Package: pillow / 8.1.2+dfsg-0.3

CVE-2021-28678.patch Patch series | download
From 496245aa4365d0827390bd0b6fbd11287453b3a1 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Sun, 7 Mar 2021 19:00:17 +0100
Subject: [PATCH] Fix BLP DOS -- CVE-2021-28678

* BlpImagePlugin did not properly check that reads after jumping to
  file offsets returned data. This could lead to a DOS where the
  decoder could be run a large number of times on empty data
* This dates to Pillow 5.1.0

diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
index 88aae80eb96..e07474621d9 100644
--- a/src/PIL/BlpImagePlugin.py
+++ b/src/PIL/BlpImagePlugin.py
@@ -286,33 +286,36 @@ def decode(self, buffer):
             raise OSError("Truncated Blp file") from e
         return 0, 0
 
+    def _safe_read(self, length):
+        return ImageFile._safe_read(self.fd, length)
+
     def _read_palette(self):
         ret = []
         for i in range(256):
             try:
-                b, g, r, a = struct.unpack("<4B", self.fd.read(4))
+                b, g, r, a = struct.unpack("<4B", self._safe_read(4))
             except struct.error:
                 break
             ret.append((b, g, r, a))
         return ret
 
     def _read_blp_header(self):
-        (self._blp_compression,) = struct.unpack("<i", self.fd.read(4))
+        (self._blp_compression,) = struct.unpack("<i", self._safe_read(4))
 
-        (self._blp_encoding,) = struct.unpack("<b", self.fd.read(1))
-        (self._blp_alpha_depth,) = struct.unpack("<b", self.fd.read(1))
-        (self._blp_alpha_encoding,) = struct.unpack("<b", self.fd.read(1))
-        (self._blp_mips,) = struct.unpack("<b", self.fd.read(1))
+        (self._blp_encoding,) = struct.unpack("<b", self._safe_read(1))
+        (self._blp_alpha_depth,) = struct.unpack("<b", self._safe_read(1))
+        (self._blp_alpha_encoding,) = struct.unpack("<b", self._safe_read(1))
+        (self._blp_mips,) = struct.unpack("<b", self._safe_read(1))
 
-        self.size = struct.unpack("<II", self.fd.read(8))
+        self.size = struct.unpack("<II", self._safe_read(8))
 
         if self.magic == b"BLP1":
             # Only present for BLP1
-            (self._blp_encoding,) = struct.unpack("<i", self.fd.read(4))
-            (self._blp_subtype,) = struct.unpack("<i", self.fd.read(4))
+            (self._blp_encoding,) = struct.unpack("<i", self._safe_read(4))
+            (self._blp_subtype,) = struct.unpack("<i", self._safe_read(4))
 
-        self._blp_offsets = struct.unpack("<16I", self.fd.read(16 * 4))
-        self._blp_lengths = struct.unpack("<16I", self.fd.read(16 * 4))
+        self._blp_offsets = struct.unpack("<16I", self._safe_read(16 * 4))
+        self._blp_lengths = struct.unpack("<16I", self._safe_read(16 * 4))
 
 
 class BLP1Decoder(_BLPBaseDecoder):
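Review bot: The new `_safe_read` wrapper at the top of this hunk has no docstring, and the whole fix rests on how `ImageFile._safe_read` treats a short read, which this patch does not show. If that helper returns fewer bytes rather than raising, the header `struct.unpack` calls fail with `struct.error` instead of `OSError`, and the DXT row loops in the last hunk would still run once per row on empty data. If it raises `OSError`, the `except struct.error: break` in `_read_palette` no longer handles a truncated palette, so that behaviour change should be deliberate. I would add a docstring such as `"""Read exactly length bytes from self.fd; a short read must raise OSError (relies on ImageFile._safe_read)."""` and confirm that the `ImageFile._safe_read` shipped in this package version raises on truncation.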
@@ -324,7 +327,7 @@ def _load(self):
             if self._blp_encoding in (4, 5):
                 data = bytearray()
                 palette = self._read_palette()
-                _data = BytesIO(self.fd.read(self._blp_lengths[0]))
+                _data = BytesIO(self._safe_read(self._blp_lengths[0]))
                 while True:
                     try:
                         (offset,) = struct.unpack("<B", _data.read(1))
@@ -346,10 +349,10 @@ def _load(self):
     def _decode_jpeg_stream(self):
         from PIL.JpegImagePlugin import JpegImageFile
 
-        (jpeg_header_size,) = struct.unpack("<I", self.fd.read(4))
-        jpeg_header = self.fd.read(jpeg_header_size)
-        self.fd.read(self._blp_offsets[0] - self.fd.tell())  # What IS this?
-        data = self.fd.read(self._blp_lengths[0])
+        (jpeg_header_size,) = struct.unpack("<I", self._safe_read(4))
+        jpeg_header = self._safe_read(jpeg_header_size)
+        self._safe_read(self._blp_offsets[0] - self.fd.tell())  # What IS this?
+        data = self._safe_read(self._blp_lengths[0])
         data = jpeg_header + data
         data = BytesIO(data)
         image = JpegImageFile(data)
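Review bot: The skip length `self._blp_offsets[0] - self.fd.tell()` is computed from a file-supplied offset and passed to `_safe_read` unchecked, so an offset that lies before the current position produces a negative length whose handling is left entirely to the helper. I would make the check explicit with `skip = self._blp_offsets[0] - self.fd.tell()` followed by `if skip < 0: raise BLPFormatError("Invalid mipmap offset")`, after confirming that no valid BLP1 file depends on the old behaviour. The carried-over `# What IS this?` comment should be replaced by one saying that the read appears to discard the bytes between the JPEG header and the first data offset. `jpeg_header_size` is also an unvalidated 32-bit value from the file, so the size of that read is bounded only by whatever `_safe_read` enforces.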
@@ -370,7 +373,7 @@ def _load(self):
             # Uncompressed or DirectX compression
 
             if self._blp_encoding == BLP_ENCODING_UNCOMPRESSED:
-                _data = BytesIO(self.fd.read(self._blp_lengths[0]))
+                _data = BytesIO(self._safe_read(self._blp_lengths[0]))
                 while True:
                     try:
                         (offset,) = struct.unpack("<B", _data.read(1))
@@ -384,20 +387,20 @@ def _load(self):
                     linesize = (self.size[0] + 3) // 4 * 8
                     for yb in range((self.size[1] + 3) // 4):
                         for d in decode_dxt1(
-                            self.fd.read(linesize), alpha=bool(self._blp_alpha_depth)
+                            self._safe_read(linesize), alpha=bool(self._blp_alpha_depth)
                         ):
                             data += d
 
                 elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT3:
                     linesize = (self.size[0] + 3) // 4 * 16
                     for yb in range((self.size[1] + 3) // 4):
-                        for d in decode_dxt3(self.fd.read(linesize)):
+                        for d in decode_dxt3(self._safe_read(linesize)):
                             data += d
 
                 elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT5:
                     linesize = (self.size[0] + 3) // 4 * 16
                     for yb in range((self.size[1] + 3) // 4):
-                        for d in decode_dxt5(self.fd.read(linesize)):
+                        for d in decode_dxt5(self._safe_read(linesize)):
                             data += d
                 else:
                     raise BLPFormatError(