From 5932a0bd19b513c3c86d9fc8dec5d41384247056 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Sat, 1 Apr 2023 09:23:57 +1100 Subject: [PATCH] Clear half token after use --- Tests/test_file_ppm.py | 10 ++++++++++ docs/releasenotes/9.5.0.rst | 15 ++++++++++++--- src/PIL/PpmImagePlugin.py | 1 + 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/Tests/test_file_ppm.py b/Tests/test_file_ppm.py index fbcbea6c691..292642ca9f8 100644 --- a/Tests/test_file_ppm.py +++ b/Tests/test_file_ppm.py @@ -256,6 +256,16 @@ def test_truncated_file(tmp_path): im.load() +def test_not_enough_image_data(tmp_path): + path = str(tmp_path / "temp.ppm") + with open(path, "wb") as f: + f.write(b"P2 1 2 255 255") + + with Image.open(path) as im: + with pytest.raises(ValueError): + im.load() + + @pytest.mark.parametrize("maxval", (b"0", b"65536")) def test_invalid_maxval(maxval, tmp_path): path = str(tmp_path / "temp.ppm") diff --git a/docs/releasenotes/9.5.0.rst b/docs/releasenotes/9.5.0.rst index 0b0e0dd2f10..1ba9b98905b 100644 --- a/docs/releasenotes/9.5.0.rst +++ b/docs/releasenotes/9.5.0.rst @@ -62,10 +62,19 @@ PLT markers. Security ======== -TODO -^^^^ +Clear PPM half token after use +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -TODO +Image files that are small on disk are often prevented from expanding to be +big images consuming a large amount of resources simply because they lack the +data to populate those resources. + +PpmImagePlugin might hold onto the last data read for a pixel value in case the +pixel value has not been finished yet. However, that data was not being cleared +afterwards, meaning that infinite data could be available to fill any image +size. + +That data is now cleared after use. Other Changes ============= diff --git a/src/PIL/PpmImagePlugin.py b/src/PIL/PpmImagePlugin.py index 5aa418044b1..2cb1e56365d 100644 --- a/src/PIL/PpmImagePlugin.py +++ b/src/PIL/PpmImagePlugin.py @@ -237,6 +237,7 @@ def _decode_blocks(self, maxval): if half_token: block = half_token + block # stitch half_token to new block + half_token = False tokens = block.split()