From 480f6819b592d7f07b9a9a52a7656c10bbe07442 Mon Sep 17 00:00:00 2001
From: Eric Soroos
Date: Wed, 24 Feb 2021 23:27:07 +0100
Subject: [PATCH] Fix Memory DOS in Icns, Ico and Blp Image Plugins

Some container plugins that could contain images of other formats, such as the ICNS format, did not properly check the reported size of the contained image. These images could cause arbitrariliy large memory allocations. This is fixed for all locations where individual *ImageFile classes are created without going through the usual Image.open method.
---
 src/PIL/BlpImagePlugin.py | 1 +
 src/PIL/IcnsImagePlugin.py | 2 ++
 src/PIL/IcoImagePlugin.py | 1 +
 3 files changed, 4 insertions(+)
diff -Nuar Pillow-8.1.1-old/src/PIL/BlpImagePlugin.py Pillow-8.1.1/src/PIL/BlpImagePlugin.py
--- Pillow-8.1.1-old/src/PIL/BlpImagePlugin.py 2021-03-13 16:44:33.159000000 +0800
+++ Pillow-8.1.1/src/PIL/BlpImagePlugin.py 2021-03-13 16:51:52.803000000 +0800
@@ -353,6 +353,7 @@
 data = jpeg_header + data
 data = BytesIO(data)
 image = JpegImageFile(data)
+ Image._decompression_bomb_check(image.size)
 self.tile = image.tile # :/
 self.fd = image.fp
 self.mode = image.mode
diff -Nuar Pillow-8.1.1-old/src/PIL/IcnsImagePlugin.py Pillow-8.1.1/src/PIL/IcnsImagePlugin.py
--- Pillow-8.1.1-old/src/PIL/IcnsImagePlugin.py 2021-03-13 16:44:33.160000000 +0800
+++ Pillow-8.1.1/src/PIL/IcnsImagePlugin.py 2021-03-13 16:54:10.925000000 +0800
@@ -105,6 +105,7 @@
 if sig[:8] == b"\x89PNG\x0d\x0a\x1a\x0a":
 fobj.seek(start)
 im = PngImagePlugin.PngImageFile(fobj)
+ Image._decompression_bomb_check(im.size)
 return {"RGBA": im}
 elif (
 sig[:4] == b"\xff\x4f\xff\x51"
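Review bot: The added `Image._decompression_bomb_check(image.size)` after `JpegImageFile(data)` has no comment saying why a private helper is called at this spot, and the same holds for the PNG branches in the IcnsImagePlugin.py and IcoImagePlugin.py hunks. Per the commit message, these plugins build the embedded ImageFile directly instead of going through Image.open, so the usual size check never runs. A one-line comment such as `# embedded image is built directly, not via Image.open(), so its reported size must be checked here` would keep a later refactor from dropping the call. The helper enforces `Image.MAX_IMAGE_PIXELS`, so applications that set that limit to `None` get no protection from this change. The enclosing method starts and ends outside the hunk.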
@@ -120,6 +121,7 @@
 fobj.seek(start)
 jp2kstream = fobj.read(length)
 f = io.BytesIO(jp2kstream)
+ Image._decompression_bomb_check(im.size)
 im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
 if im.mode != "RGBA":
 im = im.convert("RGBA")
diff -Nuar Pillow-8.1.1-old/src/PIL/IcoImagePlugin.py Pillow-8.1.1/src/PIL/IcoImagePlugin.py
--- Pillow-8.1.1-old/src/PIL/IcoImagePlugin.py 2021-03-13 16:44:33.160000000 +0800
+++ Pillow-8.1.1/src/PIL/IcoImagePlugin.py 2021-03-13 16:55:31.306000000 +0800
@@ -178,6 +178,7 @@
 if data[:8] == PngImagePlugin._MAGIC:
 # png frame
 im = PngImagePlugin.PngImageFile(self.buf)
+ Image._decompression_bomb_check(im.size)
 else:
 # XOR + AND mask bmp frame
 im = BmpImagePlugin.DibImageFile(self.buf)
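Review bot: In the JPEG 2000 branch the added `Image._decompression_bomb_check(im.size)` sits before `im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)`, so it reads `im` before this branch assigns it. Nothing in the visible lines assigns `im` earlier on this path (the PNG branch in the previous hunk returns), so this most likely raises UnboundLocalError for every JPEG 2000 icon, and the embedded image's reported size is never actually checked. Swap the two lines so the order is `im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)` followed by `Image._decompression_bomb_check(im.size)`. The function begins above the hunk, so confirm there is no earlier assignment. A regression test that loads a JPEG 2000 ICNS file would catch this ordering mistake.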
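Review bot: The `else:` branch also constructs `BmpImagePlugin.DibImageFile(self.buf)` directly, but only the PNG branch receives the size check, so a BMP-style frame that reports an oversized image is not covered by the visible lines. The commit message says every directly constructed ImageFile is fixed, so add `Image._decompression_bomb_check(im.size)` right after the `DibImageFile` line as well. The branch continues past the end of the hunk, so verify that no later code already validates the frame size before adding it.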