Sophie: python-pillow-5.4.1-1.3.mga7 src

python-pillow-5.4.1-1.3.mga7.src.rpm

From c5edc361fd6450f805a6a444723b0f68190b1d0c Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Thu, 5 Mar 2020 09:51:32 +0000
Subject: [PATCH 05/11] Fix OOB Advance Values

---
 src/libImaging/FliDecode.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index 2316fa814d..ca9e00327f 100644
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -83,7 +83,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 	    break; /* ignored; handled by Python code */
 	case 7:
 	    /* FLI SS2 chunk (word delta) */
-	    /* OOB ok, we've got 10 bytes min on entry */
+	    /* OOB ok, we've got 4 bytes min on entry */
 	    lines = I16(data); data += 2;
 	    for (l = y = 0; l < lines && y < state->ysize; l++, y++) {
 		UINT8* buf = (UINT8*) im->image[y];
@@ -229,6 +229,10 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 	    return -1;
 	}
 	advance = I32(ptr);
+	if (advance < 0 || advance > bytes) {
+	    state->errcode = IMAGING_CODEC_OVERRUN;
+	    return -1;
+	}
 	ptr += advance;
 	bytes -= advance;
     }