Merge pull request #18 from ActiveState/BE-139-cve-2021-28676

BE-139-cve-2021-28676

CHANGES.rst

@@ -27,6 +27,10 @@ Changelog (Pillow)
   combination of \r and \n as line endings.
   [rickprice]
 
+- Fix CVE-2021-28676: FliDecode did not properly check that the block advance
+  was non-zero, potentally leading to an infinite loop on load.
+  [rickprice]
+
 6.2.2.4 (2023-03-29)
 ------------------
 

Tests/test_file_fli.py

@@ -46,7 +46,8 @@ def test_tell(self):
     def test_invalid_file(self):
         invalid_file = "Tests/images/flower.jpg"
 
-        self.assertRaises(SyntaxError, FliImagePlugin.FliImageFile, invalid_file)
+        self.assertRaises(
+            SyntaxError, FliImagePlugin.FliImageFile, invalid_file)
 
     def test_n_frames(self):
         im = Image.open(static_test_file)
@@ -96,3 +97,13 @@ def test_seek(self):
 
         expected = Image.open("Tests/images/a_fli.png")
         self.assert_image_equal(im, expected)
+
+    def test_timeouts(self):
+        for test_file in [
+            "Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli",
+            "Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli",
+        ]:
+            with open(test_file, "rb") as f:
+                with Image.open(f) as im:
+                    with self.assertRaises(OSError):
+                        im.load()

docs/releasenotes/6.2.2.5.rst

@@ -25,6 +25,9 @@ This release addresses several critical CVEs.
 
 :cve:`CVE-2020-10994`: In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
 
+:cve:`CVE-2021-28676``: FliDecode did not properly check that the block advance was non-zero,
+ potentally leading to an infinite loop on load.
+
 :cve:`CVE-2021-28677`: An issue was discovered in Pillow before 8.2.0. For EPS
                        data, the readline implementation used in EPSImageFile
                        has to deal with any combination of \r and \n as line