Fix for integer overflow in path.c

2024-11-10 19:56:47 +03:00 · 2016-03-15 19:56:40 +00:00 · 2016-03-15 19:56:40 +00:00 · c6ec3be0d6
commit c6ec3be0d6
parent d3727b523e
2 changed files with 33 additions and 1 deletions
--- a/Tests/test_imagepath.py
+++ b/Tests/test_imagepath.py
@ -3,7 +3,7 @@ from helper import unittest, PillowTestCase
 from PIL import ImagePath

 import array
-
+import struct

 class TestImagePath(PillowTestCase):

@ -62,6 +62,34 @@ class TestImagePath(PillowTestCase):
        self.assertEqual(list(p), [(0.0, 1.0)])


+    def test_overflow_segfault(self):
+        try:
+            # post patch, this fails with a memory error
+            x = evil()
+            
+            # This fails due to the invalid malloc above,
+            # and segfaults
+            for i in xrange(200000):
+                x[i] = "0"*16
+                
+        except MemoryError as msg:
+            self.assertTrue(msg)
+        except:
+            self.asserTrue(False, "Should have received a memory error")
+
+
+class evil:
+	def __init__(self):
+		self.corrupt = ImagePath.Path(0x4000000000000000)
+
+	def __getitem__(self, i):
+		x = self.corrupt[i]
+		return struct.pack("dd", x[0], x[1])
+
+	def __setitem__(self, i, x):
+		self.corrupt[i] = struct.unpack("dd", x)
+
+
 if __name__ == '__main__':
    unittest.main()

--- a/path.c
+++ b/path.c
@ -57,6 +57,10 @@ alloc_array(Py_ssize_t count)
        PyErr_NoMemory();
        return NULL;
    }
+    if (count > (SIZE_MAX / (2 * sizeof(double))) - 1 ) {
+        PyErr_NoMemory();
+        return NULL;
+    }
    xy = malloc(2 * count * sizeof(double) + 1);
    if (!xy)
        PyErr_NoMemory();