69 lines
2.6 KiB
Diff
69 lines
2.6 KiB
Diff
From 480f6819b592d7f07b9a9a52a7656c10bbe07442 Mon Sep 17 00:00:00 2001
|
|
From: Eric Soroos <eric-github@soroos.net>
|
|
Date: Wed, 24 Feb 2021 23:27:07 +0100
|
|
Subject: [PATCH] Fix Memory DOS in Icns, Ico and Blp Image Plugins
|
|
|
|
Some container plugins that could contain images of other formats,
|
|
such as the ICNS format, did not properly check the reported size of
|
|
the contained image. These images could cause arbitrariliy large
|
|
memory allocations.
|
|
|
|
This is fixed for all locations where individual *ImageFile classes
|
|
are created without going through the usual Image.open method.
|
|
|
|
Conflict:NA
|
|
Reference:https://github.com/python-pillow/Pillow/commit/480f6819b592d7f07b9a9a52a7656c10bbe07442
|
|
---
|
|
src/PIL/BlpImagePlugin.py | 1 +
|
|
src/PIL/IcnsImagePlugin.py | 2 ++
|
|
src/PIL/IcoImagePlugin.py | 1 +
|
|
3 files changed, 4 insertions(+)
|
|
|
|
diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
|
|
index d5d7c0e..88aae80 100644
|
|
--- a/src/PIL/BlpImagePlugin.py
|
|
+++ b/src/PIL/BlpImagePlugin.py
|
|
@@ -353,6 +353,7 @@ class BLP1Decoder(_BLPBaseDecoder):
|
|
data = jpeg_header + data
|
|
data = BytesIO(data)
|
|
image = JpegImageFile(data)
|
|
+ Image._decompression_bomb_check(image.size)
|
|
self.tile = image.tile # :/
|
|
self.fd = image.fp
|
|
self.mode = image.mode
|
|
diff --git a/src/PIL/IcnsImagePlugin.py b/src/PIL/IcnsImagePlugin.py
|
|
index 2a63d75..ca6a0ad 100644
|
|
--- a/src/PIL/IcnsImagePlugin.py
|
|
+++ b/src/PIL/IcnsImagePlugin.py
|
|
@@ -105,6 +105,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
|
|
if sig[:8] == b"\x89PNG\x0d\x0a\x1a\x0a":
|
|
fobj.seek(start)
|
|
im = PngImagePlugin.PngImageFile(fobj)
|
|
+ Image._decompression_bomb_check(im.size)
|
|
return {"RGBA": im}
|
|
elif (
|
|
sig[:4] == b"\xff\x4f\xff\x51"
|
|
@@ -121,6 +122,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
|
|
jp2kstream = fobj.read(length)
|
|
f = io.BytesIO(jp2kstream)
|
|
im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
|
|
+ Image._decompression_bomb_check(im.size)
|
|
if im.mode != "RGBA":
|
|
im = im.convert("RGBA")
|
|
return {"RGBA": im}
|
|
diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
|
|
index e1bfa7a..5634bf8 100644
|
|
--- a/src/PIL/IcoImagePlugin.py
|
|
+++ b/src/PIL/IcoImagePlugin.py
|
|
@@ -178,6 +178,7 @@ class IcoFile:
|
|
if data[:8] == PngImagePlugin._MAGIC:
|
|
# png frame
|
|
im = PngImagePlugin.PngImageFile(self.buf)
|
|
+ Image._decompression_bomb_check(im.size)
|
|
else:
|
|
# XOR + AND mask bmp frame
|
|
im = BmpImagePlugin.DibImageFile(self.buf)
|
|
--
|
|
2.27.0
|
|
|