Map.c overflow fixes

2025-01-11 17:56:18 +03:00 · 2016-09-29 07:05:00 -07:00 · 2016-09-29 07:05:00 -07:00 · c50ebe6459
commit c50ebe6459
parent 5d8a0be45a
3 changed files with 35 additions and 0 deletions
--- a/Tests/images/l2rgb_read.bmp
+++ b/Tests/images/l2rgb_read.bmp
--- a/Tests/test_map.py
+++ b/Tests/test_map.py
@ -0,0 +1,25 @@
+from helper import PillowTestCase, unittest
+
+from PIL import Image
+
+class TestMap(PillowTestCase):
+    def test_overflow(self):
+        # There is the potential to overflow comparisons in map.c
+        # if there are > SIZE_MAX bytes in the image or if
+        # the file encodes an offset that makes
+        # (offset + size(bytes)) > SIZE_MAX
+
+        # Note that this image triggers the decompression bomb warning:
+        max_pixels = Image.MAX_IMAGE_PIXELS
+        Image.MAX_IMAGE_PIXELS = None
+
+        # This image hits the offset test.
+        im = Image.open('Tests/images/l2rgb_read.bmp')
+        with self.assertRaises((ValueError, MemoryError)):
+            im.load()
+
+        Image.MAX_IMAGE_PIXELS = max_pixels
+
+
+if __name__ == '__main__':
+    unittest.main()
--- a/map.c
+++ b/map.c
@ -342,8 +342,18 @@ PyImaging_MapBuffer(PyObject* self, PyObject* args)
            stride = xsize * 4;
    }

+    if (ysize > INT_MAX / stride) {
+        PyErr_SetString(PyExc_MemoryError, "Integer overflow in ysize");
+        return NULL;
+    }
+
    size = (Py_ssize_t) ysize * stride;

+    if (offset > SIZE_MAX - size) {
+        PyErr_SetString(PyExc_MemoryError, "Integer overflow in offset");
+        return NULL;
+    }        
+
    /* check buffer size */
    if (PyImaging_GetBuffer(target, &view) < 0)
        return NULL;