Overview

File 005-Catch-PCX-P-mode-buffer-overrun.patch of Package python-Pillow

From 93b22b846e0269ee9594ff71a72bec02d2bea8fd Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sat, 21 Dec 2019 18:38:22 +1100
Subject: [PATCH] Catch PCX P mode buffer overrun

---
 Tests/test_image.py           |   7 ++++++-
 src/libImaging/PcxDecode.c    |   3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/Tests/test_image.py b/Tests/test_image.py
index cd7621e6b6..33657d56cf 100644
--- a/Tests/test_image.py
+++ b/Tests/test_image.py
@@ -535,7 +535,12 @@ def test_no_resource_warning_on_save(self):
             self.assert_warning(None, im.save, temp_file)
 
     def test_overrun(self):
-        for file in ["fli_overrun.bin", "sgi_overrun.bin", "pcx_overrun.bin"]:
+        for file in [
+            "fli_overrun.bin",
+            "sgi_overrun.bin",
+            "pcx_overrun.bin",
+            "pcx_overrun2.bin",
+        ]:
             im = Image.open(os.path.join("Tests/images", file))
             try:
                 im.load()
diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
index 67dcc1e085..9e9504ce5f 100644
--- a/src/libImaging/PcxDecode.c
+++ b/src/libImaging/PcxDecode.c
@@ -25,6 +25,9 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
     if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
         state->errcode = IMAGING_CODEC_OVERRUN;
         return -1;
+    } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
+        state->errcode = IMAGING_CODEC_OVERRUN;
+        return -1;
     }
 
     ptr = buf;
openSUSE Build Service is sponsored by
Places