diff options
author | fvogel <fvogelnew1@free.fr> | 2017-08-02 12:00:14 (GMT) |
---|---|---|
committer | fvogel <fvogelnew1@free.fr> | 2017-08-02 12:00:14 (GMT) |
commit | 70b7db3aaec9652af6037f4950c1f93f6293c073 (patch) | |
tree | e52d9c89fbc97452b27012fd488875017dfd4a24 | |
parent | a2d0ee1d83897b9b5d95ea1e6182cdc2448e9425 (diff) | |
parent | 921db39fdb9af4eaae326f252f9edc30706b213c (diff) | |
download | tk-70b7db3aaec9652af6037f4950c1f93f6293c073.zip tk-70b7db3aaec9652af6037f4950c1f93f6293c073.tar.gz tk-70b7db3aaec9652af6037f4950c1f93f6293c073.tar.bz2 |
Fix [b601ce3ab1]: A corrupted image can cause resource exhaustion. Patch from Keith Nash.
-rw-r--r-- | generic/tkImgGIF.c | 1 | ||||
-rw-r--r-- | tests/corruptMangled.gif | 2 | ||||
-rw-r--r-- | tests/corruptMangled4G.gif | 2 | ||||
-rw-r--r-- | tests/corruptTruncated.gif | bin | 0 -> 32 bytes | |||
-rw-r--r-- | tests/imgPhoto.test | 133 | ||||
-rw-r--r-- | tests/red.gif | bin | 0 -> 92 bytes |
6 files changed, 136 insertions, 2 deletions
diff --git a/generic/tkImgGIF.c b/generic/tkImgGIF.c index 1c28b54..be90f06 100644 --- a/generic/tkImgGIF.c +++ b/generic/tkImgGIF.c @@ -1571,6 +1571,7 @@ Fread( } memcpy(dst, handle->data, (size_t) (hunk * count)); handle->data += hunk * count; + handle->length -= hunk * count; return (int)(hunk * count); } diff --git a/tests/corruptMangled.gif b/tests/corruptMangled.gif new file mode 100644 index 0000000..ce043f0 --- /dev/null +++ b/tests/corruptMangled.gif @@ -0,0 +1,2 @@ +GIF89aÂ33ÿÿ33ÿ3ÿ3ÿ33ÿÿÿÿ3ÿÿÿ!ù +,!xºÜ-0Bw¤ïÚ¥µê×Jâ8Uæªkir/3Re7 ;
\ No newline at end of file diff --git a/tests/corruptMangled4G.gif b/tests/corruptMangled4G.gif new file mode 100644 index 0000000..7dfde0e --- /dev/null +++ b/tests/corruptMangled4G.gif @@ -0,0 +1,2 @@ +GIF89aÂf3ÿÿ33ÿ3ÿ3ÿ33ÿÿÿÿ3ÿÿÿ!ù +,!xºÜ-0Bw¤ïÚ¥µê×Jâ8Uæªkir/3Re7 ;
\ No newline at end of file diff --git a/tests/corruptTruncated.gif b/tests/corruptTruncated.gif Binary files differnew file mode 100644 index 0000000..948305a --- /dev/null +++ b/tests/corruptTruncated.gif diff --git a/tests/imgPhoto.test b/tests/imgPhoto.test index 86da23d..4f3611e 100644 --- a/tests/imgPhoto.test +++ b/tests/imgPhoto.test @@ -59,7 +59,13 @@ set README [makeFile { set teapotPhotoFile [file join [file dirname [info script]] teapot.ppm] testConstraint hasTeapotPhoto [file exists $teapotPhotoFile] -# ---------------------------------------------------------------------- +proc base64ok {} { + expr { + ![catch {package require base64}] + } +} + +testConstraint base64PackageNeeded [base64ok] test imgPhoto-1.1 {options for photo images} -body { image create photo photo1 -width 79 -height 83 @@ -1242,7 +1248,130 @@ test imgPhoto-17.3 {photo write: format guessing from filename} -setup { catch {removeFile $f} } -result "P6\n" -# ---------------------------------------------------------------------- +# Reject corrupted or truncated image [Bug b601ce3ab1]. +# WARNING - tests 18.1-18.9 will cause a segfault on 8.5.19 and lower, +# and on 8.6.6 and lower. +test imgPhoto-18.1 {Reject corrupted GIF (binary string)} -constraints { + base64PackageNeeded +} -setup { + package require base64 + set data [base64::decode { + R0lGODlhwjMz//8zM/8z/zP/MzP/////M////yH5CiwheLrcLTBCd6Tv2qW16tdK4jhV + 5qpraXIvM1JlNyAgOw== + }] +} -body { + image create photo gif1 -data $data +} -cleanup { + catch {image delete gif1} +} -returnCodes error -result {error reading color map|not enough free memory for image buffer} -match regexp +test imgPhoto-18.2 {Reject corrupted GIF (base 64 string)} -setup { + set data { + R0lGODlhwjMz//8zM/8z/zP/MzP/////M////yH5CiwheLrcLTBCd6Tv2qW16tdK4jhV + 5qpraXIvM1JlNyAgOw== + } +} -body { + image create photo gif1 -data $data +} -cleanup { + catch {image delete gif1} +} -returnCodes error -result {error reading color map|not enough free