Merge pull request #845 from wiredfool/icns_cve

wiredfool · wiredfool · commit 9cc0e47ec27a · 2014-08-13T09:45:42.000-07:00
Icns DOS fix -- CVE-2014-3589
diff --git a/PIL/IcnsImagePlugin.py b/PIL/IcnsImagePlugin.py
@@ -179,6 +179,8 @@ def __init__(self, fobj):
         i = HEADERSIZE
         while i < filesize:
             sig, blocksize = nextheader(fobj)
+            if blocksize <= 0:
+                raise SyntaxError('invalid block header')
             i += HEADERSIZE
             blocksize -= HEADERSIZE
             dct[sig] = (i, blocksize)
diff --git a/Tests/check_icns_dos.py b/Tests/check_icns_dos.py
@@ -0,0 +1,10 @@
+# Tests potential DOS of IcnsImagePlugin with 0 length block.
+# Run from anywhere that PIL is importable. 
+
+from PIL import Image
+from io import BytesIO
+
+if bytes is str:
+    Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00')))
+else:
+    Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00', 'latin-1')))
