|
 |
50a37d |
From 697957b79a9473f0f643051265885fb048395127 Mon Sep 17 00:00:00 2001
|
|
|
50a37d |
From: Lumir Balhar <lbalhar@redhat.com>
|
|
|
50a37d |
Date: Wed, 4 Mar 2020 10:54:54 +0100
|
|
|
50a37d |
Subject: [PATCH] CVE-2020-5313
|
|
|
50a37d |
|
|
|
50a37d |
---
|
|
|
50a37d |
src/libImaging/FliDecode.c | 8 ++++++--
|
|
|
50a37d |
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
|
50a37d |
|
|
|
50a37d |
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
|
|
|
50a37d |
index a99aca8..72ba138 100644
|
|
|
50a37d |
--- a/src/libImaging/FliDecode.c
|
|
|
50a37d |
+++ b/src/libImaging/FliDecode.c
|
|
|
50a37d |
@@ -40,8 +40,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
|
|
50a37d |
return 0;
|
|
|
50a37d |
|
|
|
50a37d |
/* We don't decode anything unless we have a full chunk in the
|
|
|
50a37d |
- input buffer (on the other hand, the Python part of the driver
|
|
|
50a37d |
- makes sure this is always the case) */
|
|
|
50a37d |
+ input buffer */
|
|
|
50a37d |
|
|
|
50a37d |
ptr = buf;
|
|
|
50a37d |
|
|
|
50a37d |
@@ -52,6 +51,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
|
|
50a37d |
/* Make sure this is a frame chunk. The Python driver takes
|
|
|
50a37d |
case of other chunk types. */
|
|
|
50a37d |
|
|
|
50a37d |
+ if (bytes < 8) {
|
|
|
50a37d |
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
|
|
50a37d |
+ return -1;
|
|
|
50a37d |
+ }
|
|
|
50a37d |
+
|
|
|
50a37d |
if (I16(ptr+4) != 0xF1FA) {
|
|
|
50a37d |
state->errcode = IMAGING_CODEC_UNKNOWN;
|
|
|
50a37d |
return -1;
|
|
|
50a37d |
--
|
|
|
50a37d |
2.24.1
|
|
|
50a37d |
|