Commit 205e056

Icns DOS fix -- CVE-2014-3589
Found and reported by Andrew Drake of dropbox.com
1 parent cc6610e commit 205e056

2 files changed

+12
-0
lines changed

Diff for: PIL/IcnsImagePlugin.py

+2
@@ -179,6 +179,8 @@ def __init__(self, fobj):
179179
i = HEADERSIZE
180180
while i < filesize:
181181
sig, blocksize = nextheader(fobj)
182+
if blocksize <= 0:
183+
raise SyntaxError('invalid block header')
182184
i += HEADERSIZE
183185
blocksize -= HEADERSIZE
184186
dct[sig] = (i, blocksize)
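
Review bot: the new guard `if blocksize <= 0:` only rejects a zero or negative size, but two lines later `blocksize -= HEADERSIZE` still runs on any value from 1 to HEADERSIZE - 1, so `dct[sig] = (i, blocksize)` records a negative payload length for a block that claims to be smaller than its own header. Since the stored size evidently includes the header, consider comparing against HEADERSIZE instead (`if blocksize < HEADERSIZE:`), which also covers the zero-length case this commit targets. An upper bound against `filesize` is worth considering too, as nothing in these lines checks that the block fits inside the file.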

Diff for: Tests/check_icns_dos.py

+10
@@ -0,0 +1,10 @@
1+
# Tests potential DOS of IcnsImagePlugin with 0 length block.
2+
# Run from anywhere that PIL is importable.
3+
4+
from PIL import Image
5+
from io import BytesIO
6+
7+
if bytes is str:
8+
Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00')))
9+
else:
10+
Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00', 'latin-1')))
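
Review bot: the script ends at the bare `Image.open(...)` calls with no assertion on the outcome, so it can only signal a regression by hanging, and an exception raised by the new header check would surface as an uncaught traceback rather than a pass. Consider turning it into a regular test case that expects the open to fail with an error and that runs under a timeout. The `if bytes is str:` branch can also be dropped by writing the payload once as a bytes literal, `b'icns\x00\x00\x00\x10hang\x00\x00\x00\x00'`, which needs no `'latin-1'` argument.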
