BE-159-cve-2020-10994

CVE fixes from: python-pillow#4505 Tests for jp2 overflow (cherry picked from commit 30443d3) Format with Black (cherry picked from commit 6e86d23) Add documentation
ActiveState · Apr 19, 2023 · 978191b · 978191b
1 parent 97671b5
commit 978191b
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 15 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -19,6 +19,9 @@ Changelog (Pillow)
 - Fix CVE-2021-28675: Fix DOS in PsdImagePlugin
   [rickprice]
 
+- Fix CVE-2020-10994: In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
+  [rickprice]
+
 6.2.2.4 (2023-03-29)
 ------------------
 

diff --git a/Tests/check_jp2_overflow.py b/Tests/check_jp2_overflow.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+
+# Reproductions/tests for OOB read errors in FliDecode.c
+
+# When run in python, all of these images should fail for
+# one reason or another, either as a buffer overrun,
+# unrecognized datastream, or truncated image file.
+# There shouldn't be any segfaults.
+#
+# if run like
+# `valgrind --tool=memcheck python check_jp2_overflow.py  2>&1 | grep Decode.c`
+# the output should be empty. There may be python issues
+# in the valgrind especially if run in a debug python
+# version.
+
+
+from PIL import Image
+
+repro = ("00r0_gray_l.jp2", "00r1_graya_la.jp2")
+
+for path in repro:
+    im = Image.open(path)
+    try:
+        im.load()
+    except Exception as msg:
+        print(msg)
diff --git a/Tests/images/00r0_gray_l.jp2 b/Tests/images/00r0_gray_l.jp2
diff --git a/Tests/images/00r1_graya_la.jp2 b/Tests/images/00r1_graya_la.jp2
diff --git a/docs/releasenotes/6.2.2.5.rst b/docs/releasenotes/6.2.2.5.rst
@@ -21,3 +21,4 @@ This release addresses several critical CVEs.
 
 :cve:`CVE-2022-22816`: Fixed ImagePath.Path array handling
 
+:cve:`CVE-2020-10994`: In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
diff --git a/src/libImaging/Jpeg2KDecode.c b/src/libImaging/Jpeg2KDecode.c
@@ -110,6 +110,7 @@ j2ku_gray_l(opj_image_t *in, const JPEG2KTILEINFO *tileinfo,
     if (shift < 0)
         offset += 1 << (-shift - 1);
 
+    /* csiz*h*w + offset = tileinfo.datasize */
     switch (csiz) {
     case 1:
         for (y = 0; y < h; ++y) {
@@ -561,6 +562,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
     unsigned n, tile_height, tile_width;
     int total_component_width = 0;
 
+
     stream = opj_stream_create(BUFFER_SIZE, OPJ_TRUE);
 
     if (!stream) {
@@ -758,7 +760,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
         }
 
         if (buffer_size < tile_info.data_size) {
-            /* malloc check ok, tile_info.data_size from openjpeg */
+            /* malloc check ok, overflow and tile size sanity check above */
             UINT8 *new = realloc (state->buffer, tile_info.data_size);
             if (!new) {
                 state->errcode = IMAGING_CODEC_MEMORY;
@@ -769,6 +771,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
             buffer_size = tile_info.data_size;
         }
 
+
         if (!opj_decode_tile_data(codec,
                                   tile_info.tile_index,
                                   (OPJ_BYTE *)state->buffer,
@@ -779,20 +782,6 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
             goto quick_exit;
         }
 
-        /* Check the tile bounds; if the tile is outside the image area,
-           or if it has a negative width or height (i.e. the coordinates are
-           swapped), bail. */
-        if (tile_info.x0 >= tile_info.x1
-            || tile_info.y0 >= tile_info.y1
-            || tile_info.x0 < image->x0
-            || tile_info.y0 < image->y0
-            || tile_info.x1 - image->x0 > im->xsize
-            || tile_info.y1 - image->y0 > im->ysize) {
-            state->errcode = IMAGING_CODEC_BROKEN;
-            state->state = J2K_STATE_FAILED;
-            goto quick_exit;
-        }
-
         unpack(image, &tile_info, state->buffer, im);
     }