Skip to content

Fixes for #2105 #2146

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Oct 3, 2016
Prev Previous commit
Next Next commit
Map.c overflow fixes
  • Loading branch information
wiredfool committed Oct 3, 2016
commit c50ebe6459a131a1ea8ca531f10da616d3ceaa0f
Binary file added Tests/images/l2rgb_read.bmp
Binary file not shown.
25 changes: 25 additions & 0 deletions Tests/test_map.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
from helper import PillowTestCase, unittest

from PIL import Image

class TestMap(PillowTestCase):
def test_overflow(self):
# There is the potential to overflow comparisons in map.c
# if there are > SIZE_MAX bytes in the image or if
# the file encodes an offset that makes
# (offset + size(bytes)) > SIZE_MAX

# Note that this image triggers the decompression bomb warning:
max_pixels = Image.MAX_IMAGE_PIXELS
Image.MAX_IMAGE_PIXELS = None

# This image hits the offset test.
im = Image.open('Tests/images/l2rgb_read.bmp')
with self.assertRaises((ValueError, MemoryError)):
im.load()

Image.MAX_IMAGE_PIXELS = max_pixels


if __name__ == '__main__':
unittest.main()
10 changes: 10 additions & 0 deletions map.c
Original file line number Diff line number Diff line change
Expand Up @@ -342,8 +342,18 @@ PyImaging_MapBuffer(PyObject* self, PyObject* args)
stride = xsize * 4;
}

if (ysize > INT_MAX / stride) {
PyErr_SetString(PyExc_MemoryError, "Integer overflow in ysize");
return NULL;
}

size = (Py_ssize_t) ysize * stride;

if (offset > SIZE_MAX - size) {
PyErr_SetString(PyExc_MemoryError, "Integer overflow in offset");
return NULL;
}

/* check buffer size */
if (PyImaging_GetBuffer(target, &view) < 0)
return NULL;
Expand Down