From eed2bfc5b49782f33c5c73080b1d15abcc1e0c38 Mon Sep 17 00:00:00 2001
From: Andrew Murray
Date: Sun, 29 Sep 2019 14:14:38 +1000
Subject: [PATCH] Added decompression bomb checks
---
 Tests/images/decompression_bomb.gif | Bin 0 -> 44 bytes
 Tests/images/decompression_bomb.ico | Bin 0 -> 58 bytes
 Tests/test_decompression_bomb.py | 9 +++++++++
 src/PIL/GifImagePlugin.py | 1 +
 src/PIL/IcoImagePlugin.py | 1 +
 5 files changed, 11 insertions(+)
 create mode 100644 Tests/images/decompression_bomb.gif
 create mode 100644 Tests/images/decompression_bomb.ico
diff --git a/Tests/images/decompression_bomb.gif b/Tests/images/decompression_bomb.gif
new file mode 100644
index 0000000000000000000000000000000000000000..3ca21b60a972e7614b7a785b2f65476e60584fdc
GIT binary patch
literal 44
rcmZ?wbhEHbRA5kG_{huv1pk5PKM?&_{K;|>B%lKl{QqB*m7yO1FUt<3
literal 0
HcmV?d00001
diff --git a/Tests/images/decompression_bomb.ico b/Tests/images/decompression_bomb.ico
new file mode 100644
index 0000000000000000000000000000000000000000..0efc9eaf74bc15bd5fd4babe445ff49035cd140e
GIT binary patch
literal 58
vcmZQzU<5)1CIKL+!SI5KfkBLc0mxzi@);Pc7#Qjq83ceV28N$NIb;9;XITSG
literal 0
HcmV?d00001
diff --git a/Tests/test_decompression_bomb.py b/Tests/test_decompression_bomb.py
index b3a36fe7870..7c18f85d245 100644
--- a/Tests/test_decompression_bomb.py
+++ b/Tests/test_decompression_bomb.py
@@ -14,6 +14,7 @@ def tearDown(self):
 def test_no_warning_small_file(self):
 # Implicit assert: no warning.
 # A warning would cause a failure.
+ Image.MAX_IMAGE_PIXELS = ORIGINAL_LIMIT
 Image.open(TEST_FILE)
 def test_no_warning_no_limit(self):
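Review bot: In `test_no_warning_small_file` the added `Image.MAX_IMAGE_PIXELS = ORIGINAL_LIMIT` sits between the two-line comment and the `Image.open(TEST_FILE)` call that the comment describes, and nothing says why the reset is needed. Move the assignment above the comment and give it its own explanation, for example `# restore the default limit so a value left by another test cannot trigger or mask the warning`. If the reset is there because the module-level limit leaks between tests, doing it once in `setUp` would cover every test in the class; `setUp` is not visible in this hunk, so treat that as something to check rather than a confirmed gap.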
@@ -41,6 +42,14 @@ def test_exception(self):
 self.assertRaises(Image.DecompressionBombError, lambda: Image.open(TEST_FILE))
+ def test_exception_ico(self):
+ with self.assertRaises(Image.DecompressionBombError):
+ Image.open("Tests/images/decompression_bomb.ico")
+
+ def test_exception_gif(self):
+ with self.assertRaises(Image.DecompressionBombError):
+ Image.open("Tests/images/decompression_bomb.gif")
+
 class TestDecompressionCrop(PillowTestCase):
 def setUp(self):
diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py
index 07f5ab6832d..9d8e96feeeb 100644
--- a/src/PIL/GifImagePlugin.py
+++ b/src/PIL/GifImagePlugin.py
@@ -265,6 +265,7 @@ def _seek(self, frame):
 self.dispose = None
 elif self.disposal_method == 2:
 # replace with background colour
+ Image._decompression_bomb_check(self.size)
 self.dispose = Image.core.fill("P", self.size, self.info["background"])
 else:
 # replace with previous contents
diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
index fc728d6fbd5..148e604f895 100644
--- a/src/PIL/IcoImagePlugin.py
+++ b/src/PIL/IcoImagePlugin.py
@@ -180,6 +180,7 @@ def frame(self, idx):
 else:
 # XOR + AND mask bmp frame
 im = BmpImagePlugin.DibImageFile(self.buf)
+ Image._decompression_bomb_check(im.size)
 # change tile dimension to only encompass XOR image
 im._size = (im.size[0], int(im.size[1] / 2))
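Review bot: `test_exception_ico` and `test_exception_gif` never set `Image.MAX_IMAGE_PIXELS`, so they pass only when the limit already in force is low enough for the fixtures to reach the error threshold. Pinning it with `Image.MAX_IMAGE_PIXELS = ORIGINAL_LIMIT` as the first line of each test would make that dependency explicit and independent of test order. The 44-byte and 58-byte fixtures cannot be read in review, so a comment on each test such as `# tiny file whose header declares dimensions above the error threshold` (presumably what they contain; please confirm) would document what is being exercised. Both tests cover only the raising path; nothing here checks the range where the helper warns instead of raising.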
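Review bot: The new `Image._decompression_bomb_check(self.size)` in the `disposal_method == 2` branch of `GifImagePlugin._seek` has no comment explaining why the size must be checked here rather than relying on the check made when the image is opened. As far as I can tell `_seek` can run while the file is still being opened, before that check, so `Image.core.fill` would otherwise allocate a full `self.size` buffer from an unvalidated header. I would add `# size is not yet validated when _seek() runs during open; check before allocating`. `_seek` starts and ends outside this hunk, so any other allocation in it that is sized from `self.size` is not visible here and may need the same guard. Also note that the helper only warns between one and two times `MAX_IMAGE_PIXELS` and does nothing when the limit is `None`, so the fill still runs in those cases.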
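Review bot: In `IcoImagePlugin.frame` the size check is added only inside the `else:` (BMP frame) branch; the `if` branch that precedes it is outside the hunk, and if that branch builds the frame from another embedded image format, its declared size is not checked on this path. Consider adding `Image._decompression_bomb_check(im.size)` right after `im` is created in that branch as well, with a test fixture for it. The check here runs before `im._size` is halved, so it is applied to the combined XOR and AND mask height; that is the conservative choice and deserves a comment, e.g. `# check the full DIB size (XOR image + AND mask) before the height is halved`. `frame` starts and ends outside the hunk.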