Fix FLI DOS -- CVE-2021-28676

* FliDecode did not properly check that the block advance was non-zero, potentally leading to an infinite loop on load. * This dates to the PIL Fork * Found with oss-fuzz
python-pillow · Apr 1, 2021 · bb6c11f · bb6c11f
1 parent 5a5e6db
commit bb6c11f
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 0 deletions.
diff --git a/Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli b/Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli
diff --git a/Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli b/Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli
diff --git a/Tests/test_file_fli.py b/Tests/test_file_fli.py
@@ -123,3 +123,18 @@ def test_seek():
         im.seek(50)
 
         assert_image_equal_tofile(im, "Tests/images/a_fli.png")
+
+
+@pytest.mark.parametrize(
+    "test_file",
+    [
+        "Tests/images/timeout-9139147ce93e20eb14088fe238e541443ffd64b3.fli",
+        "Tests/images/timeout-bff0a9dc7243a8e6ede2408d2ffa6a9964698b87.fli",
+    ],
+)
+@pytest.mark.timeout(timeout=3)
+def test_timeouts(test_file):
+    with open(test_file, "rb") as f:
+        with Image.open(f) as im:
+            with pytest.raises(OSError):
+                im.load()
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
@@ -243,6 +243,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t byt
                 return -1;
         }
         advance = I32(ptr);
+        if (advance == 0 ) {
+            // If there's no advance, we're in in infinite loop
+            state->errcode = IMAGING_CODEC_BROKEN;
+            return -1;
+        }
         if (advance < 0 || advance > bytes) {
             state->errcode = IMAGING_CODEC_OVERRUN;
             return -1;