
python-pillow-5.4.1-1.3.mga7.src.rpm

From b4e439d6d7fd986cd6b4c7f9ca18830d79dacd44 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Thu, 5 Mar 2020 09:11:50 +0000
Subject: [PATCH 03/11] Fix OOB Reads in SS2 Chunk

---
 src/libImaging/FliDecode.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index d53b4a7fd1..c404361557 100644
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -83,10 +83,12 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 	    break; /* ignored; handled by Python code */
 	case 7:
 	    /* FLI SS2 chunk (word delta) */
+	    /* OOB ok, we've got 10 bytes min on entry */
 	    lines = I16(data); data += 2;
 	    for (l = y = 0; l < lines && y < state->ysize; l++, y++) {
 		UINT8* buf = (UINT8*) im->image[y];
 		int p, packets;
+		ERR_IF_DATA_OOB(2)
 		packets = I16(data); data += 2;
 		while (packets & 0x8000) {
 		    /* flag word */
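Review bot: The added comment `/* OOB ok, we've got 10 bytes min on entry */` does not say which read it excuses or where the 10-byte guarantee is enforced, and that check is not visible in this hunk. Since every other read in this case is now guarded by `ERR_IF_DATA_OOB`, the one unguarded read needs a self-explanatory justification, for example `/* the 2-byte line count is always readable: the chunk was checked to hold at least 10 bytes on entry */`. Alternatively, an explicit `ERR_IF_DATA_OOB(2)` before `lines = I16(data)` would remove the reliance on a distant invariant at negligible cost. The `while (packets & 0x8000)` body and the rest of `ImagingFliDecode` continue outside the hunk.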
@@ -101,11 +103,14 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 			/* store last byte (used if line width is odd) */
 			buf[state->xsize-1] = (UINT8) packets;
 		    }
+		    ERR_IF_DATA_OOB(2)
 		    packets = I16(data); data += 2;
 		}
 		for (p = x = 0; p < packets; p++) {
+		    ERR_IF_DATA_OOB(2)
 		    x += data[0]; /* pixel skip */
 		    if (data[1] >= 128) {
+			ERR_IF_DATA_OOB(4)
 			i = 256-data[1]; /* run */
 			if (x + i + i > state->xsize)
 			    break;
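Review bot: The `ERR_IF_DATA_OOB(...)` calls added in this hunk, like the one before the packet-count read in the previous hunk and the one before `memcpy` in the next, are written without a trailing semicolon, so they do not read as statements. The macro's definition is not part of this patch, but its name suggests that it sets an error and returns, which hides an exit path in the middle of the decode loop. If it expands to a bare `if { ... }`, wrapping it in `do { ... } while (0)` and writing each call as `ERR_IF_DATA_OOB(2);` would keep it from capturing a following `else`. A short comment at the first use, such as `/* returns -1 with an overrun error if fewer than n bytes remain */`, would make the control flow explicit; confirm the wording against the macro.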
@@ -118,6 +123,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 			i = 2 * (int) data[1]; /* chunk */
 			if (x + i > state->xsize)
 			    break;
+			ERR_IF_DATA_OOB(2+i)
 			memcpy(buf + x, data + 2, i);
 			data += 2 + i;
 			x += i;
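Review bot: In the literal-chunk branch `ERR_IF_DATA_OOB(2+i)` sits after the `if (x + i > state->xsize) break;` test, while the run branch in the previous hunk checks the input (`ERR_IF_DATA_OOB(4)`) before its width test. The two branches therefore report a chunk that is both truncated and too wide differently: one through the macro, the other through whatever follows the `break`, which is outside this hunk. Moving the check to directly after `i = 2 * (int) data[1]; /* chunk */` would give both branches the same order, input bounds first and then output bounds. A comment such as `/* 2 header bytes (skip, count) plus i literal bytes read by memcpy */` would also explain the `2+i`.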