Skip to content

Commit

Permalink
Merge pull request #4506 from hugovk/fix_pcx
Browse files Browse the repository at this point in the history
Fix bounds overflow in PCX decoding
  • Loading branch information
hugovk authored Apr 1, 2020
2 parents 9650ac4 + ada137e commit f260acc
Show file tree
Hide file tree
Showing 3 changed files with 5 additions and 4 deletions.
Binary file added Tests/images/01r_00.pcx
Binary file not shown.
4 changes: 4 additions & 0 deletions Tests/test_image.py
Original file line number Diff line number Diff line change
Expand Up @@ -638,13 +638,17 @@ def test_pillow_version(self, test_module):
assert test_module.PILLOW_VERSION > "7.0.0"

def test_overrun(self):
""" For overrun completeness, test as:
valgrind pytest -qq Tests/test_image.py::TestImage::test_overrun | grep decode.c
"""
for file in [
"fli_overrun.bin",
"sgi_overrun.bin",
"sgi_overrun_expandrow.bin",
"sgi_overrun_expandrow2.bin",
"pcx_overrun.bin",
"pcx_overrun2.bin",
"01r_00.pcx",
]:
with Image.open(os.path.join("Tests/images", file)) as im:
try:
Expand Down
5 changes: 1 addition & 4 deletions src/libImaging/PcxDecode.c
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,7 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
UINT8 n;
UINT8* ptr;

if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
} else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
if ((state->xsize * state->bits + 7) / 8 > state->bytes) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
}
Expand Down

0 comments on commit f260acc

Please sign in to comment.