memory for image buffer} -match regexp +test imgPhoto-18.3 {Reject corrupted GIF (file)} -setup { + set fileName [file join [file dirname [info script]] corruptMangled.gif] +} -body { + image create photo gif1 -file $fileName +} -cleanup { + catch {image delete gif1} +} -returnCodes error -result {error reading color map|not enough free memory for image buffer} -match regexp +test imgPhoto-18.4 {Reject truncated GIF (binary string)} -constraints { + base64PackageNeeded +} -setup { + package require base64 + set data [base64::decode { + R0lGODlhEAAQAMIHAAAAADMz//8zM/8z/zP/MzP///8= + }] +} -body { + image create photo gif1 -data $data +} -cleanup { + catch {image delete gif1} +} -returnCodes error -result {error reading color map} +test imgPhoto-18.5 {Reject truncated GIF (base 64 string)} -setup { + set data { + R0lGODlhEAAQAMIHAAAAADMz//8zM/8z/zP/MzP///8= + } +} -body { + image create photo gif1 -data $data +} -cleanup { + catch {image delete gif1} +} -returnCodes error -result {error reading color map} +test imgPhoto-18.6 {Reject truncated GIF (file)} -setup { + set fileName [file join [file dirname [info script]] corruptTruncated.gif] +} -body { + image create photo gif1 -file $fileName +} -cleanup { + catch {image delete gif1} +} -returnCodes error -result {error reading color map} +test imgPhoto-18.7 {Reject corrupted GIF (> 4Gb) (binary string)} -constraints { + base64PackageNeeded +} -setup { + package require base64 + set data [base64::decode { + R0lGODlhwmYz//8zM/8z/zP/MzP/////M////yH5Ciwhe + LrcLTBCd6Tv2qW16tdK4jhV5qpraXIvM1JlNyAgOw== + }] +} -body { + image create photo gif1 -data $data +} -cleanup { + catch {image delete gif1} +} -returnCodes error -result {error reading color map|not enough free memory for image buffer} -match regexp +test imgPhoto-18.8 {Reject corrupted GIF (> 4Gb) (base 64 string)} -setup { + set data { + R0lGODlhwmYz//8zM/8z/zP/MzP/////M////yH5Ciwhe + LrcLTBCd6Tv2qW16tdK4jhV5qpraXIvM1JlNyAgOw== + } +} -body { + image create photo gif1 -data $data +} -cleanup { + catch {image delete gif1} +} -returnCodes error -result {error reading color map|not enough free memory for image buffer} -match regexp +test imgPhoto-18.9 {Reject corrupted GIF (> 4Gb) (file)} -setup { + set fileName [file join [file dirname [info script]] corruptMangled4G.gif] +} -body { + image create photo gif1 -file $fileName +} -cleanup { + catch {image delete gif1} +} -returnCodes error -result {error reading color map|not enough free memory for image buffer} -match regexp +test imgPhoto-18.10 {Valid GIF (binary string)} -constraints { + base64PackageNeeded +} -setup { + # Test the binary string reader with a valid GIF. + # This is not tested elsewhere. + # Tests 18.11, 18.12, with matching data, are included for completeness. + package require base64 + set data [base64::decode { + R0lGODlhEAAQAMIHAAAAADMz//8zM/8z/zP/MzP/////M////yH5BAEKAAcALAAA + AAAQABAAAAMheLrcLTBCd6QV79qlterXB0riOFXmmapraXIvM1IdZTcJADs= + }] +} -body { + image create photo gif1 -data $data +} -cleanup { + catch {image delete gif1} +} -result gif1 +test imgPhoto-18.11 {Valid GIF (base 64 string)} -setup { + set data { + R0lGODlhEAAQAMIHAAAAADMz//8zM/8z/zP/MzP/////M////yH5BAEKAAcALAAA + AAAQABAAAAMheLrcLTBCd6QV79qlterXB0riOFXmmapraXIvM1IdZTcJADs= + } +} -body { + image create photo gif1 -data $data +} -cleanup { + catch {image delete gif1} +} -result gif1 +test imgPhoto-18.12 {Valid GIF (file)} -setup { + set fileName [file join [file dirname [info script]] red.gif] +} -body { + image create photo gif1 -file $fileName +} -cleanup { + catch {image delete gif1} +} -result gif1 catch {rename foreachPixel {}} catch {rename checkImgTrans {}} diff --git a/tests/red.gif b/tests/red.gif Binary files differnew file mode 100644 index 0000000..1d12ebb --- /dev/null +++ b/tests/red.gif |