Icns DOS fix -- CVE-2014-3589

Found and reported by Andrew Drake of dropbox.com
2024-11-13 05:06:49 +03:00 · 2014-08-06 16:42:43 -07:00 · 2014-08-06 16:42:43 -07:00 · d47611e6fb
commit d47611e6fb
parent fa7817a4d3
2 changed files with 12 additions and 0 deletions
--- a/PIL/IcnsImagePlugin.py
+++ b/PIL/IcnsImagePlugin.py
@ -179,6 +179,8 @@ class IcnsFile:
        i = HEADERSIZE
        while i < filesize:
            sig, blocksize = nextheader(fobj)
+            if blocksize <= 0:
+                raise SyntaxError('invalid block header')
            i += HEADERSIZE
            blocksize -= HEADERSIZE
            dct[sig] = (i, blocksize)
--- a/Tests/check_icns_dos.py
+++ b/Tests/check_icns_dos.py
@ -0,0 +1,10 @@
+# Tests potential DOS of IcnsImagePlugin with 0 length block.
+# Run from anywhere that PIL is importable. 
+
+from PIL import Image
+from io import BytesIO
+
+if bytes is str:
+    Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00')))
+else:
+    Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00', 'latin-1')))