Overflow checks for realloc for tiff decoding

python-pillow · Jan 2, 2020 · b9c6854 · b9c6854
1 parent be44f0d
commit b9c6854
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 3 deletions.
diff --git a/Tests/images/tiff_overflow_rows_per_strip.tif b/Tests/images/tiff_overflow_rows_per_strip.tif
diff --git a/Tests/test_file_libtiff.py b/Tests/test_file_libtiff.py
@@ -841,3 +841,13 @@ def test_sampleformat_not_corrupted(self):
         out.seek(0)
         with Image.open(out) as im:
             im.load()
+
+    def test_realloc_overflow(self):
+        TiffImagePlugin.READ_LIBTIFF = True
+        with Image.open("Tests/images/tiff_overflow_rows_per_strip.tif") as im:
+            with self.assertRaises(IOError) as e:
+                im.load()
+
+            # Assert that the error code is IMAGING_CODEC_MEMORY
+            self.assertEqual(str(e.exception), "-9")
+        TiffImagePlugin.READ_LIBTIFF = False
diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
@@ -353,16 +353,18 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
 
         // We could use TIFFTileSize, but for YCbCr data it returns subsampled data size
         row_byte_size = (tile_width * state->bits + 7) / 8;
-        state->bytes = row_byte_size * tile_length;
 
-        /* overflow check for malloc */
-        if (state->bytes > INT_MAX - 1) {
+        /* overflow check for realloc */
+        if (INT_MAX / row_byte_size < tile_length) {
             state->errcode = IMAGING_CODEC_MEMORY;
             TIFFClose(tiff);
             return -1;
         }
+
+        state->bytes = row_byte_size * tile_length;
 
         /* realloc to fit whole tile */
+        /* malloc check above */
         new_data = realloc (state->buffer, state->bytes);
         if (!new_data) {
             state->errcode = IMAGING_CODEC_MEMORY;
@@ -415,11 +417,20 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
 
         // We could use TIFFStripSize, but for YCbCr data it returns subsampled data size
         row_byte_size = (state->xsize * state->bits + 7) / 8;
+
+        /* overflow check for realloc */
+        if (INT_MAX / row_byte_size < rows_per_strip) {
+            state->errcode = IMAGING_CODEC_MEMORY;
+            TIFFClose(tiff);
+            return -1;
+        }
+
         state->bytes = rows_per_strip * row_byte_size;
 
         TRACE(("StripSize: %d \n", state->bytes));
 
         /* realloc to fit whole strip */
+        /* malloc check above */
         new_data = realloc (state->buffer, state->bytes);
         if (!new_data) {
             state->errcode = IMAGING_CODEC_MEMORY;