From 357fef8b4bd076e3a15e7ffc58a475626794c7e3 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Fri, 9 Apr 2021 19:41:58 +0200 Subject: [PATCH 4/4] CVE-2021-27921_27922_27923 --- src/PIL/BlpImagePlugin.py | 1 + src/PIL/IcnsImagePlugin.py | 2 ++ src/PIL/IcoImagePlugin.py | 1 + 3 files changed, 4 insertions(+) diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py index ec358db..d56d46c 100644 --- a/src/PIL/BlpImagePlugin.py +++ b/src/PIL/BlpImagePlugin.py @@ -362,6 +362,7 @@ class BLP1Decoder(_BLPBaseDecoder): data = jpeg_header + data data = BytesIO(data) image = JpegImageFile(data) + Image._decompression_bomb_check(image.size) self.tile = image.tile # :/ self.fd = image.fp self.mode = image.mode diff --git a/src/PIL/IcnsImagePlugin.py b/src/PIL/IcnsImagePlugin.py index b382a73..2292584 100644 --- a/src/PIL/IcnsImagePlugin.py +++ b/src/PIL/IcnsImagePlugin.py @@ -110,6 +110,7 @@ def read_png_or_jpeg2000(fobj, start_length, size): if sig[:8] == b'\x89PNG\x0d\x0a\x1a\x0a': fobj.seek(start) im = PngImagePlugin.PngImageFile(fobj) + Image._decompression_bomb_check(im.size) return {"RGBA": im} elif sig[:4] == b'\xff\x4f\xff\x51' \ or sig[:4] == b'\x0d\x0a\x87\x0a' \ @@ -122,6 +123,7 @@ def read_png_or_jpeg2000(fobj, start_length, size): jp2kstream = fobj.read(length) f = io.BytesIO(jp2kstream) im = Jpeg2KImagePlugin.Jpeg2KImageFile(f) + Image._decompression_bomb_check(im.size) if im.mode != 'RGBA': im = im.convert('RGBA') return {"RGBA": im} diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py index 2b6d1e0..30412ad 100644 --- a/src/PIL/IcoImagePlugin.py +++ b/src/PIL/IcoImagePlugin.py @@ -164,6 +164,7 @@ class IcoFile(object): if data[:8] == PngImagePlugin._MAGIC: # png frame im = PngImagePlugin.PngImageFile(self.buf) + Image._decompression_bomb_check(im.size) else: # XOR + AND mask bmp frame im = BmpImagePlugin.DibImageFile(self.buf) -- 2.30.2