Fix 6-byte OOB read in FliDecode

python-pillow · Sep 2, 2021 · 94a0cf1 · 94a0cf1
1 parent cece64f
commit 94a0cf1
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
@@ -223,8 +223,15 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t byt
                 break;
             case 16:
                 /* COPY chunk */
-                if (state->xsize > bytes / state->ysize) {
+                if (INT32_MAX / state->xsize < state->ysize) {
+                    /* Integer overflow, bail */
+                    state->errcode = IMAGING_CODEC_OVERRUN;
+                    return -1;
+                }
+                /* Note, have to check Data + size, not just ptr + size) */
+                if (data + (state->xsize * state->ysize) > ptr + bytes) {
                     /* not enough data for frame */
+                    /* UNDONE Unclear that we're actually going to leave the buffer at the right place. */
                     return ptr - buf; /* bytes consumed */
                 }
                 for (y = 0; y < state->ysize; y++) {