Skip to content

Commit cbfdde7

Browse files
wiredfoolradarhere
wiredfool
authored and
radarhere
committed
Incorrect error code checking in TiffDecode.c
* since Pillow 8.1.0 * CVE-2021-25289
1 parent 2ba5eb1 commit cbfdde7

4 files changed

+3
-1
lines changed

Tests/images/crash-0e16d3bfb83be87356d026d66919deaefca44dac.tif

4.46 KB
Binary file not shown.

Tests/images/crash-1152ec2d1a1a71395b6f2ce6721c38924d025bf3.tif

4.12 KB
Binary file not shown.

Tests/test_tiff_crashes.py

+2
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,8 @@
2424
"Tests/images/crash_1.tif",
2525
"Tests/images/crash_2.tif",
2626
"Tests/images/crash-2020-10-test.tif",
27+
"Tests/images/crash-1152ec2d1a1a71395b6f2ce6721c38924d025bf3.tif",
28+
"Tests/images/crash-0e16d3bfb83be87356d026d66919deaefca44dac.tif",
2729
],
2830
)
2931
@pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")

src/libImaging/TiffDecode.c

+1-1
Original file line numberDiff line numberDiff line change
@@ -250,7 +250,7 @@ int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) {
250250
img.row_offset = state->y;
251251
rows_to_read = min(rows_per_strip, img.height - state->y);
252252

253-
if (TIFFRGBAImageGet(&img, (UINT32 *)state->buffer, img.width, rows_to_read) == -1) {
253+
if (!TIFFRGBAImageGet(&img, (UINT32 *)state->buffer, img.width, rows_to_read)) {
254254
TRACE(("Decode Error, y: %d\n", state->y ));
255255
state->errcode = IMAGING_CODEC_BROKEN;
256256
goto decodeycbcr_err;

0 commit comments

Comments
 (0)