aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/python-pillow-CVE-2022-45199.patch
blob: 3b01d3a8f4489df076dfb66a13dd456e41784c57 (about) (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
From 13f2c5ae14901c89c38f898496102afd9daeaf6d Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Fri, 28 Oct 2022 14:11:25 +0200
Subject: [PATCH 1/5] Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD

A large value in the SAMPLESPERPIXEL tag could lead to a memory and
runtime DOS in TiffImagePlugin.py when setting up the context for
image decoding.

diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
index 04a63bd2b44..46166fc6335 100644
--- a/src/PIL/TiffImagePlugin.py
+++ b/src/PIL/TiffImagePlugin.py
@@ -257,6 +257,8 @@
     (MM, 8, (1,), 1, (8, 8, 8), ()): ("LAB", "LAB"),
 }
 
+MAX_SAMPLESPERPIXEL = max(len(key_tp[4]) for key_tp in OPEN_INFO.keys())
+
 PREFIXES = [
     b"MM\x00\x2A",  # Valid TIFF header with big-endian byte order
     b"II\x2A\x00",  # Valid TIFF header with little-endian byte order
@@ -1396,6 +1398,12 @@ def _setup(self):
             SAMPLESPERPIXEL,
             3 if self._compression == "tiff_jpeg" and photo in (2, 6) else 1,
         )
+
+        if samples_per_pixel > MAX_SAMPLESPERPIXEL:
+            # DOS check, samples_per_pixel can be a Long, and we extend the tuple below
+            logger.error("More samples per pixel than can be decoded: %s", samples_per_pixel)
+            raise SyntaxError("Invalid value for samples per pixel")
+
         if samples_per_pixel < bps_actual_count:
             # If a file has more values in bps_tuple than expected,
             # remove the excess.