From cbfdde7b1f2295059a20a539ee9960f0bec7b299 Mon Sep 17 00:00:00 2001 From: Eric Soroos Date: Sun, 3 Jan 2021 21:35:32 +0100 Subject: [PATCH] Incorrect error code checking in TiffDecode.c * since Pillow 8.1.0 * CVE-2021-25289 --- ...-0e16d3bfb83be87356d026d66919deaefca44dac.tif | Bin 0 -> 4567 bytes ...-1152ec2d1a1a71395b6f2ce6721c38924d025bf3.tif | Bin 0 -> 4221 bytes Tests/test_tiff_crashes.py | 2 ++ src/libImaging/TiffDecode.c | 2 +- 4 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 Tests/images/crash-0e16d3bfb83be87356d026d66919deaefca44dac.tif create mode 100644 Tests/images/crash-1152ec2d1a1a71395b6f2ce6721c38924d025bf3.tif diff --git a/Tests/images/crash-0e16d3bfb83be87356d026d66919deaefca44dac.tif b/Tests/images/crash-0e16d3bfb83be87356d026d66919deaefca44dac.tif new file mode 100644 index 0000000000000000000000000000000000000000..f59aab21afe39d2926aad3eeb896b7d147d510f5 GIT binary patch literal 4567 zcmdUxdmz-=+rW>zTD#UIm(rTmP{e461}(o*ZWW=DY{Zz{XU5DhicCpHHVJ7`Aqf>F zxkY873#~#*iY}&9#D-iNV`jeZ`C`lad*9vd{r&fz;hfKT&hwn-a?TkX9Swjy0N_Ue zB&2`@BtzIq%rFnmB_T_}u^IkK&B)~-%g(SYWF-mdsa-}P&zq5>Hfl4Bfvi5G^BA($ zj2!jn4jI)|g%d9cIbbabfD>e8Nhtsk#v}n$C1n8WXFinE*>b=^0f0nkwD+te*bc{5 zMYsr?{M4t%004u<0N|GZprQxBHXQ&ae+D3U0RTl%+eigQYz=@F34qXK09a)JJZlHw z@n-<6RZxHE2W@DN%#3^gVU9dSx_~V#-9I+8dT9GoQSxh(`qI$N{#1aYq$K?LviPll z+y>gvkIeK&(_Z0RQc7AzR!)A--0z@5#gFI_OG!#g$;e1c!__@-9Y`z5DF2LKC9C4< zE2k5#YO*giSANmz(z@8Noi>*X*o162}vfJxRSKY&v;qoRjzWr;VL>N`{Y$ur{5t$Vg@M+1`2>Jg}RFt6cEV3EFtP+@D>&Xj01@oN@6gKHu@4nd};m| zTS^$!m%Iyr>7-FBpo|t51FLL~w=g$1GQq+6e`$Za_(kjQ0X^JljS<(WLz7Uu|5f(Y z_N$C?1^~hstj&?HGQUg!sty34(fL(|Jq>_jJOGs~v+_|xFH9hVLA5kCW-^($AQBOW z7W7N|M};q%e+{$z;ZT2HYKK`v+UXk+%D|vSB~n5u5i|^)>PsYHjQ;%=|Hp>2!kQI_ zp&Mx@iAEwrS6kpM3nB-=<0ktDF@h*$Oc436PWT(m0-w~X1y#-0I}j?o_iGT(ZVu)R;>>UE=yjW;j|;iohYK3J$p;(I!