPY_FLAG) { if (pixel & RLE_COPY_FLAG) {
while(count--) { while(count--) {
*dest = *src++; *dest = *src++;
@ -56,7 +59,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
return 0; return 0;
} }
static int expandrow2(UINT8* dest, const UINT8* src, int n, int z) static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize)
{ {
UINT8 pixel, count; UINT8 pixel, count;
@ -70,6 +73,9 @@ static int expandrow2(UINT8* dest, const UINT8* src, int n, int z)
count = pixel & RLE_MAX_RUN; count = pixel & RLE_MAX_RUN;
if (!count) if (!count)
return count; return count;
if (count > xsize) {
return -1;
}
if (pixel & RLE_COPY_FLAG) { if (pixel & RLE_COPY_FLAG) {
while(count--) { while(count--) {
memcpy(dest, src, 2); memcpy(dest, src, 2);
@ -96,6 +102,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
UINT8 *ptr; UINT8 *ptr;
SGISTATE *c; SGISTATE *c;
int err = 0; int err = 0;
int status;
/* Get all data from File descriptor */ /* Get all data from File descriptor */
c = (SGISTATE*)state->context; c = (SGISTATE*)state->context;
@ -164,12 +171,16 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
/* row decompression */ /* row decompression */
if (c->bpc ==1) { if (c->bpc ==1) {
if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands)) status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
goto sgi_finish_decode;
} }
else { else {
if(expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands)) status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
goto sgi_finish_decode; }
if (status == -1) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
} else if (status == 1) {
goto sgi_finish_decode;
} }
state->count += c->rlelength; state->count += c->rlelength;
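Review bot: The new `count > xsize` guards in `expandrow` and `expandrow2` bound each RLE run on its own, not the row as a whole: every run writes `count` pixels into `dest` in the `while(count--)` loops, and the function evidently walks several runs per call (its loop begins outside the hunk), so a series of runs that are each ≤ xsize can still write past the end of the row in `state->buffer`. Track the position within the row instead — declare `int x = 0;` with the other locals and replace the check in both functions with `if (x + count > xsize) { return -1; } x += count;`. The copies also read `*src++` and `memcpy(dest, src, 2)` with no end-of-input bound; `c->rlelength` is the only length handed down, so a caller-supplied end pointer compared against `src` before each run is presumably needed as well — confirm against the decode loop, which continues outside the hunk. A one-line comment on the added parameter, `/* xsize: pixels per output row; the runs of one call must fit within it */`, would make the contract clear to the next reader.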