python-pillow/Pillow
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Avoid overflow by not adding extents together

Browse Source
This commit is contained in:
Andrew Murray 2026-02-18 22:24:03 +11:00 committed by Hugo van Kemenade
parent d66a77223b
commit 4bada07dc6
4 changed files with 13 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Tests/images/psd-oob-write-overflow.psd Normal file
View File

Binary file not shown.

2
Tests/test_file_psd.py
View File

@ -195,11 +195,13 @@ def test_layer_crashes(test_file: str) -> None:
"Tests/images/psd-oob-write.psd",
"Tests/images/psd-oob-write-x.psd",
"Tests/images/psd-oob-write-y.psd",
"Tests/images/psd-oob-write-overflow.psd",
],
)
def test_bounds_crash(test_file: str) -> None:
with Image.open(test_file) as im:
assert isinstance(im, PsdImagePlugin.PsdImageFile)
im.load()
im.seek(im.n_frames)
with pytest.raises(ValueError):

13
src/decode.c
View File

@ -171,6 +171,12 @@ _setimage(ImagingDecoderObject *decoder, PyObject *args) {
return NULL;
}
if (x0 < 0 || y0 < 0 || x1 <= x0 || y1 <= y0 || x1 > (int)im->xsize ||
y1 > (int)im->ysize) {
PyErr_SetString(PyExc_ValueError, "tile cannot extend outside image");
return NULL;
}
decoder->im = im;
state = &decoder->state;
@ -181,13 +187,6 @@ _setimage(ImagingDecoderObject *decoder, PyObject *args) {
state->xsize = x1 - x0;
state->ysize = y1 - y0;
if (state->xoff < 0 || state->xsize <= 0 ||
state->xsize + state->xoff > (int)im->xsize || state->yoff < 0 ||
state->ysize <= 0 || state->ysize + state->yoff > (int)im->ysize) {
PyErr_SetString(PyExc_ValueError, "tile cannot extend outside image");
return NULL;
}
/* Allocate memory buffer (if bits field is set) */
if (state->bits > 0) {
if (!state->bytes) {

12
src/encode.c
View File

@ -244,6 +244,11 @@ _setimage(ImagingEncoderObject *encoder, PyObject *args) {
return NULL;
}
if (x0 < 0 || y0 < 0 || x1 <= x0 || y1 <= y0 || x1 > im->xsize || y1 > im->ysize) {
PyErr_SetString(PyExc_SystemError, "tile cannot extend outside image");
return NULL;
}
encoder->im = im;
state = &encoder->state;
@ -253,13 +258,6 @@ _setimage(ImagingEncoderObject *encoder, PyObject *args) {
state->xsize = x1 - x0;
state->ysize = y1 - y0;
if (state->xoff < 0 || state->xsize <= 0 ||
state->xsize + state->xoff > im->xsize || state->yoff < 0 ||
state->ysize <= 0 || state->ysize + state->yoff > im->ysize) {
PyErr_SetString(PyExc_SystemError, "tile cannot extend outside image");
return NULL;
}
/* Allocate memory buffer (if bits field is set) */
if (state->bits > 0) {
if (state->xsize > ((INT_MAX / state->bits) - 7)) {