Skip to content

Commit

Permalink
Fix FLI DOS -- CVE-2021-28676
Browse files Browse the repository at this point in the history
* FliDecode did not properly check that the block advance was
  non-zero, potentally leading to an infinite loop on load.
* This dates to the PIL Fork
* Found with oss-fuzz
  • Loading branch information
wiredfool authored and hugovk committed Apr 1, 2021
1 parent 5a5e6db commit bb6c11f
Show file tree
Hide file tree
Showing 4 changed files with 20 additions and 0 deletions.
Binary file not shown.
Binary file not shown.
15 changes: 15 additions & 0 deletions Tests/test_file_fli.py
Original file line number Diff line number Diff line change
Expand Up @@ -123,3 +123,18 @@ def test_seek():
im.seek(50)

assert_image_equal_tofile(im, "Tests/images/a_fli.png")


@pytest.mark.parametrize(
"test_file",
[
"Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli",
"Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli",
],
)
@pytest.mark.timeout(timeout=3)
def test_timeouts(test_file):
with open(test_file, "rb") as f:
with Image.open(f) as im:
with pytest.raises(OSError):
im.load()
5 changes: 5 additions & 0 deletions src/libImaging/FliDecode.c
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t byt
return -1;
}
advance = I32(ptr);
if (advance == 0 ) {
// If there's no advance, we're in in infinite loop
state->errcode = IMAGING_CODEC_BROKEN;
return -1;
}
if (advance < 0 || advance > bytes) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
Expand Down

0 comments on commit bb6c11f

Please sign in to comment.