|
 |
e773f2 |
From eaef29c3696cd021147e692360997f4c12377c60 Mon Sep 17 00:00:00 2001
|
|
|
e773f2 |
From: Lumir Balhar <lbalhar@redhat.com>
|
|
|
e773f2 |
Date: Mon, 14 Jun 2021 09:19:50 +0200
|
|
|
e773f2 |
Subject: [PATCH 2/5] CVE-2021-28678
|
|
|
e773f2 |
|
|
|
e773f2 |
---
|
|
|
e773f2 |
src/PIL/BlpImagePlugin.py | 43 +++++++++++++++++++++------------------
|
|
|
e773f2 |
1 file changed, 23 insertions(+), 20 deletions(-)
|
|
|
e773f2 |
|
|
|
e773f2 |
diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
|
|
|
e773f2 |
index d56d46c..846c83d 100644
|
|
|
e773f2 |
--- a/src/PIL/BlpImagePlugin.py
|
|
|
e773f2 |
+++ b/src/PIL/BlpImagePlugin.py
|
|
|
e773f2 |
@@ -294,33 +294,36 @@ class _BLPBaseDecoder(ImageFile.PyDecoder):
|
|
|
e773f2 |
raise IOError("Truncated Blp file")
|
|
|
e773f2 |
return 0, 0
|
|
|
e773f2 |
|
|
|
e773f2 |
+ def _safe_read(self, length):
|
|
|
e773f2 |
+ return ImageFile._safe_read(self.fd, length)
|
|
|
e773f2 |
+
|
|
|
e773f2 |
def _read_palette(self):
|
|
|
e773f2 |
ret = []
|
|
|
e773f2 |
for i in range(256):
|
|
|
e773f2 |
try:
|
|
|
e773f2 |
- b, g, r, a = struct.unpack("<4B", self.fd.read(4))
|
|
|
e773f2 |
+ b, g, r, a = struct.unpack("<4B", self._safe_read(4))
|
|
|
e773f2 |
except struct.error:
|
|
|
e773f2 |
break
|
|
|
e773f2 |
ret.append((b, g, r, a))
|
|
|
e773f2 |
return ret
|
|
|
e773f2 |
|
|
|
e773f2 |
def _read_blp_header(self):
|
|
|
e773f2 |
- self._blp_compression, = struct.unpack("
|
|
|
e773f2 |
+ self._blp_compression, = struct.unpack("
|
|
|
e773f2 |
|
|
|
e773f2 |
- self._blp_encoding, = struct.unpack("
|
|
|
e773f2 |
- self._blp_alpha_depth, = struct.unpack("
|
|
|
e773f2 |
- self._blp_alpha_encoding, = struct.unpack("
|
|
|
e773f2 |
- self._blp_mips, = struct.unpack("
|
|
|
e773f2 |
+ self._blp_encoding, = struct.unpack("
|
|
|
e773f2 |
+ self._blp_alpha_depth, = struct.unpack("
|
|
|
e773f2 |
+ self._blp_alpha_encoding, = struct.unpack("
|
|
|
e773f2 |
+ self._blp_mips, = struct.unpack("
|
|
|
e773f2 |
|
|
|
e773f2 |
- self.size = struct.unpack("
|
|
|
e773f2 |
+ self.size = struct.unpack("
|
|
|
e773f2 |
|
|
|
e773f2 |
if self.magic == b"BLP1":
|
|
|
e773f2 |
# Only present for BLP1
|
|
|
e773f2 |
- self._blp_encoding, = struct.unpack("
|
|
|
e773f2 |
- self._blp_subtype, = struct.unpack("
|
|
|
e773f2 |
+ self._blp_encoding, = struct.unpack("
|
|
|
e773f2 |
+ self._blp_subtype, = struct.unpack("
|
|
|
e773f2 |
|
|
|
e773f2 |
- self._blp_offsets = struct.unpack("<16I", self.fd.read(16 * 4))
|
|
|
e773f2 |
- self._blp_lengths = struct.unpack("<16I", self.fd.read(16 * 4))
|
|
|
e773f2 |
+ self._blp_offsets = struct.unpack("<16I", self._safe_read(16 * 4))
|
|
|
e773f2 |
+ self._blp_lengths = struct.unpack("<16I", self._safe_read(16 * 4))
|
|
|
e773f2 |
|
|
|
e773f2 |
|
|
|
e773f2 |
class BLP1Decoder(_BLPBaseDecoder):
|
|
|
e773f2 |
@@ -333,7 +336,7 @@ class BLP1Decoder(_BLPBaseDecoder):
|
|
|
e773f2 |
if self._blp_encoding in (4, 5):
|
|
|
e773f2 |
data = bytearray()
|
|
|
e773f2 |
palette = self._read_palette()
|
|
|
e773f2 |
- _data = BytesIO(self.fd.read(self._blp_lengths[0]))
|
|
|
e773f2 |
+ _data = BytesIO(self._safe_read(self._blp_lengths[0]))
|
|
|
e773f2 |
while True:
|
|
|
e773f2 |
try:
|
|
|
e773f2 |
offset, = struct.unpack("
|
|
|
e773f2 |
@@ -355,10 +358,10 @@ class BLP1Decoder(_BLPBaseDecoder):
|
|
|
e773f2 |
def _decode_jpeg_stream(self):
|
|
|
e773f2 |
from PIL.JpegImagePlugin import JpegImageFile
|
|
|
e773f2 |
|
|
|
e773f2 |
- jpeg_header_size, = struct.unpack("
|
|
|
e773f2 |
- jpeg_header = self.fd.read(jpeg_header_size)
|
|
|
e773f2 |
- self.fd.read(self._blp_offsets[0] - self.fd.tell()) # What IS this?
