From: Markus Koschany <apo@debian.org>
Date: Sun, 21 Feb 2016 15:56:11 +0100
Subject: CVE-2016-0775
Fix buffer overflow in FliDecode.c.
Origin: https://github.com/python-pillow/Pillow/commit/bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec
Debian-Bug: https://bugs.debian.org/813909
---
Tests/check_fli_overflow.py | 16 ++++++++++++++++
libImaging/FliDecode.c | 2 +-
2 files changed, 17 insertions(+), 1 deletion(-)
create mode 100644 Tests/check_fli_overflow.py
diff --git a/Tests/check_fli_overflow.py b/Tests/check_fli_overflow.py
new file mode 100644
index 0000000..d89a827
--- /dev/null
+++ b/Tests/check_fli_overflow.py
@@ -0,0 +1,16 @@
+from helper import unittest, PillowTestCase
+from PIL import Image
+
+TEST_FILE = "Tests/images/fli_overflow.fli"
+
+
+class TestFliOverflow(PillowTestCase):
+ def test_fli_overflow(self):
+
+ # this should not crash with a malloc error or access violation
+ im = Image.open(TEST_FILE)
+ im.load()
+
+
+if __name__ == '__main__':
+ unittest.main()
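Review bot: `TEST_FILE` points at `Tests/images/fli_overflow.fli`, but the diffstat lists only two files and the sample image is not part of this patch, so unless it is shipped some other way `Image.open(TEST_FILE)` fails on a missing file instead of exercising the decoder. The test also asserts nothing and relies on the process crashing; a small out-of-bounds write does not always crash, so a regression can pass unnoticed unless the test runs under a memory checker. I would add a comment such as `# regression for CVE-2016-0775: run under valgrind/ASan; a clean exit alone does not prove the copy stayed in bounds`. Since the file is named `check_*` rather than `test_*`, it is also worth confirming that the package's test run actually collects it.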
diff --git a/libImaging/FliDecode.c b/libImaging/FliDecode.c
index 75eebe8..6d22c6c 100644
--- a/libImaging/FliDecode.c
+++ b/libImaging/FliDecode.c
@@ -185,7 +185,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
/* COPY chunk */
for (y = 0; y < state->ysize; y++) {
UINT8* buf = (UINT8*) im->image[y];
- memcpy(buf+x, data, state->xsize);
+ memcpy(buf, data, state->xsize);
data += state->xsize;
}
break;
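Review bot: The COPY loop still reads `state->xsize` bytes from `data` for each of `state->ysize` rows, and no check is visible in this hunk that the chunk actually holds that many bytes, so a truncated chunk may read past the input even though the write-side offset is now fixed. Before the loop I would compare the bytes left in the chunk with the full frame size and fail cleanly, along the lines of `if (remaining < (long)state->xsize * state->ysize) { state->errcode = IMAGING_CODEC_OVERRUN; return -1; }`, where `remaining` is a placeholder for whatever length the enclosing code tracks. Separately, the inner `UINT8* buf` shadows the `buf` parameter shown in the hunk header; renaming it (for example to `out`) would make it obvious which buffer is the destination. The function body starts and ends outside the hunk, so an existing length check may simply be out of view.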