Corrected negative seeks

radarhere · radarhere · commit 87c43b66a5ff · 2019-09-30T18:31:18.000+10:00
diff --git a/Tests/images/combined_larger_than_size.psd b/Tests/images/combined_larger_than_size.psd
diff --git a/Tests/images/raw_negative_stride.bin b/Tests/images/raw_negative_stride.bin
diff --git a/Tests/test_file_psd.py b/Tests/test_file_psd.py
@@ -87,3 +87,12 @@ def test_no_icc_profile(self):
         im = Image.open("Tests/images/hopper_merged.psd")
 
         self.assertNotIn("icc_profile", im.info)
+
+    def test_combined_larger_than_size(self):
+        # The 'combined' sizes of the individual parts is larger than the
+        # declared 'size' of the extra data field, resulting in a backwards seek.
+
+        # If we instead take the 'size' of the extra data field as the source of truth,
+        # then the seek can't be negative
+        with self.assertRaises(IOError):
+            Image.open("Tests/images/combined_larger_than_size.psd")
diff --git a/Tests/test_imagefile.py b/Tests/test_imagefile.py
@@ -103,6 +103,14 @@ def test_raise_typeerror(self):
             parser = ImageFile.Parser()
             parser.feed(1)
 
+    def test_negative_stride(self):
+        with open("Tests/images/raw_negative_stride.bin", "rb") as f:
+            input = f.read()
+        p = ImageFile.Parser()
+        p.feed(input)
+        with self.assertRaises(IOError):
+            p.close()
+
     def test_truncated_with_errors(self):
         if "zip_encoder" not in codecs:
             self.skipTest("PNG (zlib) encoder not available")
diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py
@@ -224,9 +224,11 @@ def _layerinfo(file):
         # skip over blend flags and extra information
         read(12)  # filler
         name = ""
-        size = i32(read(4))
+        size = i32(read(4))  # length of the extra data field
         combined = 0
         if size:
+            data_end = file.tell() + size
+
             length = i32(read(4))
             if length:
                 file.seek(length - 16, io.SEEK_CUR)
@@ -244,7 +246,7 @@ def _layerinfo(file):
                 name = read(length).decode("latin-1", "replace")
             combined += length + 1
 
-        file.seek(size - combined, io.SEEK_CUR)
+            file.seek(data_end)
         layers.append((name, mode, (x0, y0, x1, y1)))
 
     # get tiles
diff --git a/src/libImaging/RawDecode.c b/src/libImaging/RawDecode.c
@@ -33,8 +33,15 @@ ImagingRawDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
 
 	/* get size of image data and padding */
 	state->bytes = (state->xsize * state->bits + 7) / 8;
-	rawstate->skip = (rawstate->stride) ?
-	    rawstate->stride - state->bytes : 0;
+	if (rawstate->stride) {
+	    rawstate->skip = rawstate->stride - state->bytes;
+	    if (rawstate->skip < 0) {
+	        state->errcode = IMAGING_CODEC_CONFIG;
+	        return -1;
+	    }
+	} else {
+	    rawstate->skip = 0;
+	}
 
 	/* check image orientation */
 	if (state->ystep < 0) {
