From 2e2244d195c4fe8b2550afa1add46c0ad2402830 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Wed, 4 Mar 2020 08:55:10 +0100
Subject: [PATCH] CVE-2020-5313
---
 python-imaging-Pillow-d1c6db8/libImaging/FliDecode.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/python-imaging-Pillow-d1c6db8/libImaging/FliDecode.c b/python-imaging-Pillow-d1c6db8/libImaging/FliDecode.c
cdbee0
index 940171f..5004d39 100644
cdbee0
--- a/python-imaging-Pillow-d1c6db8/libImaging/FliDecode.c
cdbee0
+++ b/python-imaging-Pillow-d1c6db8/libImaging/FliDecode.c
cdbee0
@@ -40,8 +40,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
cdbee0
 	return 0;
cdbee0
 
cdbee0
     /* We don't decode anything unless we have a full chunk in the
cdbee0
-       input buffer (on the other hand, the Python part of the driver
cdbee0
-       makes sure this is always the case) */
cdbee0
+       input buffer */
cdbee0
 
cdbee0
     ptr = buf;
cdbee0
 
cdbee0
@@ -52,6 +51,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
cdbee0
     /* Make sure this is a frame chunk.  The Python driver takes
cdbee0
        case of other chunk types. */
cdbee0
 
cdbee0
+    if (bytes < 8) {
cdbee0
+        state->errcode = IMAGING_CODEC_OVERRUN;
cdbee0
+        return -1;
cdbee0
+    }
cdbee0
+
cdbee0
     if (I16(ptr+4) != 0xF1FA) {
cdbee0
 	state->errcode = IMAGING_CODEC_UNKNOWN;
cdbee0
 	return -1;
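Review bot: The added `bytes < 8` guard only proves that the fixed header fields at offsets 0 to 7 are inside the buffer. It does not enforce the "full chunk in the input buffer" precondition that the first hunk's comment still states after dropping the assurance that the Python driver guarantees it. The lines between the two hunks and the rest of ImagingFliDecode are outside this patch, so it cannot be confirmed from here that the size declared at the start of the chunk is compared against `bytes`. If it is not, every later read that advances `ptr` needs its own bound against the remaining length. The guard also sits between the "Make sure this is a frame chunk" comment and the magic test that comment describes, so it should carry its own comment, for example `/* header fields at ptr+4..ptr+7 must lie inside the buffer */`. Finally, confirm that reporting a short buffer as `IMAGING_CODEC_OVERRUN` with `-1` is intended, given that the context line at the top of the first hunk returns `0` on an early exit.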
-- 
2.24.1