Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes for #2105 #2146

Merged
merged 9 commits into from Oct 3, 2016

Map.c overflow fixes

  • Loading branch information...
wiredfool committed Sep 29, 2016
commit c50ebe6459a131a1ea8ca531f10da616d3ceaa0f
Binary file not shown.
@@ -0,0 +1,25 @@
from helper import PillowTestCase, unittest

from PIL import Image

class TestMap(PillowTestCase):
def test_overflow(self):
# There is the potential to overflow comparisons in map.c
# if there are > SIZE_MAX bytes in the image or if
# the file encodes an offset that makes
# (offset + size(bytes)) > SIZE_MAX

# Note that this image triggers the decompression bomb warning:
max_pixels = Image.MAX_IMAGE_PIXELS
Image.MAX_IMAGE_PIXELS = None

# This image hits the offset test.
im = Image.open('Tests/images/l2rgb_read.bmp')
with self.assertRaises((ValueError, MemoryError)):
im.load()

Image.MAX_IMAGE_PIXELS = max_pixels


if __name__ == '__main__':
unittest.main()
10 map.c
@@ -342,8 +342,18 @@ PyImaging_MapBuffer(PyObject* self, PyObject* args)
stride = xsize * 4;
}

if (ysize > INT_MAX / stride) {
PyErr_SetString(PyExc_MemoryError, "Integer overflow in ysize");
return NULL;
}

size = (Py_ssize_t) ysize * stride;

if (offset > SIZE_MAX - size) {
PyErr_SetString(PyExc_MemoryError, "Integer overflow in offset");
return NULL;
}

/* check buffer size */
if (PyImaging_GetBuffer(target, &view) < 0)
return NULL;
ProTip! Use n and p to navigate between commits in a pull request.
You can’t perform that action at this time.