Fix Memory DOS in ImageFont

wiredfool · hugovk · commit ba65f0b08ee8 · 2021-04-01T17:17:27.000+03:00
* A corrupt or specially crafted TTF font could have font metrics that
  lead to unreasonably large sizes when rendering text in
  font. ImageFont.py did not check the image size before allocating
  memory for it.
* Found with oss-fuzz
* This dates from the PIL fork
diff --git a/Tests/fonts/oom-e8e927ba6c0d38274a37c1567560eb33baf74627.ttf b/Tests/fonts/oom-e8e927ba6c0d38274a37c1567560eb33baf74627.ttf
diff --git a/Tests/test_imagefont.py b/Tests/test_imagefont.py
@@ -997,3 +997,16 @@ def fake_version_module(module):
     # Act / Assert
     with pytest.warns(DeprecationWarning):
         ImageFont.truetype(FONT_PATH, FONT_SIZE)
+
+
+@pytest.mark.parametrize(
+    "test_file",
+    [
+        "Tests/fonts/oom-e8e927ba6c0d38274a37c1567560eb33baf74627.ttf",
+    ],
+)
+def test_oom(test_file):
+    with open(test_file, "rb") as f:
+        font = ImageFont.truetype(BytesIO(f.read()))
+        with pytest.raises(Image.DecompressionBombError):
+            font.getmask("Test Text")
diff --git a/src/PIL/ImageFont.py b/src/PIL/ImageFont.py
@@ -669,6 +669,7 @@ def getmask2(
         )
         size = size[0] + stroke_width * 2, size[1] + stroke_width * 2
         offset = offset[0] - stroke_width, offset[1] - stroke_width
+        Image._decompression_bomb_check(size)
         im = fill("RGBA" if mode == "RGBA" else "L", size, 0)
         self.font.render(
             text, im.id, mode, direction, features, language, stroke_width, ink

Original file line number	Diff line number	Diff line change
`@@ -669,6 +669,7 @@ def getmask2(`
`669`	`669`	`)`
`670`	`670`	`size = size[0] + stroke_width * 2, size[1] + stroke_width * 2`
`671`	`671`	`offset = offset[0] - stroke_width, offset[1] - stroke_width`
	`672`	`+ Image._decompression_bomb_check(size)`
`672`	`673`	`im = fill("RGBA" if mode == "RGBA" else "L", size, 0)`
`673`	`674`	`self.font.render(`
`674`	`675`	`text, im.id, mode, direction, features, language, stroke_width, ink`