Skip to content

Commit a09acd0

Browse files
committed
Catch FLI buffer overrun
1 parent 774e53b commit a09acd0

File tree

3 files changed

+12
-2
lines changed

3 files changed

+12
-2
lines changed

Diff for: Tests/images/fli_overrun2.bin

188 Bytes
Binary file not shown.

Diff for: Tests/test_image.py

+7
Original file line numberDiff line numberDiff line change
@@ -598,6 +598,13 @@ def test_overrun(self):
598598
except IOError as e:
599599
self.assertEqual(str(e), "buffer overrun when reading image file")
600600

601+
with Image.open("Tests/images/fli_overrun2.bin") as im:
602+
try:
603+
im.seek(1)
604+
self.assertFail()
605+
except IOError as e:
606+
self.assertEqual(str(e), "buffer overrun when reading image file")
607+
601608

602609
class MockEncoder(object):
603610
pass

Diff for: src/libImaging/FliDecode.c

+5-2
Original file line numberDiff line numberDiff line change
@@ -40,8 +40,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
4040
return 0;
4141

4242
/* We don't decode anything unless we have a full chunk in the
43-
input buffer (on the other hand, the Python part of the driver
44-
makes sure this is always the case) */
43+
input buffer */
4544

4645
ptr = buf;
4746

@@ -52,6 +51,10 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
5251
/* Make sure this is a frame chunk. The Python driver takes
5352
case of other chunk types. */
5453

54+
if (bytes < 8) {
55+
state->errcode = IMAGING_CODEC_OVERRUN;
56+
return -1;
57+
}
5558
if (I16(ptr+4) != 0xF1FA) {
5659
state->errcode = IMAGING_CODEC_UNKNOWN;
5760
return -1;

0 commit comments

Comments
 (0)