
From e25be1e33dc526bfd1094bc778a54d8e29bf66c9 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Fri, 8 Jan 2021 18:45:42 +0100
Subject: [PATCH] Fix negative size read in TiffDecode.c

* Caught by oss-fuzz runs
* CVE-2021-25290
---
 ...-0c7e0e8e11ce787078f00b5b0ca409a167f070e0.tif | Bin 0 -> 2529 bytes
 ...-1185209cf7655b5aed8ae5e77784dfdd18ab59e9.tif | Bin 0 -> 1931 bytes
 ...-338516dbd2f0e83caddb8ce256c22db3bd6dc40f.tif | Bin 0 -> 4682 bytes
 ...-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif | Bin 0 -> 4050 bytes
 ...-86214e58da443d2b80820cff9677a38a33dcbbca.tif | Bin 0 -> 286 bytes
 ...-f46f5b2f43c370fe65706c11449f567ecc345e74.tif | Bin 0 -> 1844 bytes
 Tests/test_tiff_crashes.py                       |   8 +++++++-
 libImaging/TiffDecode.c                      |   4 ++++
 8 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 Tests/images/crash-0c7e0e8e11ce787078f00b5b0ca409a167f070e0.tif
 create mode 100644 Tests/images/crash-1185209cf7655b5aed8ae5e77784dfdd18ab59e9.tif
 create mode 100644 Tests/images/crash-338516dbd2f0e83caddb8ce256c22db3bd6dc40f.tif
 create mode 100644 Tests/images/crash-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif
 create mode 100644 Tests/images/crash-86214e58da443d2b80820cff9677a38a33dcbbca.tif
 create mode 100644 Tests/images/crash-f46f5b2f43c370fe65706c11449f567ecc345e74.tif

diff --git a/Tests/test_tiff_crashes.py b/Tests/test_tiff_crashes.py
index eb25334669..4e68c5c552 100644
--- a/Tests/test_tiff_crashes.py
+++ b/Tests/test_tiff_crashes.py
@@ -41,6 +41,21 @@ class TestTiffCrashes(PillowTestCase):
 #    def test_crash_2(self):
 #        self._test("Tests/images/crash_2.tif")
 
+    def test_crash_0c7e0e8e11ce787078f00b5b0ca409a167f070e0(self):
+        self._test("Tests/images/crash-0c7e0e8e11ce787078f00b5b0ca409a167f070e0.tif")
+
+    def test_crash_1185209cf7655b5aed8ae5e77784dfdd18ab59e9(self):
+        self._test("Tests/images/crash-1185209cf7655b5aed8ae5e77784dfdd18ab59e9.tif")
+
+    def test_crash_338516dbd2f0e83caddb8ce256c22db3bd6dc40f(self):
+        self._test("Tests/images/crash-338516dbd2f0e83caddb8ce256c22db3bd6dc40f.tif")
+
+    def test_crash_4f085cc12ece8cde18758d42608bed6a2a2cfb1c(self):
+        self._test("Tests/images/crash-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif")
+
+    def test_crash_f46f5b2f43c370fe65706c11449f567ecc345e74(self):
+        self._test("Tests/images/crash-f46f5b2f43c370fe65706c11449f567ecc345e74.tif")
+
 
 if __name__ == '__main__':
     unittest.main()
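Review bot: The diffstat lists six new crash reproducers, but the hunk adds tests for only five of them — `crash-86214e58da443d2b80820cff9677a38a33dcbbca.tif` is created per the stat block yet has no corresponding `test_crash_*` method, so that input is not exercised by this file unless it is covered elsewhere. Adding the missing pair keeps the regression suite in step with the fixtures: `def test_crash_86214e58da443d2b80820cff9677a38a33dcbbca(self):` followed by `self._test("Tests/images/crash-86214e58da443d2b80820cff9677a38a33dcbbca.tif")`. The diffstat also reports 7 insertions and 1 deletion for this file while the hunk shows 15 insertions and no deletions, which suggests the stat block was carried over from a differently shaped upstream commit rather than regenerated for this backport. The enclosing TestTiffCrashes class begins outside the hunk.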
diff --git a/libImaging/TiffDecode.c b/libImaging/TiffDecode.c
index f0e2582863..6cebe0bcab 100644
--- a/libImaging/TiffDecode.c
+++ b/libImaging/TiffDecode.c
@@ -36,6 +36,10 @@ tsize_t _tiffReadProc(thandle_t hdata, tdata_t buf, tsize_t size) {
 	TRACE(("_tiffReadProc: %d \n", (int)size));
 	dump_state(state);
 
+	if (state->loc > state->eof) {
+		TIFFError("_tiffReadProc", "Invalid Read at loc %d, eof: %d", state->loc, state->eof);
+		return 0;
+	}
 	to_read = min(size, min(state->size, (tsize_t)state->eof) - (tsize_t)state->loc);
 	TRACE(("to_read: %d\n", (int)to_read));
 
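Review bot: The new TIFFError call formats `state->loc` and `state->eof` with `%d` but passes the fields uncast, while the context line right below casts both to `tsize_t` and the TRACE above casts `size` to `(int)` — which suggests these fields are not plain ints and the varargs would be read at the wrong width. Casting to match the file's existing TRACE convention keeps the message well-defined: `TIFFError("_tiffReadProc", "Invalid Read at loc %d, eof: %d", (int)state->loc, (int)state->eof);` (or a fixed-width format if the fields are 64-bit). The guard only rejects `loc > eof`; since `to_read` is still derived from `min(state->size, eof) - loc`, a `state->size` smaller than `loc` would presumably still yield a negative `to_read`, so it is worth confirming that `eof <= size` always holds or widening the check to cover `state->size` as well. Returning 0 on the error path reads as end-of-file to the caller, which is the conservative choice. The rest of _tiffReadProc, including the code that consumes `to_read`, lies outside the hunk.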