From 886fcbe3d6b71c890e115318ec1829d630aae5ed Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Wed, 4 May 2022 21:25:40 +1000
Subject: [PATCH] Do not open images with zero or negative height

---
 Tests/images/zero_height.j2k | Bin 0 -> 3886 bytes
 Tests/test_imagefile.py      |  14 +++++++++++++-
 src/PIL/ImageFile.py         |   2 +-
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 Tests/images/zero_height.j2k

diff --git a/Tests/images/zero_height.j2k b/Tests/images/zero_height.j2k
new file mode 100644
index 0000000000000000000000000000000000000000..21bdd8f7667842621074f53e9c5eb6d9128fc460
GIT binary patch
literal 3886
zcmV+}57F@dPybN>DF6Tf002M$002M$00000002M$002M$002M$00000000000S^HI
z|55-90000100jgD00IA8024rfh=`Dgh>(bgkcfzoh=`E?WB?@q0Yh?SVRU6=AYyqS
zPjF>!N>D{dAa-SPb7^mGATlm6E-?R)015yA000iP00IA#&-^GL2!eVy;#fdGzys+E
z01u=r03S#|4l;{9uLsQxrJoQy_`|>h=^X$Mq<jEA!2lWFn1HZ6T^cnn*5`>|6fL4Y
z_?hYHHB+s)I`GjNhH%}k`qLl@|7B(lV8$=N2iR)>A7RV@KEt3#hu`C4V&TdK18uF9
z(d-MFdc{vNj<9B$$}zN1!zDjVfH#?!L6Qk)gd05o?a2zrN;7YtLhT8nTx>?l-jo^x
zo(`~QndSf{1$dXB$~9L%!nbA5Jct1r3jb$yADnLO05Xz;zEUGPiyGNQt3=Sb5~1T=
zzUF}wE7Q}?b8pf-3aqJuA+uPICxoz2RKa71l6sz&V0PxK;Njz~G>0@Rs=O=*lEP2G
z2ia~w55DDq2ibUlqSk+m1dPG!Y&6OzWi#35Q)*|ygwA68jBd<iiK(AK9(^NazoPw6
z3$V^%&ng=26KQLUrzrX`DUSso_QHT=MKNFXQssOFe^h$pC_vw8AfepD^N1RQ25iY%
zj$T__t7yKA4g!XY?mMso!SAV|7wW9{>54ysCK`?+1WLKhD*Xq49=T1FwatpUH9Q!d
zzktA1+K0oUeO^2*I2v_D%B>+D;BN#By&Gu8J2n@GfC_9E2pZN*VUi@*G#thOX#t#b
z#3_x9;eNrWyJYOP0I+$waO(=%z+jbsp1_Oa>sC-SrFoL}(adZ@IY>igj{jx@hIc}&
z#YVSccfAd7>FZ?5>0ZUT?xV7oricoxw{X8@C&(|RV`uF3)e*3n&3?yquW?JgZg&OG
zEl+FSunjB42_1;8%L2Qwa>-{+($T_mud7-b6f2pU9S}~>vbIgY9z^~b$}m}#0mG;u
z4JFaIXPM)o%);`>%o=8)a4w(IPs%Re5<>O9XZ?nojtGcw3{2;(OE6Fc{JppMTrlM~
z0!#J@O*i;x^|{-XJRrFkffj_Gw^^t7YIe9Frj~A^{7!YYF$D%>!X~k;R~j}bVvVh^
zDdBa?uLS8(`R1%Ty%&WugcxsV<sHY{xz*t5pG8gxDO<FHY3L}F`W+t@>shOtH_);)
z-J1zue9b9YZ2Q*{LPH%ya3oA*>yXnzU|mm3-<pZ+;vVUSR}lA2K}YrD3^n<`6?SEh
zgv^H~X1rUANX9_qTXK7j|6~Lt2ANByBw0NMwFyR*FzWr}<iY_MK;qj5Cz6<i_0ev$
zX)CZ2q@><xVc+ulq-`I#BlM}Ixs=CJIQOR&XfycQ5!lJ!+uSD*@I_E9fKsIh96U&U
zhfS<)hmKlRB#KEjpUjt|(3(;Dw~9)s&nCbJ+1u0reVxld1MKeHS_^kgb}#Q8a^E7U
zv2hX_xO#;%ZbXJRLA0&-Gp<*I)>w1(Hjgc&34#uTi9z$Ft9_h`tc(PB-#5+r^OI=!
zM95egr8YrS1ZLTTnrLV?CF9^kYmp7>Va`NNR&=<EeMqt?jB$QiG9YT>__<7%*Q&|t
zS6H$rkR_xE$L0vdc&>YOjH&Z!`Fe*$5F}x?O`lp`4z+xpmzsIyhaWN17qDZl*rg`1
z1Y}24|0hGz;(5dS{T!x8+D*~7YDJyavcow}pB#2S&D6=P+~-)@PoZ^-M4#gBNkqm>
zI`w>bL5MJYx{IYp+UF^-m8X-Q4B#ucG&Q3TN{0n<f9pnsS!?sw%H08~Wl}R6honcT
zD=yAHrtmT=XWc<2Of18Z3^E1He>>%haL9;#Zw9%PFDsK`Qvq`8S2SKJ)tOewcqVfl
zdVw@Awn<nYNKFi@>KVjwcDSvXk)o4Yc?Zz8GopOl`V(Ls^zE0l=W%kv3576kXGv)c
z9X9-j(jF`Mv1CjWw$FA~KdxLMPpb$m=<p<jm`wnhBhJug>nUE^i{N(1z=1IO+6fl4
zz)|!~*s{#IzX0e9Xf94+Emk72+aR(EW>!0YKm{0v-x;QEY&)W}31L9xH9qOlElBV(
z_0;|bk7~g%SlSPQ#h<XT*ob8E)ewt?j5!|F{7%9z<w5fBrK^awlB8*0b0Z@}Xf1%n
z(`7B&I@71)A<c73X?gZ9O-~eD?W2}m{~XBUgR*_0LmWx;Wow4>QnRf2SyRW);Aw=v
