5.1.0-1ubuntu0.6 on bionic (python2) can fail on Parser.feed(data) due to OSError

Bug #1933983 reported by Tom Haddon
This bug affects 2 people
Affects: pillow (Ubuntu)

Bug Description

The python2 version of pillow in bionic (python-pil 5.1.0-1ubuntu0.6) includes debian/patches/CVE-2021-28675.patch, which has the following:

--- a/src/PIL/ImageFile.py
+++ b/src/PIL/ImageFile.py
@@ -522,12 +522,18 @@ def _safe_read(fp, size):

     :param fp: File handle. Must implement a <b>read</b> method.
     :param size: Number of bytes to read.
- :returns: A string containing up to <i>size</i> bytes of data.
+ :returns: A string containing <i>size</i> bytes of data.
+ Raises an OSError if the file is truncated and the read can not be completed
     if size <= 0:
         return b""
     if size <= SAFEBLOCK:
- return fp.read(size)
+ data = fp.read(size)
+ if len(data) < size:
+ raise OSError("Truncated File Read")
+ return data
     data = []
     while size > 0:
         block = fp.read(min(size, SAFEBLOCK))
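Review bot: the new `raise OSError("Truncated File Read")` in the `size <= SAFEBLOCK` branch changes the exception contract for every caller, and this python2 build has to be checked against that. On Python 2, OSError and IOError are separate classes, so a handler written as `except IOError:` will not catch a short read raised here. Either raise IOError in the python2 backport, or widen the handlers that treat a short read as "not enough data" to `except (IOError, OSError):`.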
@@ -535,6 +541,8 @@ def _safe_read(fp, size):
         size -= len(block)
+ if sum(len(d) for d in data) < size:
+ raise OSError("Truncated File Read")
     return b"".join(data)
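Review bot: the check `if sum(len(d) for d in data) < size:` runs after the loop has already reduced `size` with `size -= len(block)`, so it compares the bytes read against the bytes still missing rather than against the requested length. A read that stops early after delivering at least half of the requested data passes the check and returns a short string. Keep the requested length in a separate variable (or decrement a copy inside the loop) and compare against that.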

However, further up in the file in the `feed` method we have:

    # attempt to open this file
    try:
        with io.BytesIO(self.data) as fp:
            im = Image.open(fp)
    except IOError:
        # traceback.print_exc()
        pass  # not enough data

In the python3 version of this file the IOError has already been changed to OSError but not so here.

In my local copy of /usr/lib/python2.7/dist-packages/PIL/ImageFile.py I've changed line 392 from `except IOError:` to `except (IOError, OSError):` and I can confirm this has fixed the issues I've been seeing since the release of 5.1.0-1ubuntu0.6 (tracebacks with `OSError("Truncated File Read")`).

I've tried running the test suite locally (with `make test`) to submit a patch, but I'm getting lots of unrelated failures in tests (missing pytest imports, file comparisons not matching, etc.). Happy to provide more detail on that if appropriate.
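A self-contained model of the interaction described in this report, added here as an example and not taken from Pillow or from the reporter. The `Py2*` exception classes are stand-ins that reproduce the Python 2 hierarchy on any interpreter, and `open_image`, `Parser` and `run` are hypothetical simplifications of `Image.open`, `ImageFile.Parser` and a caller.

```python
import io
import struct

# Stand-ins for the Python 2 hierarchy, where IOError and OSError are
# sibling classes (on Python 3 they are the same class).
class Py2EnvironmentError(Exception): pass
class Py2IOError(Py2EnvironmentError): pass
class Py2OSError(Py2EnvironmentError): pass

def safe_read(fp, size):
    """Model of the patched short-read branch of _safe_read."""
    data = fp.read(size)
    if len(data) < size:
        raise Py2OSError("Truncated File Read")
    return data

def open_image(fp):
    """Hypothetical decoder: 4-byte big-endian length, then the payload."""
    header = fp.read(4)
    if len(header) < 4:
        raise Py2IOError("cannot identify image file")
    return safe_read(fp, struct.unpack(">I", header)[0])

class Parser(object):
    """Model of the incremental parser: buffer chunks, retry the open."""
    def __init__(self, not_enough_data):
        self.data = b""
        self.image = None
        self.not_enough_data = not_enough_data  # what feed() swallows

    def feed(self, chunk):
        self.data += chunk
        try:
            with io.BytesIO(self.data) as fp:
                self.image = open_image(fp)
        except self.not_enough_data:
            pass  # not enough data yet; wait for the next feed()

def run(not_enough_data, chunks):
    """Feed chunks; return the decoded payload or the escaping error."""
    parser = Parser(not_enough_data)
    for i, chunk in enumerate(chunks):
        try:
            parser.feed(chunk)
        except Py2OSError as exc:
            return "chunk %d raised: %s" % (i, exc)
    return parser.image

# Constructed sample: a 6-byte payload that arrives in two chunks.
CHUNKS = [struct.pack(">I", 6) + b"abc", b"def"]
```

`run(Py2IOError, CHUNKS)` models the unmodified handler and `run((Py2IOError, Py2OSError), CHUNKS)` models the widened one.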

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pillow (Ubuntu):
status: New → Confirmed
Tom Haddon (mthaddon) wrote :

This is still an issue with 5.1.0-1ubuntu0.7 of python-pil on bionic.
