
python-pillow-5.4.1-1.3.mga7.src.rpm

From 8d4f3c0c5f2fecf175aeb895e9c2d6d06d85bdc9 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Thu, 5 Mar 2020 10:01:28 +0000
Subject: [PATCH 06/11] Fix OOB Read in FLI Copy Chunk

---
 src/libImaging/FliDecode.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index ca9e00327f..98bc037681 100644
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -86,7 +86,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 	    /* OOB ok, we've got 4 bytes min on entry */
 	    lines = I16(data); data += 2;
 	    for (l = y = 0; l < lines && y < state->ysize; l++, y++) {
-		UINT8* buf = (UINT8*) im->image[y];
+		UINT8* local_buf = (UINT8*) im->image[y];
 		int p, packets;
 		ERR_IF_DATA_OOB(2)
 		packets = I16(data); data += 2;
@@ -98,10 +98,10 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 			    state->errcode = IMAGING_CODEC_OVERRUN;
 			    return -1;
 			}
-			buf = (UINT8*) im->image[y];
+			local_buf = (UINT8*) im->image[y];
 		    } else {
 			/* store last byte (used if line width is odd) */
-			buf[state->xsize-1] = (UINT8) packets;
+			local_buf[state->xsize-1] = (UINT8) packets;
 		    }
 		    ERR_IF_DATA_OOB(2)
 		    packets = I16(data); data += 2;
@@ -115,8 +115,8 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 			if (x + i + i > state->xsize)
 			    break;
 			for (j = 0; j < i; j++) {
-			    buf[x++] = data[2];
-			    buf[x++] = data[3];
+			    local_buf[x++] = data[2];
+			    local_buf[x++] = data[3];
 			}
 			data += 2 + 2;
 		    } else {
@@ -124,7 +124,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 			if (x + i > state->xsize)
 			    break;
 			ERR_IF_DATA_OOB(2+i)
-			memcpy(buf + x, data + 2, i);
+			memcpy(local_buf + x, data + 2, i);
 			data += 2 + i;
 			x += i;
 		    }
@@ -213,9 +213,13 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 	    break;
 	case 16:
 	    /* COPY chunk */
+	    if (state->xsize > bytes/state->ysize) {
+		/* not enough data for frame */
+		return ptr - buf; /* bytes consumed */
+	    }
 	    for (y = 0; y < state->ysize; y++) {
-		UINT8* buf = (UINT8*) im->image[y];
-		memcpy(buf, data, state->xsize);
+		UINT8* local_buf = (UINT8*) im->image[y];
+		memcpy(local_buf, data, state->xsize);
 		data += state->xsize;
 	    }
 	    break;
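Review bot: The new guard in the COPY chunk compares `state->xsize` with `bytes/state->ysize`, but the `memcpy` loop reads from `data`, not from the start of the input. If `bytes` is the length of the whole buffer at `buf` and `data` has already been advanced past the frame and chunk headers (that code is outside the hunk), a frame that only just passes the check can still be read a few header bytes past the end of the buffer. Bounding the copy by what remains after `data`, for example `if (state->ysize <= 0 || state->xsize > ((buf + bytes) - data) / state->ysize)`, would close that gap and also rule out a division by zero should `ysize` ever be 0. The early `return ptr - buf` reports a truncated frame as bytes consumed without setting `state->errcode`, unlike the `IMAGING_CODEC_OVERRUN` path earlier in the function, so a comment stating that this is intentional would help the next reader.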