summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorfvogel <fvogelnew1@free.fr>2017-08-02 12:00:14 (GMT)
committerfvogel <fvogelnew1@free.fr>2017-08-02 12:00:14 (GMT)
commit70b7db3aaec9652af6037f4950c1f93f6293c073 (patch)
treee52d9c89fbc97452b27012fd488875017dfd4a24
parenta2d0ee1d83897b9b5d95ea1e6182cdc2448e9425 (diff)
parent921db39fdb9af4eaae326f252f9edc30706b213c (diff)
downloadtk-70b7db3aaec9652af6037f4950c1f93f6293c073.zip
tk-70b7db3aaec9652af6037f4950c1f93f6293c073.tar.gz
tk-70b7db3aaec9652af6037f4950c1f93f6293c073.tar.bz2
Fix [b601ce3ab1]: A corrupted image can cause resource exhaustion. Patch from Keith Nash.
-rw-r--r--generic/tkImgGIF.c1
-rw-r--r--tests/corruptMangled.gif2
-rw-r--r--tests/corruptMangled4G.gif2
-rw-r--r--tests/corruptTruncated.gifbin0 -> 32 bytes
-rw-r--r--tests/imgPhoto.test133
-rw-r--r--tests/red.gifbin0 -> 92 bytes
6 files changed, 136 insertions, 2 deletions
diff --git a/generic/tkImgGIF.c b/generic/tkImgGIF.c
index 1c28b54..be90f06 100644
--- a/generic/tkImgGIF.c
+++ b/generic/tkImgGIF.c
@@ -1571,6 +1571,7 @@ Fread(
}
memcpy(dst, handle->data, (size_t) (hunk * count));
handle->data += hunk * count;
+ handle->length -= hunk * count;
return (int)(hunk * count);
}
diff --git a/tests/corruptMangled.gif b/tests/corruptMangled.gif
new file mode 100644
index 0000000..ce043f0
--- /dev/null
+++ b/tests/corruptMangled.gif
@@ -0,0 +1,2 @@
+GIF89aÂ33ÿÿ33ÿ3ÿ3ÿ33ÿÿÿÿ3ÿÿÿ!ù
+,!xºÜ-0Bw¤ïÚ¥µê×Jâ8Uæªkir/3Re7 ; \ No newline at end of file
diff --git a/tests/corruptMangled4G.gif b/tests/corruptMangled4G.gif
new file mode 100644
index 0000000..7dfde0e
--- /dev/null
+++ b/tests/corruptMangled4G.gif
@@ -0,0 +1,2 @@
+GIF89aÂf3ÿÿ33ÿ3ÿ3ÿ33ÿÿÿÿ3ÿÿÿ!ù
+,!xºÜ-0Bw¤ïÚ¥µê×Jâ8Uæªkir/3Re7 ; \ No newline at end of file
diff --git a/tests/corruptTruncated.gif b/tests/corruptTruncated.gif
new file mode 100644
index 0000000..948305a
--- /dev/null
+++ b/tests/corruptTruncated.gif
Binary files differ
diff --git a/tests/imgPhoto.test b/tests/imgPhoto.test
index 86da23d..4f3611e 100644
--- a/tests/imgPhoto.test
+++ b/tests/imgPhoto.test
@@ -59,7 +59,13 @@ set README [makeFile {
set teapotPhotoFile [file join [file dirname [info script]] teapot.ppm]
testConstraint hasTeapotPhoto [file exists $teapotPhotoFile]
-# ----------------------------------------------------------------------
+proc base64ok {} {
+ expr {
+ ![catch {package require base64}]
+ }
+}
+
+testConstraint base64PackageNeeded [base64ok]
test imgPhoto-1.1 {options for photo images} -body {
image create photo photo1 -width 79 -height 83
@@ -1242,7 +1248,130 @@ test imgPhoto-17.3 {photo write: format guessing from filename} -setup {
catch {removeFile $f}
} -result "P6\n"
-# ----------------------------------------------------------------------
+# Reject corrupted or truncated image [Bug b601ce3ab1].
+# WARNING - tests 18.1-18.9 will cause a segfault on 8.5.19 and lower,
+# and on 8.6.6 and lower.