|
|
|
e773f2 |
- data = self.fd.read(self._blp_lengths[0])
|
|
|
e773f2 |
+ jpeg_header_size, = struct.unpack("
|
|
|
e773f2 |
+ jpeg_header = self._safe_read(jpeg_header_size)
|
|
|
e773f2 |
+ self._safe_read(self._blp_offsets[0] - self.fd.tell()) # What IS this?
|
|
|
e773f2 |
+ data = self._safe_read(self._blp_lengths[0])
|
|
|
e773f2 |
data = jpeg_header + data
|
|
|
e773f2 |
data = BytesIO(data)
|
|
|
e773f2 |
image = JpegImageFile(data)
|
|
|
e773f2 |
@@ -380,7 +383,7 @@ class BLP2Decoder(_BLPBaseDecoder):
|
|
|
e773f2 |
# Uncompressed or DirectX compression
|
|
|
e773f2 |
|
|
|
e773f2 |
if self._blp_encoding == BLP_ENCODING_UNCOMPRESSED:
|
|
|
e773f2 |
- _data = BytesIO(self.fd.read(self._blp_lengths[0]))
|
|
|
e773f2 |
+ _data = BytesIO(self._safe_read(self._blp_lengths[0]))
|
|
|
e773f2 |
while True:
|
|
|
e773f2 |
try:
|
|
|
e773f2 |
offset, = struct.unpack("
|
|
|
e773f2 |
@@ -394,7 +397,7 @@ class BLP2Decoder(_BLPBaseDecoder):
|
|
|
e773f2 |
linesize = (self.size[0] + 3) // 4 * 8
|
|
|
e773f2 |
for yb in range((self.size[1] + 3) // 4):
|
|
|
e773f2 |
for d in decode_dxt1(
|
|
|
e773f2 |
- self.fd.read(linesize),
|
|
|
e773f2 |
+ self._safe_read(linesize),
|
|
|
e773f2 |
alpha=bool(self._blp_alpha_depth)
|
|
|
e773f2 |
):
|
|
|
e773f2 |
data += d
|
|
|
e773f2 |
@@ -402,13 +405,13 @@ class BLP2Decoder(_BLPBaseDecoder):
|
|
|
e773f2 |
elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT3:
|
|
|
e773f2 |
linesize = (self.size[0] + 3) // 4 * 16
|
|
|
e773f2 |
for yb in range((self.size[1] + 3) // 4):
|
|
|
e773f2 |
- for d in decode_dxt3(self.fd.read(linesize)):
|
|
|
e773f2 |
+ for d in decode_dxt3(self._safe_read(linesize)):
|
|
|
e773f2 |
data += d
|
|
|
e773f2 |
|
|
|
e773f2 |
elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT5:
|
|
|
e773f2 |
linesize = (self.size[0] + 3) // 4 * 16
|
|
|
e773f2 |
for yb in range((self.size[1] + 3) // 4):
|
|
|
e773f2 |
- for d in decode_dxt5(self.fd.read(linesize)):
|
|
|
e773f2 |
+ for d in decode_dxt5(self._safe_read(linesize)):
|
|
|
e773f2 |
data += d
|
|
|
e773f2 |
else:
|
|
|
e773f2 |
raise BLPFormatError("Unsupported alpha encoding %r" % (
|
|
|
e773f2 |
--
|
|
|
e773f2 |
2.31.1
|
|
|
e773f2 |
|