z3eJ|qzt=zxgG`l#Y0(giqTh7du7?V~#8QnjN(_V9_c!bOHxy){Z|NvPG|e2`_%ro(
zMiGL4=7l>>N&sc)<T1PKikL5vK+#oC=vFvWY*3Jb-#YE&{i4P=xI#SxM=Un!tWPZs
z&fMjNSX{z$5XsSCC?$cpy<8!q+Ng{EOJf06^%&&vYk_#7@p13rYA^t`HS9|~Uu4|A
zjs>plOU|W9%m;dq{Fuv(2<AKj8Q=dgLX*$U<)puSRhI@tPVb2lRV#$i-2sFdz5gkk
zg$p|aiq&JBGFuq+4of-`_4qi4&rbGotLDsT>rIq&I&qZ2)^`0;csbi~zL98YR)x}x
z25+gNOQ7WNwg^sg!SiDR#%dT?L?4_&2JA@oB~S0WD7lNSZxr1~VY)}-SG_$(>VlZS
zE9@vqRLQaZV=1c-ZhK>Fy?jA^FVk5HeTqEN6+`_}aq6%V`dDK+8zK@A`Ry>+tV1i%
zkx3LyjSy=V0(R7#z(0dYYW10T^LiaxZ%)mKm^f;&ax5{0MJB%w;&=-~j``0Hc}1V{
z*PhNl6bv&Y<o%=As6@<tju+m?DVyk<t65Dt8RSH@bc%&p6{q3XO+z`j30HXvxQ_sA
z#L60-%}QNl;%^7Z^TRFl*RNF3QW?YPW5ydu2AhH9&5VX+<PfDB-_44IS8k;>8YB%%
zTu7s#t8f#0WpwdzD{fvIzUwY(Uu5x_==rXQ%ljkjsH<xDI5M!&h?h%8k09_{!QELk
zDxTFX*CdTw-baV*m|Xu)VH3<krjl}5H<2HP_}lj2f3b4W%l~2!tubF@B{%cX){It_
zl1j_g@LeI<&@l$Vegces=yko3JMRNzwIbBFL;7UyWHJqh;U**D1H7tpX_+cj;5|9p
z@I#wvin|zANbhO>)Hv@81IHV@6o$WS#Fx}Q=^EDS&ZDGOg=Oxf`9Kh-AdVKOt#<On
z%<JQ~6<0Ayh@9_lqM!eO-;rH{jN-Z>I99m>Qkr%Fl0qqG>!-|T{qFsmOKma(bnm@0
zs>HC2-MI;6DVjUG$P7MdCA1)`D|$R4JKmh_LDd8<SiQ>GUrQLI7P%u$<HabJi+JJP
zk()PQrVgw_K!5)`5?ElprYcpCt+}dhpJ4XFwVpjr<#yS*$$3M~b3E(6VBTBxC?D5^
zQgc|;GggnTjZ%N0GiM*3?^muYQfk2JfCJc<9Z4!5=$fgQ_fb>Hs-G+7u!WR;!}Gmi
z@>oE8rFW#av0rY0#9lOsd%X0M-dU)(cIBZb?3vDp4XZ#8S$JU^YfqY%`Cs#?^fy@t
z&7ceN-z-}(j&#Gp6hX!kdsZKV=vhQwnb(b!HNQ_jfK)~6{p-+~GuA+^nVbC=Hu$rB
zpw^<@^6|)?2IvU4;S-&LJ4?q$D3YJp(t}}BtIkA9JDu$dHUrsq)>e6d%O3hcDkK)7
zeY^wh1?Z<a3FVFjkCwH!b!BKj57Ul<Y<+>n5gnfhh!#2}GDpE82$L#s0bYZg9qb=9
zoHqx`<R##}cgX*GgC<@om$5XyHl_hr)?Tqqejr7h6A417w+p|eS6&AW!Zu;vD}o41
zM~HEAWWs`gxYi3#>HI@(rA`kAHLEz*dL`TkF~uiY$P#9;kBK)1!t#LqwDl^u5{WQ?
zY>ekVp5S>y((<P78!eR<Vtqm-IO;U}ifPc0r4+sVd71-IU*Ga;XcnZASzXeGh@Zys
zJNyW=3C2B|1gSpaBZC)=h<Z&zI4aa7@*1vkCEB{kvbtRtA&kYZ+))n%EJR&j|7uBs
z2)Ru`SgE97lRZG<!3>nmNQnFAjUnjA0wyj$H``b!#p-84?DJP&7em>gAkC^Tx`)LD
zQ*se~7A4GEl0}mjIlQlOYfmpz3IiK|Z9N5C;0qR>gPp~)bLMp{Qiw{T$vu>lB;q&g
zaO|eZj(_tlWJ%Rx$-_CVk-pWSaxl0f5#;2@AoMFuZ`OWK92i|rC#1S=k2ZL`ZdIym
z>`6Y^%QTVnf)?19ay`myg$y*Cpt2UPsw}d_duathy&B1gLmH3Q`IqB%dL|(F-?@M{
z3@8fH#pv$r2kA)z2?%Rfj(zuEowCN}DJ*9eE86CO$$xjkD%2XR@0dz0s!nw8ov2Qo
z73uiy0qVCWi`n!5twnxX$5ZY+hf<0jj73LFv%{(0u*V##M_%_VI&_%HsW#R1<MX~V
zl}Y+6jf<suj84%A@<?k{8hgyo(_A~^Y&N*4z{|kiO#n$;XEGt1&v^TxeIXx3G)7Q?
zdbfS6@yU{dH56&%R0nHV0Xni}X3K)XCErA&jhCcf<>FlnCT}i3d&*9lJzqMu#gt&A
z)^jrCipO2W{9yJ*=Of_<T`B|FS40I#0-aMkP;JwY8@o;?%#nRjMPSZ(N|uvL&g-*Z
z2LvSG-`BXJIMac%)7jlZe&mE^v=U*;R4?eD)K!1?Y&UyJ(k4hiJb#e+=L>}9iK^t|
zVFM!$r(+@ti0&<3!zrh>%+8;yAFkH2pRd601PMhWW2q4u&Rj<ZE45U4UtbeNz~xPN
z0xhtOwb5&vUYZ&$Cr(5~i3uBEYyUF&o&~+B_O*+A#+}TpTi|QmBk2)8K)B8?%%HNf
zKXO)O=EPFYvA)b$@44mirEg~w6yX^Rc2l{*O5*YODnaTEqgL+~npx`Uo91%)X##m)
z{$_v4S!W~VwL5<fw-o+MoIjUbL(d|tJxF<P8Ra7e#JPv7<_D)#H>s=F-*%SX*W3sj
zQsmE@+6&m8iKrop4=zFmY^#3`RS*|^?N}(WYj7eU7?s-AnPN`RTd~zkOe^nuHY9;{
wPDcwS(s{EPCAJ{f#}b^oPT0b|?CjRuDmg`9He^Cv`gDOO^8O3fGe3X-*_k_7r~m)}

