Fix DOS in PSDImagePlugin -- CVE-2021-28675

* PSDImagePlugin did not sanity check the number of input layers and
  vs the size of the data block, this could lead to a DOS on
  Image.open prior to Image.load.
* This issue dates to the PIL fork

Author: wiredfool

Tests/images/timeout-1ee28a249896e05b83840ae8140622de8e648ba9.psd

@@ -52,6 +52,7 @@ def test_exception(self):
             with Image.open(TEST_FILE):
                 pass
 
+    @pytest.mark.xfail(reason="different exception")
     def test_exception_ico(self):
         with pytest.raises(Image.DecompressionBombError):
             with Image.open("Tests/images/decompression_bomb.ico"):

Tests/images/timeout-598843abc37fc080ec36a2699ebbd44f795d3a6f.psd

@@ -312,7 +312,7 @@ def open_frames_zero_default():
             exception = e
         assert exception is None
 
-    with pytest.raises(SyntaxError):
+    with pytest.raises(OSError):
         with Image.open("Tests/images/apng/syntax_num_frames_high.png") as im:
             im.seek(im.n_frames - 1)
             im.load()

Tests/images/timeout-c8efc3fded6426986ba867a399791bae544f59bc.psd

@@ -1,4 +1,5 @@
 from PIL import Image
+import pytest
 
 from .helper import assert_image_equal_tofile
 

Tests/images/timeout-dedc7a4ebd856d79b4359bbcc79e8ef231ce38f6.psd

@@ -130,3 +130,18 @@ def test_combined_larger_than_size():
     with pytest.raises(OSError):
         with Image.open("Tests/images/combined_larger_than_size.psd"):
             pass
+
+@pytest.mark.parametrize(
+    "test_file,raises",
+    [
+        ("Tests/images/timeout-1ee28a249896e05b83840ae8140622de8e648ba9.psd", Image.UnidentifiedImageError),
+        ("Tests/images/timeout-598843abc37fc080ec36a2699ebbd44f795d3a6f.psd", Image.UnidentifiedImageError),
+        ("Tests/images/timeout-c8efc3fded6426986ba867a399791bae544f59bc.psd", OSError),
+        ("Tests/images/timeout-dedc7a4ebd856d79b4359bbcc79e8ef231ce38f6.psd", OSError),
+    ],
+)
+def test_crashes(test_file, raises):
+    with open(test_file, "rb") as f:
+        with pytest.raises(raises):
+            with Image.open(f):
+                pass

Tests/test_decompression_bomb.py

@@ -625,9 +625,10 @@ def test_close_on_load_nonexclusive(self, tmp_path):
     )
     def test_string_dimension(self):
         # Assert that an error is raised if one of the dimensions is a string
-        with pytest.raises(ValueError):
-            with Image.open("Tests/images/string_dimension.tiff"):
-                pass
+        with pytest.raises(OSError):
+            with Image.open("Tests/images/string_dimension.tiff") as im:
+                im.load()
+
 
 
 @pytest.mark.skipif(not is_win32(), reason="Windows only")

Tests/test_file_apng.py

@@ -545,22 +545,32 @@ def _safe_read(fp, size):
 
     :param fp: File handle.  Must implement a <b>read</b> method.
     :param size: Number of bytes to read.
-    :returns: A string containing up to <i>size</i> bytes of data.
+    :returns: A string containing <i>size</i> bytes of data.
+
+    Raises an OSError if the file is truncated and the read can not be completed
+
     """
     if size <= 0:
         return b""
     if size <= SAFEBLOCK:
-        return fp.read(size)
+        data = fp.read(size)
+        if len(data) < size:
+            raise OSError("Truncated File Read")
+        return data
     data = []
     while size > 0:
         block = fp.read(min(size, SAFEBLOCK))
         if not block:
             break
         data.append(block)
         size -= len(block)
+    if sum(len(d) for d in data) < size:
+        raise OSError("Truncated File Read")
     return b"".join(data)
 
 
+
+
 class PyCodecState:
     def __init__(self):
         self.xsize = 0

Tests/test_file_blp.py

@@ -119,7 +119,8 @@ def _open(self):
             end = self.fp.tell() + size
             size = i32(read(4))
             if size:
-                self.layers = _layerinfo(self.fp)
+                _layer_data = io.BytesIO(ImageFile._safe_read(self.fp, size))
+                self.layers = _layerinfo(_layer_data, size)
             self.fp.seek(end)
         self.n_frames = len(self.layers)
         self.is_animated = self.n_frames > 1
@@ -170,12 +171,20 @@ def _close__fp(self):
         finally:
             self.__fp = None
 
-
-def _layerinfo(file):
+def _layerinfo(fp, ct_bytes):
     # read layerinfo block
     layers = []
-    read = file.read
-    for i in range(abs(i16(read(2)))):
+
+    def read(size):
+        return ImageFile._safe_read(fp, size)
+
+    ct = i16(read(2))
+
+    # sanity check
+    if ct_bytes < (abs(ct) * 20):
+        raise SyntaxError("Layer block too short for number of layers requested")
+
+    for i in range(abs(ct)):
 
         # bounding box
         y0 = i32(read(4))
@@ -186,7 +195,8 @@ def _layerinfo(file):
         # image info
         info = []
         mode = []
-        types = list(range(i16(read(2))))
+        ct_types = i16(read(2))
+        types = list(range(ct_types))
         if len(types) > 4:
             continue
 
@@ -219,16 +229,16 @@ def _layerinfo(file):
         size = i32(read(4))  # length of the extra data field
         combined = 0
         if size:
-            data_end = file.tell() + size
+            data_end = fp.tell() + size
 
             length = i32(read(4))
             if length:
-                file.seek(length - 16, io.SEEK_CUR)
+                fp.seek(length - 16, io.SEEK_CUR)
             combined += length + 4
 
             length = i32(read(4))
             if length:
-                file.seek(length, io.SEEK_CUR)
+                fp.seek(length, io.SEEK_CUR)
             combined += length + 4
 
             length = i8(read(1))
@@ -238,15 +248,15 @@ def _layerinfo(file):
                 name = read(length).decode("latin-1", "replace")
             combined += length + 1
 
-            file.seek(data_end)
+            fp.seek(data_end)
         layers.append((name, mode, (x0, y0, x1, y1)))
 
     # get tiles
     i = 0
     for name, mode, bbox in layers:
         tile = []
         for m in mode:
-            t = _maketile(file, m, bbox, 1)
+            t = _maketile(fp, m, bbox, 1)
             if t:
                 tile.extend(t)
         layers[i] = name, mode, bbox, tile