Catch PCX P mode buffer overrun

python-pillow · Jan 2, 2020 · 93b22b8 · 93b22b8 · NicoleG25 · Jan 5, 2020
1 parent a09acd0
commit 93b22b8
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/Tests/images/pcx_overrun2.bin b/Tests/images/pcx_overrun2.bin
diff --git a/Tests/test_image.py b/Tests/test_image.py
@@ -590,7 +590,12 @@ def act(fp):
             self.assertFalse(fp.closed)
 
     def test_overrun(self):
-        for file in ["fli_overrun.bin", "sgi_overrun.bin", "pcx_overrun.bin"]:
+        for file in [
+            "fli_overrun.bin",
+            "sgi_overrun.bin",
+            "pcx_overrun.bin",
+            "pcx_overrun2.bin",
+        ]:
             im = Image.open(os.path.join("Tests/images", file))
             try:
                 im.load()

diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
@@ -25,6 +25,9 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
     if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
         state->errcode = IMAGING_CODEC_OVERRUN;
         return -1;
+    } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
+        state->errcode = IMAGING_CODEC_OVERRUN;
+        return -1;
     }
 
     ptr = buf;