What did you do?
We (@DogukanK, @esraercann) discovered 3 crashes in the Python Pillow library because of 'Uncaught Exception' via specially crafted input.
What did you expect to happen?
Exceptions should be handled properly in Pillow.
What actually happened?
Crash.
- Here is the first crash log:
```
=== Uncaught Python exception: ===
error: argument out of range
Traceback (most recent call last):
  File "/home/ubuntu/targets/pillow/main.py", line 20, in TestOneInput
    pilfuzz(data)
  File "/home/ubuntu/targets/pillow/main.py", line 11, in pilfuzz
    out = im.transpose(Image.Transpose.FLIP_LEFT_RIGHT)
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/Image.py", line 2807, in transpose
    def transpose(self, method):
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/ImageFile.py", line 266, in load
    err_code = decoder.decode(b"")[1]
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/PpmImagePlugin.py", line 273, in decode
    data = self._decode_blocks(maxval)
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/PpmImagePlugin.py", line 261, in _decode_blocks
    data += o32(value) if self.mode == "I" else o8(value)
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/_binary.py", line 93, in o32le
    def o32le(i: int) -> bytes:
error: argument out of range
```
PoC:
```
>>> from PIL import Image
>>> im = Image.open("./crash-4148ce4324e2e54cc3c2c6aa369420ddbd9dee5e")
>>> im.transpose(Image.Transpose.FLIP_LEFT_RIGHT)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/Image.py", line 2818, in transpose
    self.load()
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/ImageFile.py", line 266, in load
    err_code = decoder.decode(b"")[1]
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/PpmImagePlugin.py", line 273, in decode
    data = self._decode_blocks(maxval)
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/PpmImagePlugin.py", line 261, in _decode_blocks
    data += o32(value) if self.mode == "I" else o8(value)
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/_binary.py", line 94, in o32le
    return pack("<I", i)
struct.error: argument out of range
```
- Here is the second crash:
```
>>> from PIL import Image, ImageFilter
>>> im = Image.open("./crash-73c3d4dca546775e83ea511a0fc882f3c5b6f60a")
>>> im.filter(ImageFilter.DETAIL)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/Image.py", line 1281, in filter
    self.load()
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/GbrImagePlugin.py", line 94, in load
    self.frombytes(self.fp.read(self._data_size))
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/Image.py", line 810, in frombytes
    d.setimage(self.im)
MemoryError
```
```
=== Uncaught Python exception: ===
OverflowError: Python int too large to convert to C ssize_t
Traceback (most recent call last):
  File "/home/ubuntu/targets/pillow/main.py", line 16, in TestOneInput
    pilfuzz(data)
  File "/home/ubuntu/targets/pillow/main.py", line 10, in pilfuzz
    with Image.open(io.BytesIO(data)) as im:
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/Image.py", line 3258, in open
    preinit()
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/Image.py", line 3273, in _open_core
    fp.seek(0)
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/TiffImagePlugin.py", line 1082, in __init__
    super().__init__(fp, filename)
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/ImageFile.py", line 137, in __init__
    self._open()
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/TiffImagePlugin.py", line 1109, in _open
    self._seek(0)
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/TiffImagePlugin.py", line 1150, in _seek
    self.fp.seek(self.__next)
OverflowError: Python int too large to convert to C ssize_t
```
PoC:
```
Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from PIL import Image
>>> im = Image.open("./crash-ecd6f7d1583338a2a2c4aaee944b0b3371f4f926")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/Image.py", line 3293, in open
    im = _open_core(
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/Image.py", line 3274, in _open_core
    im = factory(fp, filename)
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/TiffImagePlugin.py", line 1082, in __init__
    super().__init__(fp, filename)
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/ImageFile.py", line 137, in __init__
    self._open()
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/TiffImagePlugin.py", line 1109, in _open
    self._seek(0)
  File "/home/ubuntu/.local/lib/python3.10/site-packages/PIL/TiffImagePlugin.py", line 1150, in _seek
    self.fp.seek(self.__next)
ValueError: cannot fit 'int' into an offset-sized integer
```
What are your OS, Python and Pillow versions?
- Python3 Version: Python 3.10.12
- PIL Version: 10.2.0
- OS: Ubuntu 22.04.3 LTS 5.15.0-84-generic x86/64
Crash Files
Archive.zip
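Added example, not part of the original report and not Pillow's code or its fix: a standard-library sketch of the two low-level calls that fail in the tracebacks above (`pack("<I", i)` and `fp.seek(...)` on a value taken from the file), next to a range-checked form and a caller-side guard. The names `InvalidImageData`, `pack_sample`, `checked_seek`, `guarded` and `error_name` are hypothetical, and the sample bytes are constructed.

```python
import io
import struct


class InvalidImageData(Exception):
    """One error type for callers that handle untrusted image bytes."""


# Exception classes that appear in the tracebacks on this page.
PARSER_ERRORS = (struct.error, OverflowError, ValueError, MemoryError)


def pack_sample(value, wide):
    """Range-check a parsed sample before packing it as uint32 or uint8."""
    limit = 0xFFFFFFFF if wide else 0xFF
    if not 0 <= value <= limit:
        raise InvalidImageData(f"sample {value} outside 0..{limit}")
    return struct.pack("<I", value) if wide else bytes([value])


def checked_seek(fp, offset, stream_size):
    """Validate an offset read from file contents before seeking to it."""
    if not 0 <= offset <= stream_size:
        raise InvalidImageData(f"offset {offset} outside {stream_size}-byte stream")
    fp.seek(offset)


def guarded(fn, *args):
    """Caller-side net: map low-level parser errors to InvalidImageData."""
    try:
        return fn(*args)
    except PARSER_ERRORS as exc:
        raise InvalidImageData(f"{type(exc).__name__}: {exc}") from exc


def error_name(fn, *args):
    """Return the class name of the exception fn raises, or None."""
    try:
        fn(*args)
    except Exception as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    buf = io.BytesIO(b"constructed sample bytes")  # constructed input
    print(error_name(struct.pack, "<I", 2**32))      # unchecked pack
    print(error_name(buf.seek, 2**64))               # unchecked seek
    print(error_name(pack_sample, 2**32, True))      # checked pack
    print(error_name(checked_seek, buf, 2**64, 24))  # checked seek
    print(error_name(guarded, buf.seek, 2**64))      # guard at the call site
```

`struct.error` derives directly from `Exception` and `OverflowError` from `ArithmeticError`, so an application that catches only `OSError` or `ValueError` around image decoding does not catch either of them.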