CVE-2020-11538: fix SGI-RLE buffer overflow

Tests/test_sgi_crash.py

@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+import pytest
+from PIL import Image
+
+
+def test_crashes():
+    with open("Tests/images/sgi_crash.bin", "rb") as f:
+        im = Image.open(f)
+        with pytest.raises(IOError):
+            im.load()
+
+
+def test_overrun_crashes():
+    with open("Tests/images/sgi_overrun_expandrowF04.bin", "rb") as f:
+        im = Image.open(f)
+        with pytest.raises(IOError):
+            im.load()

src/libImaging/SgiRleDecode.c

@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf)
 static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
 {
     UINT8 pixel, count;
+    int x = 0;
 
     for (;n > 0; n--)
     {
@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
         count = pixel & RLE_MAX_RUN;
         if (!count)
             return count;
-        if (count > xsize) {
+        if (x + count > xsize) {
             return -1;
         }
+        x += count;
         if (pixel & RLE_COPY_FLAG) {
             while(count--) {
                 *dest = *src++;
@@ -62,6 +64,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
 static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize)
 {
     UINT8 pixel, count;
+    int x = 0;
 
 
     for (;n > 0; n--)
@@ -73,9 +76,10 @@ static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize)
         count = pixel & RLE_MAX_RUN;
         if (!count)
             return count;
-        if (count > xsize) {
+        if (x + count > xsize) {
             return -1;
         }
+        x += count;
         if (pixel & RLE_COPY_FLAG) {
             while(count--) {
                 memcpy(dest, src, 2);