+test imgPhoto-18.1 {Reject corrupted GIF (binary string)} -constraints {
+ base64PackageNeeded
+} -setup {
+ package require base64
+ set data [base64::decode {
+ R0lGODlhwjMz//8zM/8z/zP/MzP/////M////yH5CiwheLrcLTBCd6Tv2qW16tdK4jhV
+ 5qpraXIvM1JlNyAgOw==
+ }]
+} -body {
+ image create photo gif1 -data $data
+} -cleanup {
+ catch {image delete gif1}
+} -returnCodes error -result {error reading color map|not enough free memory for image buffer} -match regexp
+test imgPhoto-18.2 {Reject corrupted GIF (base 64 string)} -setup {
+ set data {
+ R0lGODlhwjMz//8zM/8z/zP/MzP/////M////yH5CiwheLrcLTBCd6Tv2qW16tdK4jhV
+ 5qpraXIvM1JlNyAgOw==
+ }
+} -body {
+ image create photo gif1 -data $data
+} -cleanup {
+ catch {image delete gif1}
+} -returnCodes error -result {error reading color map|not enough free memory for image buffer} -match regexp
+test imgPhoto-18.3 {Reject corrupted GIF (file)} -setup {
+ set fileName [file join [file dirname [info script]] corruptMangled.gif]
+} -body {
+ image create photo gif1 -file $fileName
+} -cleanup {
+ catch {image delete gif1}
+} -returnCodes error -result {error reading color map|not enough free memory for image buffer} -match regexp
+test imgPhoto-18.4 {Reject truncated GIF (binary string)} -constraints {
+ base64PackageNeeded
+} -setup {
+ package require base64
+ set data [base64::decode {
+ R0lGODlhEAAQAMIHAAAAADMz//8zM/8z/zP/MzP///8=
+ }]
+} -body {
+ image create photo gif1 -data $data
+} -cleanup {
+ catch {image delete gif1}
+} -returnCodes error -result {error reading color map}
+test imgPhoto-18.5 {Reject truncated GIF (base 64 string)} -setup {
+ set data {
+ R0lGODlhEAAQAMIHAAAAADMz//8zM/8z/zP/MzP///8=
+ }
+} -body {
+ image create photo gif1 -data $data
+} -cleanup {
+ catch {image delete gif1}
+} -returnCodes error -result {error reading color map}
+test imgPhoto-18.6 {Reject truncated GIF (file)} -setup {
+ set fileName [file join [file dirname [info script]] corruptTruncated.gif]
+} -body {
+ image create photo gif1 -file $fileName
+} -cleanup {
+ catch {image delete gif1}
+} -returnCodes error -result {error reading color map}
+test imgPhoto-18.7 {Reject corrupted GIF (> 4Gb) (binary string)} -constraints {
+ base64PackageNeeded
+} -setup {
+ package require base64
+ set data [base64::decode {
+ R0lGODlhwmYz//8zM/8z/zP/MzP/////M////yH5Ciwhe
+ LrcLTBCd6Tv2qW16tdK4jhV5qpraXIvM1JlNyAgOw==
+ }]
+} -body {
+ image create photo gif1 -data $data
+} -cleanup {
+ catch {image delete gif1}
+} -returnCodes error -result {error reading color map|not enough free memory for image buffer} -match regexp
+test imgPhoto-18.8 {Reject corrupted GIF (> 4Gb) (base 64 string)} -setup {
+ set data {
+ R0lGODlhwmYz//8zM/8z/zP/MzP/////M////yH5Ciwhe
+ LrcLTBCd6Tv2qW16tdK4jhV5qpraXIvM1JlNyAgOw==
+ }
+} -body {
+ image create photo gif1 -data $data
+} -cleanup {
+ catch {image delete gif1}
+} -returnCodes error -result {error reading color map|not enough free memory for image buffer} -match regexp
+test imgPhoto-18.9 {Reject corrupted GIF (> 4Gb) (file)} -setup {
+ set fileName [file join [file dirname [info script]] corruptMangled4G.gif]
+} -body {
+ image create photo gif1 -file $fileName
+} -cleanup {
+ catch {image delete gif1}
+} -returnCodes error -result {error reading color map|not enough free memory for image buffer} -match regexp
+test imgPhoto-18.10 {Valid GIF (binary string)} -constraints {
+ base64PackageNeeded
+} -setup {
+ # Test the binary string reader with a valid GIF.
+ # This is not tested elsewhere.
+ # Tests 18.11, 18.12, with matching data, are included for completeness.
+ package require base64
+ set data [base64::decode {
+ R0lGODlhEAAQAMIHAAAAADMz//8zM/8z/zP/MzP/////M////yH5BAEKAAcALAAA
+ AAAQABAAAAMheLrcLTBCd6QV79qlterXB0riOFXmmapraXIvM1IdZTcJADs=
+ }]
+} -body {
+ image create photo gif1 -data $data
+} -cleanup {
+ catch {image delete gif1}
+} -result gif1
+test imgPhoto-18.11 {Valid GIF (base 64 string)} -setup {
+ set data {
+ R0lGODlhEAAQAMIHAAAAADMz//8zM/8z/zP/MzP/////M////yH5BAEKAAcALAAA
+ AAAQABAAAAMheLrcLTBCd6QV79qlterXB0riOFXmmapraXIvM1IdZTcJADs=
+ }
+} -body {
+ image create photo gif1 -data $data
+} -cleanup {
+ catch {image delete gif1}
+} -result gif1
+test imgPhoto-18.12 {Valid GIF (file)} -setup {
+ set fileName [file join [file dirname [info script]] red.gif]
+} -body {
+ image create photo gif1 -file $fileName
+} -cleanup {
+ catch {image delete gif1}
+} -result gif1
catch {rename foreachPixel {}}
catch {rename checkImgTrans {}}
diff --git a/tests/red.gif b/tests/red.gif
new file mode 100644
index 0000000..1d12ebb
--- /dev/null
+++ b/tests/red.gif
Binary files differ