#4317: Fix an Array Bounds Read in imageop.rgb2rgb8.

amaury.forgeotdarc · amaury.forgeotdarc · commit bd7299b6780b · 2008-11-18T22:19:37.000Z
Will backport to 2.4. git-svn-id: http://svn.python.org/projects/python/trunk@67266 6015fed2-1504-0410-9fe1-9d1591cc4771
diff --git a/Lib/test/test_imageop.py b/Lib/test/test_imageop.py
@@ -15,6 +15,7 @@
 _VALUES = (1, 2, 2**10, 2**15-1, 2**15, 2**15+1, 2**31-2, 2**31-1)
 VALUES = tuple( -x for x in reversed(_VALUES) ) + (0,) + _VALUES
 AAAAA = "A" * 1024
+MAX_LEN = 2**20
 
 
 class InputValidationTests(unittest.TestCase):
@@ -26,7 +27,7 @@ def _check(self, name, size=None, *extra):
                 strlen = abs(width * height)
                 if size:
                     strlen *= size
-                if strlen < 1024:
+                if strlen < MAX_LEN:
                     data = "A" * strlen
                 else:
                     data = AAAAA
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -12,6 +12,8 @@ What's New in Python 2.7 alpha 1
 Core and Builtins
 -----------------
 
+- Issue #4317: Fixed a crash in the imageop.rgb2rgb8() function.
+
 - Issue #4230: If ``__getattr__`` is a descriptor, it now functions correctly.
 
 - Issue #4048: The parser module now correctly validates relative imports.
diff --git a/Modules/imageop.c b/Modules/imageop.c
@@ -590,7 +590,7 @@ imageop_rgb2rgb8(PyObject *self, PyObject *args)
 	if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
 		return 0;
 
-	if ( !check_multiply_size(len*4, x, "x", y, "y", 4) )
+	if ( !check_multiply_size(len, x, "x", y, "y", 4) )
 		return 0;
 	nlen = x*y;
 	if ( !check_multiply(nlen, x, y) )
