Merge pull request #4506 from hugovk/fix_pcx

Fix bounds overflow in PCX decoding
Hugo van Kemenade 2020-04-01 12:26:17 +03:00 committed by GitHub
commit f260acc30a
3 changed files with 5 additions and 4 deletions

BIN
Tests/images/01r_00.pcx Normal file

Binary file not shown.


@ -638,6 +638,9 @@ class TestImage:
assert test_module.PILLOW_VERSION > "7.0.0" assert test_module.PILLOW_VERSION > "7.0.0"
def test_overrun(self): def test_overrun(self):
""" For overrun completeness, test as:
valgrind pytest -qq Tests/test_image.py::TestImage::test_overrun | grep decode.c
"""
for file in [ for file in [
"fli_overrun.bin", "fli_overrun.bin",
"sgi_overrun.bin", "sgi_overrun.bin",
@ -645,6 +648,7 @@ class TestImage:
"sgi_overrun_expandrow2.bin", "sgi_overrun_expandrow2.bin",
"pcx_overrun.bin", "pcx_overrun.bin",
"pcx_overrun2.bin", "pcx_overrun2.bin",
"01r_00.pcx",
]: ]:
with Image.open(os.path.join("Tests/images", file)) as im: with Image.open(os.path.join("Tests/images", file)) as im:
try: try:
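Review bot: The added list entry `"01r_00.pcx"` gives no hint of what it exercises, while the neighbouring fixtures are named `*_overrun*.bin`; a trailing comment such as `# regression input for the PCX decoder row-size check` would record why it belongs in this list. The new docstring also makes the memory-safety verification a manual valgrind run, so an ordinary pytest run only confirms whatever the `try:` body asserts, and that body lies outside this hunk. If CI has a valgrind or sanitizer job, the docstring should say whether this test is part of it.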


@ -22,10 +22,7 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
UINT8 n; UINT8 n;
UINT8* ptr; UINT8* ptr;
if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) { if ((state->xsize * state->bits + 7) / 8 > state->bytes) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
} else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
state->errcode = IMAGING_CODEC_OVERRUN; state->errcode = IMAGING_CODEC_OVERRUN;
return -1; return -1;
} }
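Review bot: The product `state->xsize * state->bits` in the new guard is evaluated before the comparison, so if both fields are plain `int` (their declarations are not in this hunk) a large enough width could overflow it and let an oversized row pass the very check meant to stop it. The same test can be written without the multiplication: `if (state->bits <= 0 || state->xsize > (state->bytes * 8) / state->bits) {`. This is equivalent for positive values and also rejects a zero `bits`, which the current expression would accept. A one-line comment above the guard, for example `/* packed row of xsize pixels must fit in the state->bytes row buffer */`, would record why the check no longer depends on the image mode. The body of ImagingPcxDecode continues outside the hunk, so whether `bits` is validated earlier cannot be seen here.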