=O*|aC zhOCQ4*gD5}NbaBJN)dN1gmXTcMX}*2^iYt~CwVA=MEygs9@408K$?8h9!ARD6 z#N#!7(0eefnZd|d;&LpGwicV~b1)veFMFf%>6q;6qM?-tG$C!i?%NtCn8&)`8IA zEPKqdQblQh3$^VI?}F2?v-PO)8OFN`=U=p60g`^mrw9(2JQz9LOD?%JYmmQBPd*!-QePcJ8j8jP027p8WjCCP?I4&ruBOl};p{>-`h$H>b2`BsdUw0Zx$;M(zNaD=cKDH7 ztx4%+W@-4~3no3LMAi#Ux9_OY!`oGItO|9PN#``7n_^FP+}I@e`J zUlbSONQW!traB9>EgMT64%ErvJQF0aX*4-+=a7fA@KbIXsS|hX&i1^$(Y)xcIsP|? zk3`o`jS>V6DXEUrzw`%gJ{q9*l5NN_S$BWr8f&bmYEJViZ@aI(uUNufN$#Y|)9kKwmj5ZQa9i&+4%V+CAVQ{T4=%d!CS_la3O7hmtFKmuA9C6| zWLwtrVf%=vQYS%VhC=bY!rE*zgItdzdp`yXn$^0CJCaJBvX!;25)hzV|`OX*3EZl3z>d&k~|F~GA z?ZT>CfdJwQm+?k^Nkn%JTTndyll;*2$SSefu<|-=zs6~D0&x-y;hqjZipdpVQENQ zslHgbp_mhE%PnP2ZK>M!;(2Akd)Ml?Woe>p$L0Z3y>+5D9s7LRG|k=j*ZH2~(S#;> zadG8-8Ce`pvsr&D{y(CfA!b>W-CDFau|<1x6SQAuI@K?ml27%^rh5FeWVIn?E(SGO zjw%qQO=cesfU7g`6$?7SInVI3&g=tTAQ^vDZ|B4B4qbc8OzuDyPTug2CKYih+ z6Zm!)_?f8wZ;8O_{I4!%q7pI8uX`Z?a~=Wxd&R4-s|&XZ@^Z|@3#@%yCNvpb!Gw=! zPRPI&?q}hO`}~z$vAqUsxU9c~&Hbd+${MhWKtOIqtVBHmJ{<{1z~w%%n>EuA0qJl< zdef-&e$gdvhfo#)rTY*tN+|lU5_(JLoPu8$a-(c*R^zb}QB2Ca7U^LZ;jyk9!Kk(X z$CY@KGNImqfGQjJH!&N;KR6;_$0#&UdzXm-ofUTwAQ(K$`XhLx2mw;@zxYmMiPaF$ z_}f8NgSJRFC-2qe24R*@J!SG|OJgyo$*0#P!RO8`1a!cEEY9Y&@=_+W-sOzFM*!LW zBl|9kFWfJ_PUeoTD(T0~M*x#E_E^NmAt03@auw#X>U?Z^iiM^y1uX>htw0R_4I#gq|MwrC8rBd3;deh6QVU2G~WG&pC zwY-*)J*X($mGapgekqikX4SKJmKS1dj7Lm+CLf505zujjPd&fMgqwiENoY;s7SEh0jkB zO9+!=BMx`Ht4|mZwAAH%P!U(Bh|+4qh3m)92^W{bV`y?I94jgOotZDjG9HNyojzx= zln`+GgvdjepVu$Q>&zVzrYs(|ceHsfF5s?j5-$<_bTrbMc^yXb4BnSKR}OO`P0Q Il8QY0FD*Gu-2eap literal 0 HcmV?d00001 diff --git a/Tests/images/crash-1152ec2d1a1a71395b6f2ce6721c38924d025bf3.tif b/Tests/images/crash-1152ec2d1a1a71395b6f2ce6721c38924d025bf3.tif new file mode 100644 index 0000000000000000000000000000000000000000..c8d6e2aada30caad02b460a088519afaec3706d8 GIT binary patch literal 4221 zcma)8c|6qJ_rHuKWl1EqEde(Mau82MYi z@6Qaz`?