Merge pull request python-pillow#2 from ActiveState/jeremyp/cve-2020-…

…11538 CVE-2020-11538: fix SGI-RLE buffer overflow
GerHobbelt · Oct 12, 2021 · d22b387 · d22b387
2 parents 18200ae + eb81417
commit d22b387
Show file tree

Hide file tree

Showing 8 changed files with 43 additions and 3 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -2,6 +2,14 @@
 Changelog (Pillow)
 ==================
 
+6.2.2.1 (2021-10-08)
+------------------
+
+- This is the first Pillow release to support Python 2.7 from ActiveState
+
+- Catch SGI out-of-bounds reads. CVE 2020-11538
+  [ucodery]
+
 6.2.2 (2020-01-02)
 ------------------
 

diff --git a/Tests/images/sgi_crash.bin b/Tests/images/sgi_crash.bin
diff --git a/Tests/images/sgi_overrun_expandrowF04.bin b/Tests/images/sgi_overrun_expandrowF04.bin
diff --git a/Tests/test_sgi_crash.py b/Tests/test_sgi_crash.py
@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+import pytest
+from PIL import Image
+
+
+def test_crashes():
+    with open("Tests/images/sgi_crash.bin", "rb") as f:
+        im = Image.open(f)
+        with pytest.raises(IOError):
+            im.load()
+
+
+def test_overrun_crashes():
+    with open("Tests/images/sgi_overrun_expandrowF04.bin", "rb") as f:
+        im = Image.open(f)
+        with pytest.raises(IOError):
+            im.load()
diff --git a/docs/releasenotes/6.2.2.1.rst b/docs/releasenotes/6.2.2.1.rst
@@ -0,0 +1,10 @@
+6.2.2.1
+-------
+
+Security
+========
+
+This release addresses CVE-2020-11538.
+
+CVE-2019-11538 is regarding SGI images. An out-of-bounds read can occur in the
+parsing of SGI image files.
diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst
@@ -6,6 +6,7 @@ Release Notes
 .. toctree::
   :maxdepth: 2
 
+  6.2.2.1
   6.2.2
   6.2.1
   6.2.0

diff --git a/src/PIL/_version.py b/src/PIL/_version.py
@@ -1,2 +1,2 @@
 # Master version for Pillow
-__version__ = "6.2.2"
+__version__ = "6.2.2.1"
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf)
 static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
 {
     UINT8 pixel, count;
+    int x = 0;
 
     for (;n > 0; n--)
     {
@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
         count = pixel & RLE_MAX_RUN;
         if (!count)
             return count;
-        if (count > xsize) {
+        if (x + count > xsize) {
             return -1;
         }
+        x += count;
         if (pixel & RLE_COPY_FLAG) {
             while(count--) {
                 *dest = *src++;
@@ -62,6 +64,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
 static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize)
 {
     UINT8 pixel, count;
+    int x = 0;
 
 
     for (;n > 0; n--)
@@ -73,9 +76,10 @@ static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize)
         count = pixel & RLE_MAX_RUN;
         if (!count)
             return count;
-        if (count > xsize) {
+        if (x + count > xsize) {
             return -1;
         }
+        x += count;
         if (pixel & RLE_COPY_FLAG) {
             while(count--) {
                 memcpy(dest, src, 2);