From 480f6819b592d7f07b9a9a52a7656c10bbe07442 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Wed, 24 Feb 2021 23:27:07 +0100
Subject: [PATCH] Fix Memory DOS in Icns, Ico and Blp Image Plugins

Some container plugins that could contain images of other formats,
such as the ICNS format, did not properly check the reported size of
the contained image. These images could cause arbitrariliy large
memory allocations.

This is fixed for all locations where individual *ImageFile classes
are created without going through the usual Image.open method.

Conflict:NA
Reference:https://github.com/python-pillow/Pillow/commit/480f6819b592d7f07b9a9a52a7656c10bbe07442
---
 src/PIL/BlpImagePlugin.py  | 1 +
 src/PIL/IcnsImagePlugin.py | 2 ++
 src/PIL/IcoImagePlugin.py  | 1 +
 3 files changed, 4 insertions(+)

diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
index d5d7c0e..88aae80 100644
--- a/src/PIL/BlpImagePlugin.py
+++ b/src/PIL/BlpImagePlugin.py
@@ -353,6 +353,7 @@ class BLP1Decoder(_BLPBaseDecoder):
         data = jpeg_header + data
         data = BytesIO(data)
         image = JpegImageFile(data)
+        Image._decompression_bomb_check(image.size)
         self.tile = image.tile  # :/
         self.fd = image.fp
         self.mode = image.mode
diff --git a/src/PIL/IcnsImagePlugin.py b/src/PIL/IcnsImagePlugin.py
index 2a63d75..ca6a0ad 100644
--- a/src/PIL/IcnsImagePlugin.py
+++ b/src/PIL/IcnsImagePlugin.py
@@ -105,6 +105,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
     if sig[:8] == b"\x89PNG\x0d\x0a\x1a\x0a":
         fobj.seek(start)
         im = PngImagePlugin.PngImageFile(fobj)
+        Image._decompression_bomb_check(im.size)
         return {"RGBA": im}
     elif (
         sig[:4] == b"\xff\x4f\xff\x51"
@@ -121,6 +122,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
         jp2kstream = fobj.read(length)
         f = io.BytesIO(jp2kstream)
         im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
+        Image._decompression_bomb_check(im.size)
         if im.mode != "RGBA":
             im = im.convert("RGBA")
         return {"RGBA": im}
diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
index e1bfa7a..5634bf8 100644
--- a/src/PIL/IcoImagePlugin.py
+++ b/src/PIL/IcoImagePlugin.py
@@ -178,6 +178,7 @@ class IcoFile:
         if data[:8] == PngImagePlugin._MAGIC:
             # png frame
             im = PngImagePlugin.PngImageFile(self.buf)
+            Image._decompression_bomb_check(im.size)
         else:
             # XOR + AND mask bmp frame
             im = BmpImagePlugin.DibImageFile(self.buf)
-- 
2.27.0