
python-pillow-5.4.1-1.3.mga7.src.rpm

From c88b0204d7c930e3bd72626ae6ea078571cc0ea7 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Thu, 5 Mar 2020 09:21:35 +0000
Subject: [PATCH 04/11] Fix OOB in LC packet

---
 src/libImaging/FliDecode.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index c404361557..2316fa814d 100644
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -140,22 +140,26 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 	    break;
 	case 12:
 	    /* FLI LC chunk (byte delta) */
+	    /* OOB Check ok, we have 10 bytes here */
 	    y = I16(data); ymax = y + I16(data+2); data += 4;
 	    for (; y < ymax && y < state->ysize; y++) {
 		UINT8* out = (UINT8*) im->image[y];
 		int p, packets = *data++;
 		for (p = x = 0; p < packets; p++, x += i) {
+		    ERR_IF_DATA_OOB(2)
 		    x += data[0]; /* skip pixels */
 		    if (data[1] & 0x80) {
 			i = 256-data[1]; /* run */
 			if (x + i > state->xsize)
 			    break;
+			ERR_IF_DATA_OOB(3)
 			memset(out + x, data[2], i);
 			data += 3;
 		    } else {
 			i = data[1]; /* chunk */
 			if (x + i > state->xsize)
 			    break;
+			ERR_IF_DATA_OOB(2+i)
 			memcpy(out + x, data + 2, i);
 			data += i + 2;
 		    }
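Review bot: The per-row packet count read at `int p, packets = *data++;` is still unguarded. The added checks sit inside the packet loop, and the new comment only accounts for the bytes consumed by the two I16 reads before the row loop. Each iteration of the `y` loop consumes one more byte, so a truncated LC chunk can move `data` past the end of the buffer before the first inner check runs. Assuming ERR_IF_DATA_OOB(n), which is defined outside this hunk, verifies that n bytes remain at `data`, I would split the declaration into `int p, packets;` followed by `ERR_IF_DATA_OOB(1)` and `packets = *data++;`. The `case 12` body and the enclosing function continue outside the hunk, so the bounds implied by "we have 10 bytes here" cannot be confirmed from these lines.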