
Commit bb6c11f

wiredfoolhugovk
authored andcommitted
Fix FLI DOS -- CVE-2021-28676
* FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. * This dates to the PIL Fork * Found with oss-fuzz
1 parent 5a5e6db commit bb6c11f

4 files changed

+20
-0
lines changed
Binary file not shown.
Binary file not shown.

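--- a/Tests/test_file_fli.py
+++ b/Tests/test_file_fli.py
@@ -123,3 +123,18 @@ def test_seek():
 im.seek(50)
 
 assert_image_equal_tofile(im, "Tests/images/a_fli.png")
+
+
+@pytest.mark.parametrize(
+"test_file",
+[
+"Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli",
+"Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli",
+],
+)
+@pytest.mark.timeout(timeout=3)
+def test_timeouts(test_file):
+with open(test_file, "rb") as f:
+with Image.open(f) as im:
+with pytest.raises(OSError):
+im.load()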
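Review bot: `@pytest.mark.timeout(timeout=3)` on the new test_timeouts relies on the pytest-timeout plugin; if that plugin is absent, pytest only warns about an unknown mark (or errors under --strict-markers) and a regression of the decoder fix would hang the test run instead of failing it. Presumably the project's test requirements already pull the plugin in, but that is not visible from this section, so it is worth confirming. A one-line docstring stating the intent would also help a future reader, e.g. `"""Truncated/looping FLI files must raise OSError instead of spinning forever (CVE-2021-28676)."""`.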

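--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -243,6 +243,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t byt
 return -1;
 }
 advance = I32(ptr);
+if (advance == 0 ) {
+// If there's no advance, we're in in infinite loop
+state->errcode = IMAGING_CODEC_BROKEN;
+return -1;
+}
 if (advance < 0 || advance > bytes) {
 state->errcode = IMAGING_CODEC_OVERRUN;
 return -1;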