python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-02-04 13:40:54 +03:00
Code Issues Packages Projects Releases Wiki Activity

Map.c overflow fixes

Browse Source
This commit is contained in:
wiredfool 2016-09-29 07:05:00 -07:00
parent 5d8a0be45a
commit c50ebe6459
3 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Tests/images/l2rgb_read.bmp Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 B

25
Tests/test_map.py Normal file
View File

@ -0,0 +1,25 @@
from helper import PillowTestCase, unittest
from PIL import Image
class TestMap(PillowTestCase):
def test_overflow(self):
# There is the potential to overflow comparisons in map.c
# if there are > SIZE_MAX bytes in the image or if
# the file encodes an offset that makes
# (offset + size(bytes)) > SIZE_MAX
# Note that this image triggers the decompression bomb warning:
max_pixels = Image.MAX_IMAGE_PIXELS
Image.MAX_IMAGE_PIXELS = None
# This image hits the offset test.
im = Image.open('Tests/images/l2rgb_read.bmp')
with self.assertRaises((ValueError, MemoryError)):
im.load()
Image.MAX_IMAGE_PIXELS = max_pixels
if __name__ == '__main__':
unittest.main()

10
map.c
View File

@ -342,8 +342,18 @@ PyImaging_MapBuffer(PyObject* self, PyObject* args)
stride = xsize * 4; stride = xsize * 4;
} }
if (ysize > INT_MAX / stride) {
PyErr_SetString(PyExc_MemoryError, "Integer overflow in ysize");
return NULL;
}
size = (Py_ssize_t) ysize * stride; size = (Py_ssize_t) ysize * stride;
if (offset > SIZE_MAX - size) {
PyErr_SetString(PyExc_MemoryError, "Integer overflow in offset");
return NULL;
}
/* check buffer size */ /* check buffer size */
if (PyImaging_GetBuffer(target, &view) < 0) if (PyImaging_GetBuffer(target, &view) < 0)
return NULL; return NULL;