From bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec Mon Sep 17 00:00:00 2001
From: wiredfool
Date: Wed, 20 Jan 2016 22:37:28 +0000
Subject: [PATCH] FLI overflow error fix and testcase CVE-2016-0775
---
 Tests/check_fli_overflow.py | 16 ++++++++++++++++
 Tests/images/fli_overflow.fli | Bin 0 -> 4645 bytes
 libImaging/FliDecode.c | 2 +-
 3 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 Tests/check_fli_overflow.py
 create mode 100644 Tests/images/fli_overflow.fli
--- libImaging/FliDecode.c
+++ libImaging/FliDecode.c
@@ -185,7 +185,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
 /* COPY chunk */
 for (y = 0; y < state->ysize; y++) {
 UINT8* buf = (UINT8*) im->image[y];
- memcpy(buf+x, data, state->xsize);
+ memcpy(buf, data, state->xsize);
 data += state->xsize;
 }
 break;
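Review bot: The COPY loop still reads `state->xsize` bytes from `data` on each of `state->ysize` rows, and nothing visible in this hunk checks that the input holds that much, so a truncated or crafted chunk could make `memcpy` read past the end of the `bytes`-long input even though the destination offset is now fixed. Unless a length check already sits earlier in the function (which starts and ends outside this hunk), add one before the loop, e.g. `if ((size_t)state->xsize * state->ysize > (size_t)(end - data)) { state->errcode = IMAGING_CODEC_OVERRUN; return -1; }`, where `end` is a placeholder for a pointer one past the input (the parameter `buf` plus `bytes`). The row-local `UINT8* buf` shadows that parameter, so renaming it (say `out`) would keep the input bounds reachable inside the loop. It is also worth confirming that every `im->image[y]` row is at least `state->xsize` bytes wide for each image mode this decoder accepts, since the copy length comes from the codec state rather than from the image.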