Merge pull request #7235 from radarhere/decompression_bomb_check

Limit size even if one dimension is zero in decompression bomb check
python-pillow · Jun 28, 2023 · e5188f6 · e5188f6
2 parents 4834f80 + 8437d98
commit e5188f6
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 2 deletions.
diff --git a/Tests/images/zero_width.gif b/Tests/images/zero_width.gif
diff --git a/Tests/test_decompression_bomb.py b/Tests/test_decompression_bomb.py
@@ -64,6 +64,15 @@ def test_exception_gif_extents(self):
             with pytest.raises(Image.DecompressionBombError):
                 im.seek(1)
 
+    def test_exception_gif_zero_width(self):
+        # Set limit to trigger exception on the test file
+        Image.MAX_IMAGE_PIXELS = 4 * 64 * 128
+        assert Image.MAX_IMAGE_PIXELS == 4 * 64 * 128
+
+        with pytest.raises(Image.DecompressionBombError):
+            with Image.open("Tests/images/zero_width.gif"):
+                pass
+
     def test_exception_bmp(self):
         with pytest.raises(Image.DecompressionBombError):
             with Image.open("Tests/images/bmp/b/reallybig.bmp"):

diff --git a/src/PIL/Image.py b/src/PIL/Image.py
@@ -3141,7 +3141,7 @@ def _decompression_bomb_check(size):
     if MAX_IMAGE_PIXELS is None:
         return
 
-    pixels = size[0] * size[1]
+    pixels = max(1, size[0]) * max(1, size[1])
 
     if pixels > 2 * MAX_IMAGE_PIXELS:
         msg = (

diff --git a/src/_imagingft.c b/src/_imagingft.c
@@ -880,7 +880,7 @@ font_render(FontObject *self, PyObject *args) {
     width += stroke_width * 2 + ceil(x_start);
     height += stroke_width * 2 + ceil(y_start);
     if (max_image_pixels != Py_None) {
-        if ((long long)width * height > PyLong_AsLongLong(max_image_pixels) * 2) {
+        if ((long long)(width > 1 ? width : 1) * (height > 1 ? height : 1) > PyLong_AsLongLong(max_image_pixels) * 2) {
             PyMem_Del(glyph_info);
             return Py_BuildValue("O(ii)(ii)", Py_None, width, height, 0, 0);
         }