From 357fef8b4bd076e3a15e7ffc58a475626794c7e3 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Fri, 9 Apr 2021 19:41:58 +0200
Subject: [PATCH 4/4] CVE-2021-27921_27922_27923
---
src/PIL/BlpImagePlugin.py | 1 +
src/PIL/IcnsImagePlugin.py | 2 ++
src/PIL/IcoImagePlugin.py | 1 +
3 files changed, 4 insertions(+)
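diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
index ec358db..d56d46c 100644
--- a/src/PIL/BlpImagePlugin.py
+++ b/src/PIL/BlpImagePlugin.py
@@ -362,6 +362,7 @@ class BLP1Decoder(_BLPBaseDecoder):
 data = jpeg_header + data
 data = BytesIO(data)
 image = JpegImageFile(data)
+Image._decompression_bomb_check(image.size)
 self.tile = image.tile # :/
 self.fd = image.fp
 self.mode = image.mode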
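Review bot: The new `Image._decompression_bomb_check(image.size)` call carries no comment saying why a second size check is needed at this point, and the reason is not obvious from the surrounding decoder lines. I would put `# The embedded JPEG declares its own dimensions; check those as well as the BLP header size.` directly above it. The check is also a no-op for applications that set `Image.MAX_IMAGE_PIXELS = None`, which is worth stating wherever this CVE fix is announced to users of the package. The enclosing BLP1Decoder method starts before and continues after the hunk.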
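diff --git a/src/PIL/IcnsImagePlugin.py b/src/PIL/IcnsImagePlugin.py
index b382a73..2292584 100644
--- a/src/PIL/IcnsImagePlugin.py
+++ b/src/PIL/IcnsImagePlugin.py
@@ -110,6 +110,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
 if sig[:8] == b'\x89PNG\x0d\x0a\x1a\x0a':
 fobj.seek(start)
 im = PngImagePlugin.PngImageFile(fobj)
+Image._decompression_bomb_check(im.size)
 return {"RGBA": im}
 elif sig[:4] == b'\xff\x4f\xff\x51' \
 or sig[:4] == b'\x0d\x0a\x87\x0a' \
@@ -122,6 +123,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
 jp2kstream = fobj.read(length)
 f = io.BytesIO(jp2kstream)
 im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
+Image._decompression_bomb_check(im.size)
 if im.mode != 'RGBA':
 im = im.convert('RGBA')
 return {"RGBA": im}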
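Review bot: Neither of the two checks added to `read_png_or_jpeg2000` (the PNG branch and the JPEG 2000 branch) comes with a regression test; the diffstat lists only the three `src/PIL` files. A small test per container format that opens a file whose embedded image declares more pixels than `Image.MAX_IMAGE_PIXELS` allows, and asserts that the bomb check fires, would keep these guards from being dropped silently in a later rebase of the patch set. The same gap applies to the BLP and ICO changes in this patch. The function body starts before and continues after both hunks.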
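diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
index 2b6d1e0..30412ad 100644
--- a/src/PIL/IcoImagePlugin.py
+++ b/src/PIL/IcoImagePlugin.py
@@ -164,6 +164,7 @@ class IcoFile(object):
 if data[:8] == PngImagePlugin._MAGIC:
 # png frame
 im = PngImagePlugin.PngImageFile(self.buf)
+Image._decompression_bomb_check(im.size)
 else:
 # XOR + AND mask bmp frame
 im = BmpImagePlugin.DibImageFile(self.buf)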
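Review bot: The `else` branch at the end of the hunk opens the frame with `BmpImagePlugin.DibImageFile(self.buf)` and gets no size check, while the PNG branch above it now does; the diffstat confirms that only one line was added to this file. A DIB frame also declares its own width and height, so unless that size is bounded somewhere outside the hunk, the oversized-allocation problem this patch addresses stays reachable through BMP-style icon frames. I would add `Image._decompression_bomb_check(im.size)` directly after the `DibImageFile` line as well. The hunk ends at that line, so whether a check follows later in the method cannot be seen from here.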
--
2.30.2