From c66d8aa75436f334f686fe32bca8e414bcdd18e6 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Mon, 2 Mar 2020 22:57:23 +0000
Subject: [PATCH 01/11] Fli issue 1

---
 src/libImaging/FliDecode.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index 6f48c07d41..484f1ce686 100644
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -165,14 +165,26 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 break;
 case 15:
 /* FLI BRUN chunk */
+ /* data = ptr + 6 */
 for (y = 0; y < state->ysize; y++) {
 UINT8* out = (UINT8*) im->image[y];
 data += 1; /* ignore packetcount byte */
 for (x = 0; x < state->xsize; x += i) {
+ if (data + 2 > ptr + bytes ) {
+ /* Out of Bounds Read issue, guaranteed to try to read 2 from data */
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
 if (data[0] & 0x80) {
 i = 256 - data[0];
- if (x + i > state->xsize)
+ if (x + i > state->xsize) {
 break; /* safety first */
+ }
+ if (data + i + 1 > ptr + bytes ) {
+ /* Out of Bounds Read issue */
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
 memcpy(out + x, data + 1, i);
 data += i + 1;
 } else {
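Review bot: Both added bounds checks build a candidate pointer (`data + 2`, `data + i + 1`) and only then compare it with `ptr + bytes`, so on truncated input the left-hand side can point more than one element past the end of the buffer before the comparison runs; that pointer arithmetic is undefined in C and a compiler may reason the check away. Comparing the remaining length keeps everything in range: `if ((ptr + bytes) - data < 2) {` for the first check and `if ((ptr + bytes) - data < i + 1) {` for the copy-run check. This assumes `ptr + bytes` marks the end of the supplied buffer at this point, which is established outside the hunk and should be confirmed. The same three-line `IMAGING_CODEC_OVERRUN` block now appears twice, so a small macro or helper would keep later checks in this decoder uniform. The `else` branch of the run loop continues past the end of the hunk, so its reads are only covered here by the two-byte pre-check.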