literal 0
HcmV?d00001

diff --git a/Tests/test_imagefile.py b/Tests/test_imagefile.py
index 0b3aecd0849..fc0fbfb9bbc 100644
--- a/Tests/test_imagefile.py
+++ b/Tests/test_imagefile.py
@@ -2,7 +2,15 @@
 
 import pytest
 
-from PIL import BmpImagePlugin, EpsImagePlugin, Image, ImageFile, _binary, features
+from PIL import (
+    BmpImagePlugin,
+    EpsImagePlugin,
+    Image,
+    ImageFile,
+    UnidentifiedImageError,
+    _binary,
+    features,
+)
 
 from .helper import (
     assert_image,
@@ -377,3 +385,7 @@ def test_encode(self):
 
         with pytest.raises(NotImplementedError):
             encoder.encode_to_file(None, None)
+
+    def test_zero_height(self):
+        with pytest.raises(UnidentifiedImageError):
+            Image.open("Tests/images/zero_height.j2k")
diff --git a/src/PIL/ImageFile.py b/src/PIL/ImageFile.py
index 5e1dbbf683e..99b77a37f5f 100644
--- a/src/PIL/ImageFile.py
+++ b/src/PIL/ImageFile.py
@@ -123,7 +123,7 @@ def __init__(self, fp=None, filename=None):
             ) as v:
                 raise SyntaxError(v) from v
 
-            if not self.mode or self.size[0] <= 0:
+            if not self.mode or self.size[0] <= 0 or self.size[1] <= 0:
                 raise SyntaxError("not identified by this driver")
         except BaseException:
             # close the file only if we have opened it this constructor