|
 |
f5c1c7 |
From 1dd0fb64bd3cc221b5877ece4ce2f300245b638f Mon Sep 17 00:00:00 2001
|
|
|
f5c1c7 |
From: Lumir Balhar <lbalhar@redhat.com>
|
|
|
f5c1c7 |
Date: Mon, 17 Feb 2020 14:19:32 +0100
|
|
|
f5c1c7 |
Subject: [PATCH] CVE-2020-5311
|
|
|
f5c1c7 |
|
|
|
f5c1c7 |
---
|
|
|
f5c1c7 |
src/libImaging/SgiRleDecode.c | 23 +++++++++++++++++------
|
|
|
f5c1c7 |
1 file changed, 17 insertions(+), 6 deletions(-)
|
|
|
f5c1c7 |
|
|
|
f5c1c7 |
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
|
|
f5c1c7 |
index 39e7b3a..6367ae7 100644
|
|
|
f5c1c7 |
--- a/src/libImaging/SgiRleDecode.c
|
|
|
f5c1c7 |
+++ b/src/libImaging/SgiRleDecode.c
|
|
|
f5c1c7 |
@@ -25,7 +25,7 @@ static void read4B(UINT32* dest, UINT8* buf)
|
|
|
f5c1c7 |
*dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
|
|
|
f5c1c7 |
}
|
|
|
f5c1c7 |
|
|
|
f5c1c7 |
-static int expandrow(UINT8* dest, UINT8* src, int n, int z)
|
|
|
f5c1c7 |
+static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
|
|
f5c1c7 |
{
|
|
|
f5c1c7 |
UINT8 pixel, count;
|
|
|
f5c1c7 |
|
|
|
f5c1c7 |
@@ -37,6 +37,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
|
|
|
f5c1c7 |
count = pixel & RLE_MAX_RUN;
|
|
|
f5c1c7 |
if (!count)
|
|
|
f5c1c7 |
return count;
|
|
|
f5c1c7 |
+ if (count > xsize) {
|
|
|
f5c1c7 |
+ return -1;
|
|
|
f5c1c7 |
+ }
|
|
|
f5c1c7 |
if (pixel & RLE_COPY_FLAG) {
|
|
|
f5c1c7 |
while(count--) {
|
|
|
f5c1c7 |
*dest = *src++;
|
|
|
f5c1c7 |
@@ -56,7 +59,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
|
|
|
f5c1c7 |
return 0;
|
|
|
f5c1c7 |
}
|
|
|
f5c1c7 |
|
|
|
f5c1c7 |
-static int expandrow2(UINT16* dest, UINT16* src, int n, int z)
|
|
|
f5c1c7 |
+static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
|
|
f5c1c7 |
{
|
|
|
f5c1c7 |
UINT8 pixel, count;
|
|
|
f5c1c7 |
|
|
|
f5c1c7 |
@@ -70,6 +73,9 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z)
|
|
|
f5c1c7 |
count = pixel & RLE_MAX_RUN;
|
|
|
f5c1c7 |
if (!count)
|
|
|
f5c1c7 |
return count;
|
|
|
f5c1c7 |
+ if (count > xsize) {
|
|
|
f5c1c7 |
+ return -1;
|
|
|
f5c1c7 |
+ }
|
|
|
f5c1c7 |
if (pixel & RLE_COPY_FLAG) {
|
|
|
f5c1c7 |
while(count--) {
|
|
|
f5c1c7 |
*dest = *src++;
|
|
|
f5c1c7 |
@@ -95,6 +101,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
|
f5c1c7 |
UINT8 *ptr;
|
|
|
f5c1c7 |
SGISTATE *c;
|
|
|
f5c1c7 |
int err = 0;
|
|
|
f5c1c7 |
+ int status;
|
|
|
f5c1c7 |
|
|
|
f5c1c7 |
/* Get all data from File descriptor */
|
|
|
f5c1c7 |
c = (SGISTATE*)state->context;
|
|
|
f5c1c7 |
@@ -163,12 +170,16 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
|
|
f5c1c7 |
|
|
|
f5c1c7 |
/* row decompression */
|
|
|
f5c1c7 |
if (c->bpc ==1) {
|
|
|
f5c1c7 |
- if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
|
|
|
f5c1c7 |
- goto sgi_finish_decode;
|
|
|
f5c1c7 |
+ status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
|
|
|
f5c1c7 |
}
|
|
|
f5c1c7 |
else {
|
|
|
f5c1c7 |
- if(expandrow2((UINT16*)&state->buffer[c->channo * 2], (UINT16*)&ptr[c->rleoffset], c->rlelength, im->bands))
|
|
|
f5c1c7 |
- goto sgi_finish_decode;
|
|
|
f5c1c7 |
+ status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
|
|
|
f5c1c7 |
+ }
|
|
|
f5c1c7 |
+ if (status == -1) {
|
|
|
f5c1c7 |
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
|
|
f5c1c7 |
+ return -1;
|
|
|
f5c1c7 |
+ } else if (status == 1) {
|
|
|
f5c1c7 |
+ goto sgi_finish_decode;
|
|
|
f5c1c7 |
}
|
|
|
f5c1c7 |
|
|
|
f5c1c7 |
state->count += c->rlelength;
|
|
|
f5c1c7 |
--
|
|
|
f5c1c7 |
2.24.1
|
|
|
f5c1c7 |
|