Sophie

Sophie

distrib > Mageia > 7 > i586 > by-pkgid > e495bfb0c3db167421e07edd8769eed1 > files > 21

python-pillow-5.4.1-1.3.mga7.src.rpm

diff -rupN --no-dereference Pillow-5.4.1/src/libImaging/FliDecode.c Pillow-5.4.1-new/src/libImaging/FliDecode.c
--- Pillow-5.4.1/src/libImaging/FliDecode.c	2019-01-06 13:12:16.000000000 +0100
+++ Pillow-5.4.1-new/src/libImaging/FliDecode.c	2020-02-13 14:44:21.443016134 +0100
@@ -30,7 +30,7 @@ ImagingFliDecode(Imaging im, ImagingCode
 {
     UINT8* ptr;
     int framesize;
-    int c, chunks;
+    int c, chunks, advance;
     int l, lines;
     int i, j, x = 0, y, ymax;
 
@@ -59,10 +59,16 @@ ImagingFliDecode(Imaging im, ImagingCode
 
     chunks = I16(ptr+6);
     ptr += 16;
+    bytes -= 16;
 
     /* Process subchunks */
     for (c = 0; c < chunks; c++) {
-	UINT8 *data = ptr + 6;
+	UINT8* data;
+	if (bytes < 10) {
+	    state->errcode = IMAGING_CODEC_OVERRUN;
+	    return -1;
+	}
+	data = ptr + 6;
 	switch (I16(ptr+4)) {
 	case 4: case 11:
 	    /* FLI COLOR chunk */
@@ -198,7 +204,9 @@ ImagingFliDecode(Imaging im, ImagingCode
 	    state->errcode = IMAGING_CODEC_UNKNOWN;
 	    return -1;
 	}
-	ptr += I32(ptr);
+	advance = I32(ptr);
+	ptr += advance;
+	bytes -= advance;
     }
 
     return -1; /* end of frame */
diff -rupN --no-dereference Pillow-5.4.1/src/libImaging/PcxDecode.c Pillow-5.4.1-new/src/libImaging/PcxDecode.c
--- Pillow-5.4.1/src/libImaging/PcxDecode.c	2019-01-06 13:12:16.000000000 +0100
+++ Pillow-5.4.1-new/src/libImaging/PcxDecode.c	2020-02-13 14:44:21.443016134 +0100
@@ -22,6 +22,11 @@ ImagingPcxDecode(Imaging im, ImagingCode
     UINT8 n;
     UINT8* ptr;
 
+    if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
+        state->errcode = IMAGING_CODEC_OVERRUN;
+        return -1;
+    }
+
     ptr = buf;
 
     for (;;) {
diff -rupN --no-dereference Pillow-5.4.1/src/libImaging/SgiRleDecode.c Pillow-5.4.1-new/src/libImaging/SgiRleDecode.c
--- Pillow-5.4.1/src/libImaging/SgiRleDecode.c	2019-01-06 13:12:16.000000000 +0100
+++ Pillow-5.4.1-new/src/libImaging/SgiRleDecode.c	2020-02-13 14:44:21.443016134 +0100
@@ -156,6 +156,11 @@ ImagingSgiRleDecode(Imaging im, ImagingC
             c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize];
             c->rleoffset -= SGI_HEADER_SIZE;
 
+            if (c->rleoffset + c->rlelength > c->bufsize) {
+                state->errcode = IMAGING_CODEC_OVERRUN;
+                return -1;
+            }
+
             /* row decompression */
             if (c->bpc ==1) {
                 if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))