Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes for #2105 #2146

Merged
merged 9 commits into from Oct 3, 2016
Map.c overflow fixes
  • Loading branch information
wiredfool committed Oct 3, 2016
commit c50ebe6459a131a1ea8ca531f10da616d3ceaa0f
Binary file added Tests/images/l2rgb_read.bmp
Binary file not shown.
25 changes: 25 additions & 0 deletions Tests/test_map.py
@@ -0,0 +1,25 @@
from helper import PillowTestCase, unittest

from PIL import Image

class TestMap(PillowTestCase):
def test_overflow(self):
# There is the potential to overflow comparisons in map.c
# if there are > SIZE_MAX bytes in the image or if
# the file encodes an offset that makes
# (offset + size(bytes)) > SIZE_MAX

# Note that this image triggers the decompression bomb warning:
max_pixels = Image.MAX_IMAGE_PIXELS
Image.MAX_IMAGE_PIXELS = None

# This image hits the offset test.
im = Image.open('Tests/images/l2rgb_read.bmp')
with self.assertRaises((ValueError, MemoryError)):
im.load()

Image.MAX_IMAGE_PIXELS = max_pixels


if __name__ == '__main__':
unittest.main()
10 changes: 10 additions & 0 deletions map.c
Expand Up @@ -342,8 +342,18 @@ PyImaging_MapBuffer(PyObject* self, PyObject* args)
stride = xsize * 4;
}

if (ysize > INT_MAX / stride) {
PyErr_SetString(PyExc_MemoryError, "Integer overflow in ysize");
return NULL;
}

size = (Py_ssize_t) ysize * stride;

if (offset > SIZE_MAX - size) {
PyErr_SetString(PyExc_MemoryError, "Integer overflow in offset");
return NULL;
}

/* check buffer size */
if (PyImaging_GetBuffer(target, &view) < 0)
return NULL;
Expand Down