J2k DOS fix -- CVE-2014-3598

wiredfool · wiredfool · commit 347a1d8d956f · 2014-08-19T08:25:40.000-07:00
Found and reported by Andrew Drake of dropbox.com
diff --git a/PIL/Jpeg2KImagePlugin.py b/PIL/Jpeg2KImagePlugin.py
@@ -70,6 +70,9 @@ def _parse_jp2_header(fp):
         else:
             hlen = 8
 
+        if lbox < hlen:
+            raise SyntaxError('Invalid JP2 header length')
+        
         if tbox == b'jp2h':
             header = fp.read(lbox - hlen)
             break
diff --git a/Tests/check_j2k_dos.py b/Tests/check_j2k_dos.py
@@ -0,0 +1,11 @@
+# Tests potential DOS of Jpeg2kImagePlugin with 0 length block.
+# Run from anywhere that PIL is importable. 
+
+from PIL import Image
+from io import BytesIO
+
+if bytes is str:
+    Image.open(BytesIO(bytes('\x00\x00\x00\x0cjP\x20\x20\x0d\x0a\x87\x0a\x00\x00\x00\x00hang')))
+else:
+    Image.open(BytesIO(bytes('\x00\x00\x00\x0cjP\x20\x20\x0d\x0a\x87\x0a\x00\x00\x00\x00hang', 'latin-1')))
+