|a^W5d7-bQl3JhVct03*Wy z3~d9T!?W*izwOh05B(nR{udtl3Vj25aO(bNV*GzX{G0ZT{D%cbMg~U4e^36e0Qv|- z;pmzF&k!8=Kg7U@U}9!rJ-~MG5Ufyhc>ib-j7$h-W+ocyM%>kFo?KM9JUTX}rdmC{ZOKRV=_2oQQcr>u~1vcS= zkn3x|n1m=Mo;PQDeS38Y;%m$HW7<>7Rb{^ftSJRSqk`NUZ+k;TM%3H2*%r}uDU&(^ zDxv%;(-nPWA5KM?1tBTbsVoNZ7@WQCD*AFs+sd6j&oq%2fle-%BU(SKKNmCj0hvbL z*%I#WLFL8Q=dT#GY->u`wMp^~8j8u{zOFcC;SAj8-<9JcnBA>xk|Tw<$v zBwr!!vVLi*KqOyjtv85O%9##*ZYxatL}g2DA~2pSy>E^*q7 zE~v4_uVxlIpg$MzBDCg4F?Ut(F}!Bwog}onja;EhhDE}3_aR|xgZ3mxA7slZL~%qm z$Hy%siBr0e<6*4Q%bIZ4O^4J3o2*QCr$c&==+`dm&c@VTWmWINFtZ=b6h=3Mn$JlZ z6Z{X^1r1Jkt%%>RQ=bcA))f=SNPp~@a51^|YhX4ZCjRwI>>I6@bgHSC%ROP#4}s~^ zWJ$coPE0Q+a=jYwqxh>zl=q2-Gh@iqB$%aD^;0kC( z`c4ZM&Wv&jJVNBq597;%1AUY3EC)H+rJpc_#sL>zTR}v2^rnYk-gH} z|3QY0piB_#Z!yU;FYTEdj1%ta_9vrSn)Vm4%fSeMJQCcwz!5V1+NvY7 z@bATqbL}%``OFw4Ez`-mc#G+}hps+96tyyNPsy3%M0&Ma(HPq|6AcZQ!;sCH%a zm^d;n)N*9P+#%&hqp3fKv6Nt$>2*?h%u9Y9+nax8I5^MpufnOSnVC`8s_||*`gIT4 z#MYu3m#VF3R`-YSIrjt2hcT17yH)EyxynMgOSxQ5MhbT{x!m4=^YkD3s;ur3nCZF= zjki~=g1Bdo28W7dD3~m;EuWFECWd!Zg@45}DQmWqaB=cfZI;LR-yzVV`m={~YczO! zu};IKL1pw=+Kp0Yqh$7yYU-4lGUnTx( zZ)LGqkgVdQ5eF?AyF~gm?KPx3gZ?PmfrwmceU44YNKFvjF_Fat&h)RcZnGS;nr>thcBn_nh(pQ$AtU9 ztK{tAB;Vmtl&ie=XIdQuBCdw{?KtIA53iZFit^dpd0=@5FTY;XX?#g=lS@%4(JA4M z9N0EAdt>V!A#oxvK2rM*af`_EtN)`Tz0l;=mBv+3C5&7UZg>*uZ503MX5{C}WMQdV zOY8R=i|=mNP=q^{74{BO5A953FQ!M9<<8SZhE~NIQ%AK=b&Za$w`eBIZneF2=J_6C z26|Gb$rS_ZbkJQDu;{qpkn8bIJ-^tecw-^BJ`*|qxY#7>uyMgDo_Lv=?WOc^JFcmY zttTXOOcPs}AyJ1nxXNBu@BEOxunO&@f?nC2i0iVZ#Uom~&5IkVH`UlV!XWI&?E+`=OvoX-1+LU7IVjn&#_+B@1)^fKO+GqnxFd5&C)81qxxNS z`a=~0P3B~6=}Q9*?*me8BOOW=3F5RLUyomnv=epx7E84A@_#3tc(tj-OkdU^&gm38 zMt%2IhdPr;ZnXLO&W63h$!Od8#@?3$E)U$K5U0g*rq^|aBT*urUvl)#;v32dRu&JO zK2tJQqsLrpUC~>ST*9m-{xOz(E(RGz^=b>LQ7O-rhBB!Hk-wBjx_L5ZW7fZKc5Lg1 z8)g|9Slq~ZH`>wJ%ennx_;tUQLcV00$oeHU^(i$12{)l$(NmR@|C!vMazTXrV_T=1 zWbj<&E&#>Ob=@%xgaY6BFAWEW<*(>;)JMf8y5Z+zQb{kf7g&tMq*x5by&xd91@GX( zo_4%R%#_gezPCf%mhou>;2bwHJyn1bq{$!8Rhl0Y`NCIHtyR%>=T%^W)diKoPgBHu ztMTo4be9CbpV87gkx~z9SxIL?I=TBx>O}7OyH@XWE63kwmVoizqI3h>+vNlpc6k|8>3XT6EAes`|<(o2;N$tN2}Ju^r2#`KPQK zrNy&va*d7taP}?