Overview

File 021-CVE-2021-28676.patch of Package python-Pillow

From bb6c11fb889e6c11b0ee122b828132ee763b5856 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Thu, 11 Mar 2021 22:12:35 +0100
Subject: [PATCH] Fix FLI DOS -- CVE-2021-28676

* FliDecode did not properly check that the block advance was
  non-zero, potentally leading to an infinite loop on load.
* This dates to the PIL Fork
* Found with oss-fuzz
---
 ...-9139147ce93e20eb14088fe238e541443ffd64b3.fli | Bin 0 -> 200 bytes
 ...-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli | Bin 0 -> 159 bytes
 Tests/test_file_fli.py                           |  15 +++++++++++++++
 libImaging/FliDecode.c                       |   5 +++++
 4 files changed, 20 insertions(+)
 create mode 100644 Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli
 create mode 100644 Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli

diff --git a/Tests/test_file_fli.py b/Tests/test_file_fli.py
index 0d9748a95db..1c1abf2b175 100644
--- a/Tests/test_file_fli.py
+++ b/Tests/test_file_fli.py
@@ -79,6 +79,18 @@ def test_seek():
         expected = Image.open("Tests/images/a_fli.png")
         self.assert_image_equal(im, expected)
 
+    # @pytest.mark.timeout(timeout=3) # not available in unittest
+    def test_timeouts(self):
+        test_files = [
+            "Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli",
+            "Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli",
+        ]
+        for test_file in test_files:
+            with open(test_file, "rb") as f:
+                with Image.open(f) as im:
+                    with self.assertRaises(IOError):
+                        im.load()
+
 
 if __name__ == '__main__':
     unittest.main()
diff --git a/libImaging/FliDecode.c b/libImaging/FliDecode.c
index e9000fc99e1..35a6ccccc8b 100644
--- a/libImaging/FliDecode.c
+++ b/libImaging/FliDecode.c
@@ -232,6 +232,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t byt
 	    return -1;
 	}
 	advance = I32(ptr);
+	if (advance == 0 ) {
+	    // If there's no advance, we're in in infinite loop
+	    state->errcode = IMAGING_CODEC_BROKEN;
+	    return -1;
+	}
 	if (advance < 0 || advance > bytes) {
 	    state->errcode = IMAGING_CODEC_OVERRUN;
 	    return -1;
openSUSE Build Service is sponsored by
Places