Merge pull request #4506 from hugovk/fix_pcx

Fix bounds overflow in PCX decoding
python-pillow · Apr 1, 2020 · f260acc · f260acc
2 parents 9650ac4 + ada137e
commit f260acc
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 4 deletions.
diff --git a/Tests/images/01r_00.pcx b/Tests/images/01r_00.pcx
diff --git a/Tests/test_image.py b/Tests/test_image.py
@@ -638,13 +638,17 @@ def test_pillow_version(self, test_module):
             assert test_module.PILLOW_VERSION > "7.0.0"
 
     def test_overrun(self):
+        """ For overrun completeness, test as:
+        valgrind pytest -qq Tests/test_image.py::TestImage::test_overrun | grep decode.c
+        """
         for file in [
             "fli_overrun.bin",
             "sgi_overrun.bin",
             "sgi_overrun_expandrow.bin",
             "sgi_overrun_expandrow2.bin",
             "pcx_overrun.bin",
             "pcx_overrun2.bin",
+            "01r_00.pcx",
         ]:
             with Image.open(os.path.join("Tests/images", file)) as im:
                 try:

diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
@@ -22,10 +22,7 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt
     UINT8 n;
     UINT8* ptr;
 
-    if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
-        state->errcode = IMAGING_CODEC_OVERRUN;
-        return -1;
-    } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
+    if ((state->xsize * state->bits + 7) / 8 > state->bytes) {
         state->errcode = IMAGING_CODEC_OVERRUN;
         return -1;
     }