~uqw=%!@EF0Z>&aPP`fJbJ;om`ORtnK-|%npMAKQb>xY*IW}y-I z9o`JM55Ny`83Y42VB}^%a5F%ofE~dAGYD>g0(9?E2u$;jlRF{syh109CLci;{T@VT zfk1q>4`l|m*2U>U7$+sFY zoHiY(wIv7`(k;q)c5q5gHj`Mf&gCW&MHUl&Y$ARKuV-wBF}*m58Xko}GiuYZ;z}6% z7T?;gsBW+sU7JW7+~0%*CVv4FXG4{w1*kOGK;U>01QzeoFEkvZUZ>>ZROmuFXwzMR z06b+EO=I(1s>W|qRX^`&;pv9_*tOS-6;b$gWFK}(GY|qfHQ@{`5Lkce3xUdc`c<7E z83-i72K~D?b?(#3@kA<|*s6OF*i)10s+JWZO7eA zIv)f+J$a1n5T!}ra>pw>sF~;%pS=?r^7Loj=sD9!bXzL~h&2$%%k7(p-$l;g$g>de zHe88n$L>(?(;K|;o98PQefM*~eIZ2n@^bjZfIn zaEY3l6n^{TaB=z&D3&Q{SeC+1KidK~X(lG}yKZFE0G_`W0u(K0S zXQ0N02gZGyX^C8-5I*1*cYrP$sFGFiF?5?2k}C?kg7WF&0fTfIrF literal 0 HcmV?d00001 diff --git a/Tests/test_tiff_crashes.py b/Tests/test_tiff_crashes.py index d0de4b305d7..eb253346695 100644 --- a/Tests/test_tiff_crashes.py +++ b/Tests/test_tiff_crashes.py @@ -24,6 +24,8 @@ "Tests/images/crash_1.tif", "Tests/images/crash_2.tif", "Tests/images/crash-2020-10-test.tif", + "Tests/images/crash-1152ec2d1a1a71395b6f2ce6721c38924d025bf3.tif", + "Tests/images/crash-0e16d3bfb83be87356d026d66919deaefca44dac.tif", ], ) @pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data") diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c index 5cbbe7380ea..f0e25828636 100644 --- a/src/libImaging/TiffDecode.c +++ b/src/libImaging/TiffDecode.c @@ -250,7 +250,7 @@ int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) { img.row_offset = state->y; rows_to_read = min(rows_per_strip, img.height - state->y); - if (TIFFRGBAImageGet(&img, (UINT32 *)state->buffer, img.width, rows_to_read) == -1) { + if (!TIFFRGBAImageGet(&img, (UINT32 *)state->buffer, img.width, rows_to_read)) { TRACE(("Decode Error, y: %d\n", state->y )); state->errcode = IMAGING_CODEC_BROKEN; goto decodeycbcr_err;