From d96945b7c8e4287fb5dc3330ee0ba980642eae87 Mon Sep 17 00:00:00 2001 From: Eric Soroos Date: Sat, 26 Dec 2020 19:07:16 +0100 Subject: [PATCH 1/2] Fix Out of bounds read when saving GIF of xsize=1 --- Tests/test_file_gif.py | 8 ++++---- src/libImaging/GifEncode.c | 7 +++++++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/Tests/test_file_gif.py b/Tests/test_file_gif.py index 90943ac8f69..198e1b16277 100644 --- a/Tests/test_file_gif.py +++ b/Tests/test_file_gif.py @@ -74,10 +74,10 @@ def test_bilevel(optimize): im.save(test_file, "GIF", optimize=optimize) return len(test_file.getvalue()) - assert test_grayscale(0) == 800 - assert test_grayscale(1) == 44 - assert test_bilevel(0) == 800 - assert test_bilevel(1) == 800 + assert test_grayscale(0) == 799 + assert test_grayscale(1) == 43 + assert test_bilevel(0) == 799 + assert test_bilevel(1) == 799 def test_optimize_correctness(): diff --git a/src/libImaging/GifEncode.c b/src/libImaging/GifEncode.c index e9c6c314918..9f22add2431 100644 --- a/src/libImaging/GifEncode.c +++ b/src/libImaging/GifEncode.c @@ -233,6 +233,13 @@ ImagingGifEncode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) } } + /* Potential special case for xsize==1 */ + if (state->x < state->xsize) { + this = state->buffer[state->x++]; + } else { + EMIT_RUN(label0); + break; + } this = state->buffer[state->x++]; From 250e42f7f864401b87a378771e4b2fa0d6cccafe Mon Sep 17 00:00:00 2001 From: Eric Soroos Date: Wed, 30 Dec 2020 11:07:58 +0100 Subject: [PATCH 2/2] Bad Rebase --- src/libImaging/GifEncode.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/libImaging/GifEncode.c b/src/libImaging/GifEncode.c index 9f22add2431..a0fef993320 100644 --- a/src/libImaging/GifEncode.c +++ b/src/libImaging/GifEncode.c @@ -241,8 +241,6 @@ ImagingGifEncode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) break; } - this = state->buffer[state->x++]; - if (this == context->last) { context->count++; } else {