Fix for buffer overflow in TiffDecode.c CVE-2016-0740

wiredfool · wiredfool · commit 6dcbf5bd96b7 · 2016-02-04T04:21:51.000-08:00
diff --git a/Tests/check_libtiff_segfault.py b/Tests/check_libtiff_segfault.py
@@ -0,0 +1,23 @@
+from helper import unittest, PillowTestCase
+from PIL import Image
+
+TEST_FILE = "Tests/images/libtiff_segfault.tif"
+
+class TestLibtiffSegfault(PillowTestCase):
+    def test_segfault(self):
+        """ This test should not segfault. It will on Pillow <= 3.1.0 and
+            libtiff >= 4.0.0
+            """
+
+        try:
+            im = Image.open(TEST_FILE)
+            im.load()
+        except IOError:
+            self.assertTrue(True, "Got expected IOError")
+        except Exception:
+            self.fail("Should have returned IOError")
+
+
+
+if __name__ == '__main__':
+    unittest.main()
diff --git a/Tests/images/libtiff_segfault.tif b/Tests/images/libtiff_segfault.tif
diff --git a/libImaging/TiffDecode.c b/libImaging/TiffDecode.c
@@ -169,7 +169,7 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, int
 	char *filename = "tempfile.tif";
 	char *mode = "r";
 	TIFF *tiff;
-	int size;
+	tsize_t size;
 
 
 	/* buffer is the encoded file, bytes is the length of the encoded file */
