From fe7b41b4381325a83707ea9bbd0062812dc8dfc2 Mon Sep 17 00:00:00 2001
From: wiredfool
Date: Thu, 29 Sep 2016 07:05:00 -0700
Subject: [PATCH] Map.c overflow fixes
---
 Tests/images/l2rgb_read.bmp | Bin 0 -> 57 bytes
 Tests/test_map.py | 25 +++++++++++++++++++++++++
 map.c | 10 ++++++++++
 3 files changed, 35 insertions(+)
 create mode 100644 Tests/images/l2rgb_read.bmp
 create mode 100644 Tests/test_map.py
diff --git a/Tests/images/l2rgb_read.bmp b/Tests/images/l2rgb_read.bmp
new file mode 100644
index 0000000000000000000000000000000000000000..838e3226b07aa7214876e6fed83681b61c743a68
GIT binary patch
literal 57
kcmZ?rHGqNt|LZjv7#M(D1_Ln70wlqFm SIZE_MAX bytes in the image or if
+ # the file encodes an offset that makes
+ # (offset + size(bytes)) > SIZE_MAX
+
+ # Note that this image triggers the decompression bomb warning:
+ max_pixels = Image.MAX_IMAGE_PIXELS
+ Image.MAX_IMAGE_PIXELS = None
+
+ # This image hits the offset test.
+ im = Image.open('Tests/images/l2rgb_read.bmp')
+ with self.assertRaises((ValueError, MemoryError)):
+ im.load()
+
+ Image.MAX_IMAGE_PIXELS = max_pixels
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/map.c b/map.c
index 7309a7bd735..3637ee86a0a 100644
--- a/map.c
+++ b/map.c
@@ -342,8 +342,18 @@ PyImaging_MapBuffer(PyObject* self, PyObject* args)
 stride = xsize * 4;
 }

+ if (ysize > INT_MAX / stride) {
+ PyErr_SetString(PyExc_MemoryError, "Integer overflow in ysize");
+ return NULL;
+ }
+
 size = (Py_ssize_t) ysize * stride;

+ if (offset > SIZE_MAX - size) {
+ PyErr_SetString(PyExc_MemoryError, "Integer overflow in offset");
+ return NULL;
+ }
+
 /* check buffer size */
 if (PyImaging_GetBuffer(target, &view) < 0)
 return NULL;
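Review bot: In the map.c hunk, the new guard `ysize > INT_MAX / stride` divides by `stride` without first checking that it is positive, and the context line `stride = xsize * 4` can yield 0 for a zero xsize or wrap for a large one, neither of which is rejected in the visible lines. The second guard compares against `SIZE_MAX` although `size` is a `Py_ssize_t`; if `offset` is signed as well (its declaration is outside the hunk), `offset + size` can still exceed `PY_SSIZE_T_MAX` without tripping it, and a negative offset is caught only through the implicit unsigned conversion. Bounding both by the signed type would close this: `if (stride <= 0 || ysize < 0 || ysize > PY_SSIZE_T_MAX / stride)` and `if (offset < 0 || offset > PY_SSIZE_T_MAX - size)`. PyImaging_MapBuffer starts and ends outside the hunk, so whether xsize, ysize and offset are already validated earlier in the function should be confirmed there.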