From c5edc361fd6450f805a6a444723b0f68190b1d0c Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Thu, 5 Mar 2020 09:51:32 +0000
Subject: [PATCH 05/11] Fix OOB Advance Values
---
 src/libImaging/FliDecode.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index 2316fa814d..ca9e00327f 100644
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -83,7 +83,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 break; /* ignored; handled by Python code */
 case 7:
 /* FLI SS2 chunk (word delta) */
- /* OOB ok, we've got 10 bytes min on entry */
+ /* OOB ok, we've got 4 bytes min on entry */
 lines = I16(data); data += 2;
 for (l = y = 0; l < lines && y < state->ysize; l++, y++) {
 UINT8* buf = (UINT8*) im->image[y];
@@ -229,6 +229,10 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 return -1;
 }
 advance = I32(ptr);
+ if (advance < 0 || advance > bytes) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
 ptr += advance;
 bytes -= advance;
 }
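Review bot: In the second hunk the new guard `advance < 0 || advance > bytes` still lets `advance == 0` through, so `ptr` and `bytes` stay unchanged and the same chunk bytes would be decoded again on the next pass. A chunk length that does not move the cursor forward is as malformed as a negative one, so the condition should reject it too: `if (advance <= 0 || advance > bytes) {`. The closing brace after `bytes -= advance;` suggests this sits inside a per-chunk loop that begins outside the hunk, so how many repeated passes a malformed file could cause depends on a loop bound not visible here.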