From 8b8076bdcb3815be0ef0d279651d8d1342b8ea61 Mon Sep 17 00:00:00 2001 From: Eric Soroos Date: Sat, 23 Jan 2021 11:36:50 +0100 Subject: [PATCH] Fix for CVE-2021-25291 * Invalid tile boundaries lead to OOB Read in TiffDecode.c, in TiffReadRGBATile * Check the tile validity before attempting to read. --- ...-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif | Bin 0 -> 3728 bytes Tests/test_tiff_crashes.py | 1 + src/libImaging/TiffDecode.c | 9 +++++++++ 3 files changed, 10 insertions(+) create mode 100644 Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif diff --git a/Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif b/Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif new file mode 100644 index 0000000000000000000000000000000000000000..b89203f75c40ec004e9a37d04caa7ba1c1aee085 GIT binary patch literal 3728 zcmeHJU1%It6h3!mvTpv`ByO`93yvFYX=!$6XE$kfZ6s;hz-p~OK@3R2jY-?2NmJ8> zjc-AP2=&E06@}uHeGrl2OCJPr5%*;&6!gLBQy&6aDB6cgtnB!mnR_Rb%_deNis%{c z+%sp+J^%OIo6GH|FcGy05;_TB5i&?foI*f6&~zi@d`bJ;NE4c2G&DFKTomp+EkD&% zRS4#a1W9_oo5*p9mZolzZVU*WwK7yrR4SMp=T=Ty)lAB&kO5R$#r&GYK_*?|`xePH z*pnxyT^Q8;;@JQPd+M%~rtFm~3oo6XDnJ20tO$>0+|^t=A?@SpZ=wo|B`E7!eCys} zRLc4uT#XoG*N8gHn)NX74}eF@8X`;7AMc}w%7WVHQ~C__t}@~c`p-M@0(43njUfI>%v;5I+IPT8rqk(1 z_GSk9?L&4dex1^;&>F}5&pMF_kbJg3LO3Fwo*94cJwBN|dp_0YzE3zr{&(MIxXXTG(aweFu2q5&b*1C%7uHE>JLu?kFs_56Tz<_i3PIox33E7 z2xMZtaF6FBsQ#gP&v84n(AH%!iEpAngTR-F1}cPhyoua``XdJCmfg{oDiyiuy~AqL zgNjQJoXWyhY>j4!W7D}7RP5S-tJoD#D7E?8&RL`6hEX8Dz!vXRQfKZ)KV0iBVAo`Q zlTbl^I@$C(@GaAV9r@-WXNjv0^$CACGr8P1&Z^`5x_XzZwHtlbNxN}8^SM)PM(eO_ zGZ{~&`z_l(VA@vFPFM#M$=;r1f7a^Drh82Zu_v3%L-P|Sv!h2w%!Sz*bi{d?kc;A< zZhCNdv%IQ3acmK>;39S}R~#bVF&!jNM=qDK;hCw?!u%AtaBjYkFQPTv-`T2)4g7xF zb7`!y(N}q!RdQb-8W9GjY2t*~u*|#id4ueNKQB4*}vc-xz#-kD*kV?d<*#3wb_Z21F_SE!ntfBQ7jhY#iT8}fqQFScctFg kya%~|*K6LjQtkNM{Ha7TlgT73J7L>BX!bqlU(XEu4zt$kbpQYW literal 0 HcmV?d00001 diff --git a/Tests/test_tiff_crashes.py b/Tests/test_tiff_crashes.py index 4e68c5c5526..ae4d0f1006e 100644 
--- a/Tests/test_tiff_crashes.py
+++ b/Tests/test_tiff_crashes.py
@@ -32,6 +32,7 @@
 "Tests/images/crash-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif",
 "Tests/images/crash-86214e58da443d2b80820cff9677a38a33dcbbca.tif",
 "Tests/images/crash-f46f5b2f43c370fe65706c11449f567ecc345e74.tif",
+ "Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif",
 ],
 )
 @pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")
diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
index 6cebe0bcab1..cd47158f39e 100644
--- a/src/libImaging/TiffDecode.c
+++ b/src/libImaging/TiffDecode.c
@@ -479,6 +479,15 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
 for (y = state->yoff; y < state->ysize; y += tile_length) {
 for (x = state->xoff; x < state->xsize; x += tile_width) {
+ /* Sanity Check. Apparently in some cases, the TiffReadRGBA* functions have a different view of the size of the tiff than we're getting from other functions. So, we need to check here. */
+ if (!TIFFCheckTile(tiff, x, y, 0, 0)) {
+ TRACE(("Check Tile Error, Tile at %dx%d\n", x, y));
+ state->errcode = IMAGING_CODEC_BROKEN;
+ goto decode_err;
+ }
 if (isYCbCr) {
 /* To avoid dealing with YCbCr subsampling, let libtiff handle it */
 if (!TIFFReadRGBATile(tiff, x, y, (UINT32 *)state->buffer)) {