Incorrect error code checking in TiffDecode.c

* since Pillow 8.1.0 * CVE-2021-25289
python-pillow · Mar 1, 2021 · cbfdde7 · cbfdde7
1 parent 2ba5eb1
commit cbfdde7
Show file tree

Hide file tree

Showing 4 changed files with 3 additions and 1 deletion.
diff --git a/Tests/images/crash-0e16d3bfb83be87356d026d66919deaefca44dac.tif b/Tests/images/crash-0e16d3bfb83be87356d026d66919deaefca44dac.tif
diff --git a/Tests/images/crash-1152ec2d1a1a71395b6f2ce6721c38924d025bf3.tif b/Tests/images/crash-1152ec2d1a1a71395b6f2ce6721c38924d025bf3.tif
diff --git a/Tests/test_tiff_crashes.py b/Tests/test_tiff_crashes.py
@@ -24,6 +24,8 @@
         "Tests/images/crash_1.tif",
         "Tests/images/crash_2.tif",
         "Tests/images/crash-2020-10-test.tif",
+        "Tests/images/crash-1152ec2d1a1a71395b6f2ce6721c38924d025bf3.tif",
+        "Tests/images/crash-0e16d3bfb83be87356d026d66919deaefca44dac.tif",
     ],
 )
 @pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")

diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
@@ -250,7 +250,7 @@ int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) {
         img.row_offset = state->y; 
         rows_to_read = min(rows_per_strip, img.height - state->y);
 
-        if (TIFFRGBAImageGet(&img, (UINT32 *)state->buffer, img.width, rows_to_read) == -1) {
+        if (!TIFFRGBAImageGet(&img, (UINT32 *)state->buffer, img.width, rows_to_read)) {
             TRACE(("Decode Error, y: %d\n", state->y ));
             state->errcode = IMAGING_CODEC_BROKEN;
             goto decodeycbcr_err;