From f91c78960495efa04c7f12eeb916158d4bfbabc4 Mon Sep 17 00:00:00 2001

From: Lumir Balhar <lbalhar@redhat.com>

Date: Mon, 13 Jul 2020 15:40:11 +0200

Subject: [PATCH] CVE-2020-11538

---

 src/libImaging/SgiRleDecode.c | 8 ++++++--

 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c

index 6367ae7..eb8fc84 100644

--- a/src/libImaging/SgiRleDecode.c

+++ b/src/libImaging/SgiRleDecode.c

@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf)

 static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)

 {

     UINT8 pixel, count;

+    int x = 0;

     for (;n > 0; n--)

     {

@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)

         count = pixel & RLE_MAX_RUN;

         if (!count)

             return count;

-        if (count > xsize) {

+        if (x + count > xsize) {

             return -1;

         }

+        x += count;

         if (pixel & RLE_COPY_FLAG) {

             while(count--) {

                 *dest = *src++;

@@ -63,6 +65,7 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)

 {

     UINT8 pixel, count;

+    int x = 0;

     for (;n > 0; n--)

     {

@@ -73,9 +76,10 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)

         count = pixel & RLE_MAX_RUN;

         if (!count)

             return count;

-        if (count > xsize) {

+        if (x + count > xsize) {

             return -1;

         }

+        x += count;

         if (pixel & RLE_COPY_FLAG) {

             while(count--) {

                 *dest = *src++;

-- 

2.26.2