61 lines
2.7 KiB
Diff
61 lines
2.7 KiB
Diff
From 480f6819b592d7f07b9a9a52a7656c10bbe07442 Mon Sep 17 00:00:00 2001
|
|
From: Eric Soroos <eric-github@soroos.net>
|
|
Date: Wed, 24 Feb 2021 23:27:07 +0100
|
|
Subject: [PATCH] Fix Memory DOS in Icns, Ico and Blp Image Plugins
|
|
|
|
Some container plugins that could contain images of other formats,
|
|
such as the ICNS format, did not properly check the reported size of
|
|
the contained image. These images could cause arbitrariliy large
|
|
memory allocations.
|
|
|
|
This is fixed for all locations where individual *ImageFile classes
|
|
are created without going through the usual Image.open method.
|
|
---
|
|
|
|
src/PIL/BlpImagePlugin.py | 1 +
|
|
src/PIL/IcnsImagePlugin.py | 2 ++
|
|
src/PIL/IcoImagePlugin.py | 1 +
|
|
3 files changed, 4 insertions(+)
|
|
|
|
diff -Nuar Pillow-8.1.1-old/src/PIL/BlpImagePlugin.py Pillow-8.1.1/src/PIL/BlpImagePlugin.py
|
|
--- Pillow-8.1.1-old/src/PIL/BlpImagePlugin.py 2021-03-13 16:44:33.159000000 +0800
|
|
+++ Pillow-8.1.1/src/PIL/BlpImagePlugin.py 2021-03-13 16:51:52.803000000 +0800
|
|
@@ -353,6 +353,7 @@
|
|
data = jpeg_header + data
|
|
data = BytesIO(data)
|
|
image = JpegImageFile(data)
|
|
+ Image._decompression_bomb_check(image.size)
|
|
self.tile = image.tile # :/
|
|
self.fd = image.fp
|
|
self.mode = image.mode
|
|
diff -Nuar Pillow-8.1.1-old/src/PIL/IcnsImagePlugin.py Pillow-8.1.1/src/PIL/IcnsImagePlugin.py
|
|
--- Pillow-8.1.1-old/src/PIL/IcnsImagePlugin.py 2021-03-13 16:44:33.160000000 +0800
|
|
+++ Pillow-8.1.1/src/PIL/IcnsImagePlugin.py 2021-03-13 16:54:10.925000000 +0800
|
|
@@ -105,6 +105,7 @@
|
|
if sig[:8] == b"\x89PNG\x0d\x0a\x1a\x0a":
|
|
fobj.seek(start)
|
|
im = PngImagePlugin.PngImageFile(fobj)
|
|
+ Image._decompression_bomb_check(im.size)
|
|
return {"RGBA": im}
|
|
elif (
|
|
sig[:4] == b"\xff\x4f\xff\x51"
|
|
@@ -120,6 +121,7 @@
|
|
fobj.seek(start)
|
|
jp2kstream = fobj.read(length)
|
|
f = io.BytesIO(jp2kstream)
|
|
+ Image._decompression_bomb_check(im.size)
|
|
im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
|
|
if im.mode != "RGBA":
|
|
im = im.convert("RGBA")
|
|
diff -Nuar Pillow-8.1.1-old/src/PIL/IcoImagePlugin.py Pillow-8.1.1/src/PIL/IcoImagePlugin.py
|
|
--- Pillow-8.1.1-old/src/PIL/IcoImagePlugin.py 2021-03-13 16:44:33.160000000 +0800
|
|
+++ Pillow-8.1.1/src/PIL/IcoImagePlugin.py 2021-03-13 16:55:31.306000000 +0800
|
|
@@ -178,6 +178,7 @@
|
|
if data[:8] == PngImagePlugin._MAGIC:
|
|
# png frame
|
|
im = PngImagePlugin.PngImageFile(self.buf)
|
|
+ Image._decompression_bomb_check(im.size)
|
|
else:
|
|
# XOR + AND mask bmp frame
|
|
im = BmpImagePlugin.DibImageFile(self.buf)
|