From a79b65c47c7dc6fe623aadf09aa6192fc54548f3 Mon Sep 17 00:00:00 2001
From: Andrew Murray
Date: Wed, 1 Jan 2020 14:16:45 +1100
Subject: [PATCH] Catch SGI buffer overruns
---
 Tests/images/sgi_overrun_expandrow.bin | Bin 0 -> 545 bytes
 Tests/images/sgi_overrun_expandrow2.bin | Bin 0 -> 545 bytes
 Tests/test_image.py | 2 ++
 src/libImaging/SgiRleDecode.c | 23 +++++++++++++++++------
 4 files changed, 19 insertions(+), 6 deletions(-)
 create mode 100644 Tests/images/sgi_overrun_expandrow.bin
 create mode 100644 Tests/images/sgi_overrun_expandrow2.bin
diff --git a/Tests/images/sgi_overrun_expandrow.bin b/Tests/images/sgi_overrun_expandrow.bin
new file mode 100644
index 0000000000000000000000000000000000000000..316d618818e5071a99cb003c9874ae734213319f
GIT binary patch
literal 545
zcmZR)#mLCO%)khQ%nT6lA4-o>BO(NtBp4W&q=8rt=v`160At2v2F73}#yAE51B3%!
literal 0
HcmV?d00001
diff --git a/Tests/images/sgi_overrun_expandrow2.bin b/Tests/images/sgi_overrun_expandrow2.bin
new file mode 100644
index 0000000000000000000000000000000000000000..f70e03a3960596bf060531ba74a9084a148949cd
GIT binary patch
literal 545
zcmZR)#mL0K%)khQ%nT6lA4-o>BO(NtBp4W&q=8rt=v`160At2v2F73}#yAE51)>9A
literal 0
HcmV?d00001
diff --git a/Tests/test_image.py b/Tests/test_image.py
index 33657d56cf0..2982d16d70c 100644
--- a/Tests/test_image.py
+++ b/Tests/test_image.py
@@ -593,6 +593,8 @@ def test_overrun(self):
 for file in [
 "fli_overrun.bin",
 "sgi_overrun.bin",
+ "sgi_overrun_expandrow.bin",
+ "sgi_overrun_expandrow2.bin",
 "pcx_overrun.bin",
 "pcx_overrun2.bin",
 ]:
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
index 8a81ba8e6c0..1ba56b8c7b7 100644
--- a/src/libImaging/SgiRleDecode.c
+++ b/src/libImaging/SgiRleDecode.c
@@ -25,7 +25,7 @@ static void read4B(UINT32* dest, UINT8* buf)
 *dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
 }
-static int expandrow(UINT8* dest, UINT8* src, int n, int z)
+static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
 {
 UINT8 pixel, count;
@@ -37,6 +37,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
 count = pixel & RLE_MAX_RUN;
 if (!count)
 return count;
+ if (count > xsize) {
+ return -1;
+ }
 if (pixel & RLE_COPY_FLAG) {
 while(count--) {
 *dest = *src++;
@@ -56,7 +59,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
 return 0;
 }
-static int expandrow2(UINT8* dest, const UINT8* src, int n, int z)
+static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize)
 {
 UINT8 pixel, count;
@@ -70,6 +73,9 @@ static int expandrow2(UINT8* dest, const UINT8* src, int n, int z)
 count = pixel & RLE_MAX_RUN;
 if (!count)
 return count;
+ if (count > xsize) {
+ return -1;
+ }
 if (pixel & RLE_COPY_FLAG) {
 while(count--) {
 memcpy(dest, src, 2);
@@ -96,6 +102,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
 UINT8 *ptr;
 SGISTATE *c;
 int err = 0;
+ int status;
 /* Get all data from File descriptor */
 c = (SGISTATE*)state->context;
@@ -164,12 +171,16 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
 /* row decompression */
 if (c->bpc ==1) {
- if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
- goto sgi_finish_decode;
+ status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
 } else {
- if(expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands))
- goto sgi_finish_decode;
+ status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
+ }
+ if (status == -1) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ } else if (status == 1) {
+ goto sgi_finish_decode;
 }
 state->count += c->rlelength;
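Review bot: The new `count > xsize` test in the -37,6 hunk bounds a single run, not the row: each run the loop handles passes it independently, so a row made of several runs that each fit can still write past the `xsize`-pixel row that `dest` points into (the loop header and the `dest` stride are outside the hunk; this is inferred from the `while(count--) { *dest = *src++;` copy that follows and from `xsize` never being reduced). Keep a running column instead: declare `int x = 0;` next to `pixel, count`, replace the check with `if (x + count > xsize) return -1;`, and add `x += count;` after it. The identical per-run check in the expandrow2 hunk at -70,6 needs the same treatment. The copy branch also advances `src` by `count` bytes while `n` appears to count only control bytes, so the source side is not bounded by this check either and deserves its own limit in a follow-up.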
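Review bot: `} else if (status == 1) {` in the -164,12 hunk narrows the prior behaviour, which jumped to `sgi_finish_decode` on any nonzero return; if `expandrow`/`expandrow2` ever return a different positive value (their early-return paths are outside this hunk), that row would now be treated as decoded and `state->count += c->rlelength;` would still run. Prefer `} else if (status != 0) {` so every non-overrun, non-zero status keeps the old finish path. A comment above the block, `/* status: -1 run exceeds row (overrun), >0 truncated input (stop), 0 row ok */`, would also make the tri-state contract explicit, since `int status;` is declared without a value in the -96,6 hunk and only these branches give it meaning.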