Fix for SGI Decode buffer overrun CVE-2020-35655

* Independently found by a contributor and sent to Tidelift, and by Google's OSS Fuzz.
python-pillow · Jan 2, 2021 · 7e95c63 · 7e95c63
1 parent e6ef8a6
commit 7e95c63
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 8 deletions.
diff --git a/Tests/images/crash-6b7f2244da6d0ae297ee0754a424213444e92778.sgi b/Tests/images/crash-6b7f2244da6d0ae297ee0754a424213444e92778.sgi
diff --git a/Tests/images/ossfuzz-5730089102868480.sgi b/Tests/images/ossfuzz-5730089102868480.sgi
diff --git a/Tests/test_sgi_crash.py b/Tests/test_sgi_crash.py
@@ -6,7 +6,13 @@
 
 @pytest.mark.parametrize(
     "test_file",
-    ["Tests/images/sgi_overrun_expandrowF04.bin", "Tests/images/sgi_crash.bin"],
+    [
+        "Tests/images/sgi_overrun_expandrowF04.bin",
+        "Tests/images/sgi_crash.bin",
+        "Tests/images/crash-6b7f2244da6d0ae297ee0754a424213444e92778.sgi",
+        "Tests/images/ossfuzz-5730089102868480.sgi",
+
+    ],
 )
 def test_crashes(test_file):
     with open(test_file, "rb") as f:

diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
@@ -112,11 +112,27 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
     int err = 0;
     int status;
 
+    /* size check */
+    if (im->xsize > INT_MAX / im->bands ||
+        im->ysize > INT_MAX / im->bands) {
+        return IMAGING_CODEC_MEMORY;
+    }
+
     /* Get all data from File descriptor */
     c = (SGISTATE*)state->context;
     _imaging_seek_pyFd(state->fd, 0L, SEEK_END);
     c->bufsize = _imaging_tell_pyFd(state->fd);
     c->bufsize -= SGI_HEADER_SIZE;
+
+    c->tablen = im->bands * im->ysize;
+    /* below, we populate the starttab and lentab into the bufsize,
+       each with 4 bytes per element of tablen
+       Check here before we allocate any memory
+    */
+    if (c->bufsize < 8*c->tablen) {
+        return IMAGING_CODEC_MEMORY;
+    }
+
     ptr = malloc(sizeof(UINT8) * c->bufsize);
     if (!ptr) {
         return IMAGING_CODEC_MEMORY;
@@ -134,18 +150,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
         state->ystep = 1;
     }
 
-    if (im->xsize > INT_MAX / im->bands ||
-        im->ysize > INT_MAX / im->bands) {
-        err = IMAGING_CODEC_MEMORY;
-        goto sgi_finish_decode;
-    }
-
     /* Allocate memory for RLE tables and rows */
     free(state->buffer);
     state->buffer = NULL;
     /* malloc overflow check above */
     state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
-    c->tablen = im->bands * im->ysize;
     c->starttab = calloc(c->tablen, sizeof(UINT32));
     c->lengthtab = calloc(c->tablen, sizeof(UINT32));
     if (!state->buffer ||