From c88b0204d7c930e3bd72626ae6ea078571cc0ea7 Mon Sep 17 00:00:00 2001
From: Eric Soroos
Date: Thu, 5 Mar 2020 09:21:35 +0000
Subject: [PATCH] Fix OOB in LC packet
---
 src/libImaging/FliDecode.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index c40436155..2316fa814 100644
--- src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -140,22 +140,26 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 break;
 case 12:
 /* FLI LC chunk (byte delta) */
+ /* OOB Check ok, we have 10 bytes here */
 y = I16(data); ymax = y + I16(data+2); data += 4;
 for (; y < ymax && y < state->ysize; y++) {
 UINT8* out = (UINT8*) im->image[y];
 int p, packets = *data++;
 for (p = x = 0; p < packets; p++, x += i) {
+ ERR_IF_DATA_OOB(2)
 x += data[0]; /* skip pixels */
 if (data[1] & 0x80) {
 i = 256-data[1]; /* run */
 if (x + i > state->xsize)
 break;
+ ERR_IF_DATA_OOB(3)
 memset(out + x, data[2], i);
 data += 3;
 } else {
 i = data[1]; /* chunk */
 if (x + i > state->xsize)
 break;
+ ERR_IF_DATA_OOB(2+i)
 memcpy(out + x, data + 2, i);
 data += i + 2;
 }
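Review bot: The per-row read `int p, packets = *data++;` is still unchecked. The new "we have 10 bytes here" comment only covers the four header bytes and the first row, so on every later `y` iteration the packet-count byte is read from wherever the previous row left `data`. I would add `ERR_IF_DATA_OOB(1)` immediately before that read; if the file must build as C89, the declaration would need to be split from the read so that a statement can precede it. The macro's definition and the rest of ImagingFliDecode lie outside this hunk, so this assumes ERR_IF_DATA_OOB(n) validates `data + n` against the end of the chunk and bails out. A short comment saying so at the first use in this case would also help, since the bare invocations with no trailing semicolon hide an early exit.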