Skip to content

Commit

Permalink
Catch PCX P mode buffer overrun
Browse files Browse the repository at this point in the history
  • Loading branch information
radarhere committed Jan 2, 2020
1 parent a09acd0 commit 93b22b8
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 1 deletion.
Binary file added Tests/images/pcx_overrun2.bin
Binary file not shown.
7 changes: 6 additions & 1 deletion Tests/test_image.py
Original file line number Diff line number Diff line change
Expand Up @@ -590,7 +590,12 @@ def act(fp):
self.assertFalse(fp.closed)

def test_overrun(self):
for file in ["fli_overrun.bin", "sgi_overrun.bin", "pcx_overrun.bin"]:
for file in [
"fli_overrun.bin",
"sgi_overrun.bin",
"pcx_overrun.bin",
"pcx_overrun2.bin",
]:
im = Image.open(os.path.join("Tests/images", file))
try:
im.load()
Expand Down
3 changes: 3 additions & 0 deletions src/libImaging/PcxDecode.c
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
} else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
}

ptr = buf;
Expand Down

1 comment on commit 93b22b8

@NicoleG25
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that it appears that CVE-2020-5312 was assigned to this issue.

Please sign in to comment.