python-pillow/CVE-2020-5311.patch

From be44f0d9923485f3ed3a7a9fd479cf8cf69d814a Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Wed, 1 Jan 2020 14:16:45 +1100
Subject: [PATCH] Catch SGI buffer overruns

---
 Tests/test_image.py                     |   2 ++
 src/libImaging/SgiRleDecode.c           |  23 +++++++++++++++++------
 4 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
index 70b0ec5..e9b2c0b 100644
--- a/src/libImaging/SgiRleDecode.c
+++ b/src/libImaging/SgiRleDecode.c
@@ -25,7 +25,7 @@ static void read4B(UINT32* dest, UINT8* buf)
     *dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
 }
 
-static int expandrow(UINT8* dest, UINT8* src, int n, int z)
+static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
 {
     UINT8 pixel, count;
 
@@ -37,6 +37,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
         count = pixel & RLE_MAX_RUN;
         if (!count)
             return count;
+        if (count > xsize){
+            return -1;
+        }
         if (pixel & RLE_COPY_FLAG) {
             while(count--) {
                 *dest = *src++;
@@ -56,7 +59,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
     return 0;
 }
 
-static int expandrow2(UINT8* dest, const UINT8* src, int n, int z)
+static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize)
 {
     UINT8 pixel, count;
 
@@ -70,6 +73,9 @@ static int expandrow2(UINT8* dest, const UINT8* src, int n, int z)
         count = pixel & RLE_MAX_RUN;
         if (!count)
             return count;
+        if (count > xsize){
+            return -1;
+        }
         if (pixel & RLE_COPY_FLAG) {
             while(count--) {
                 memcpy(dest, src, 2);
@@ -96,6 +102,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
     UINT8 *ptr;
     SGISTATE *c;
     int err = 0;
+    int status;
 
     /* Get all data from File descriptor */
     c = (SGISTATE*)state->context;
@@ -164,13 +171,17 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
 
             /* row decompression */
             if (c->bpc ==1) {
-                if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
-                    goto sgi_finish_decode;
+                status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
             }
             else {
-                if(expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands))
-                    goto sgi_finish_decode;
+                    status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
             }
+            if (status == -1) {
+                 state->errcode = IMAGING_CODEC_OVERRUN;
+                 return -1;
+             } else if (status == 1) {
+                 goto sgi_finish_decode;
+             }
 
             state->count += c->rlelength;
         }