Skip to content

Commit

Permalink
Fix Memory DOS in ImageFont
Browse files Browse the repository at this point in the history
* A corrupt or specially crafted TTF font could have font metrics that
  lead to unreasonably large sizes when rendering text in
  font. ImageFont.py did not check the image size before allocating
  memory for it.
* Found with oss-fuzz
* This dates from the PIL fork
  • Loading branch information
wiredfool authored and hugovk committed Apr 1, 2021
1 parent bb6c11f commit ba65f0b
Show file tree
Hide file tree
Showing 3 changed files with 14 additions and 0 deletions.
Binary file not shown.
13 changes: 13 additions & 0 deletions Tests/test_imagefont.py
Original file line number Diff line number Diff line change
Expand Up @@ -997,3 +997,16 @@ def fake_version_module(module):
# Act / Assert
with pytest.warns(DeprecationWarning):
ImageFont.truetype(FONT_PATH, FONT_SIZE)


@pytest.mark.parametrize(
"test_file",
[
"Tests/fonts/oom-e8e927ba6c0d38274a37c1567560eb33baf74627.ttf",
],
)
def test_oom(test_file):
with open(test_file, "rb") as f:
font = ImageFont.truetype(BytesIO(f.read()))
with pytest.raises(Image.DecompressionBombError):
font.getmask("Test Text")
1 change: 1 addition & 0 deletions src/PIL/ImageFont.py
Original file line number Diff line number Diff line change
Expand Up @@ -669,6 +669,7 @@ def getmask2(
)
size = size[0] + stroke_width * 2, size[1] + stroke_width * 2
offset = offset[0] - stroke_width, offset[1] - stroke_width
Image._decompression_bomb_check(size)
im = fill("RGBA" if mode == "RGBA" else "L", size, 0)
self.font.render(
text, im.id, mode, direction, features, language, stroke_width, ink
Expand Down

0 comments on commit ba65f0b

Please # to comment.