From a09acd0decd8a87ccce939d5ff65dab59e7d365b Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Wed, 1 Jan 2020 14:14:47 +1100
Subject: [PATCH] Catch FLI buffer overrun
https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b
---
src/libImaging/FliDecode.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index 2d63bea..06fa307 100644
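--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -45,8 +45,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
 return 0;
 
 /* We don't decode anything unless we have a full chunk in the
- input buffer (on the other hand, the Python part of the driver
- makes sure this is always the case) */
+ input buffer */
 
 ptr = buf;
 
@@ -57,6 +56,10 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
 /* Make sure this is a frame chunk. The Python driver takes
 case of other chunk types. */
 
+ if (bytes < 8) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
 if (I16(ptr+4) != 0xF1FA) {
 state->errcode = IMAGING_CODEC_UNKNOWN;
 return -1;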
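Review bot: The `bytes < 8` guard added before `I16(ptr+4)` uses a bare constant whose coverage is not stated: the visible read needs only 6 bytes, so 8 presumably also covers a header field read after the hunk ends. A comment such as `/* the frame header fields read below occupy the first 8 bytes of the chunk */` would document that (confirm it against the field layout). If the code below the hunk advances `ptr` past a longer frame header, or subtracts that header's size from `bytes`, the bound should be the full header size, so that a short input cannot leave `bytes` negative or `ptr` past the buffer. The diffstat touches only FliDecode.c, so a regression test that feeds a truncated FLI frame and expects `IMAGING_CODEC_OVERRUN` is worth adding with this change. ImagingFliDecode's body starts before and continues after the hunk.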
--
2.27.0