
python-pillow-5.4.1-1.3.mga7.src.rpm

From c66d8aa75436f334f686fe32bca8e414bcdd18e6 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Mon, 2 Mar 2020 22:57:23 +0000
Subject: [PATCH 01/11] Fli issue 1

---
 src/libImaging/FliDecode.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index 6f48c07d41..484f1ce686 100644
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -165,14 +165,26 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 	    break;
 	case 15:
 	    /* FLI BRUN chunk */
+	    /* data = ptr + 6 */
 	    for (y = 0; y < state->ysize; y++) {
 		UINT8* out = (UINT8*) im->image[y];
 		data += 1; /* ignore packetcount byte */
 		for (x = 0; x < state->xsize; x += i) {
+		    if (data + 2 > ptr + bytes ) {
+			/* Out of Bounds Read issue, guaranteed to try to read 2 from data */
+			state->errcode = IMAGING_CODEC_OVERRUN;
+			return -1;
+		    }
 		    if (data[0] & 0x80) {
 			i = 256 - data[0];
-			if (x + i > state->xsize)
+			if (x + i > state->xsize) {
 			    break; /* safety first */
+			}
+			if (data + i + 1 > ptr + bytes ) {
+			    /* Out of Bounds Read issue */
+			    state->errcode = IMAGING_CODEC_OVERRUN;
+			    return -1;
+			}
 			memcpy(out + x, data + 1, i);
 			data += i + 1;
 		    } else {
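Review bot: Both new guards, `if (data + 2 > ptr + bytes )` and `if (data + i + 1 > ptr + bytes )`, build a pointer that can lie well past the end of the input before comparing it. C leaves that arithmetic undefined, so the check depends on the compiler not reasoning it away. Comparing the remaining length avoids this, assuming `ptr + bytes` is the end of the readable buffer as the guards imply: `if ((ptr + bytes) - data < 2)` and `if ((ptr + bytes) - data < i + 1)`. The per-row `data += 1; /* ignore packetcount byte */` still advances without a check of its own, and `break; /* safety first */` leaves the row without setting `state->errcode`, so an over-long packet is accepted silently rather than reported as `IMAGING_CODEC_OVERRUN`. The `else` branch and the rest of ImagingFliDecode continue outside this hunk, so whether the 2-byte guard covers every read there cannot be confirmed from here.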