Open karasovsky opened 6 days ago
While this can be thought of as a problem by looking at that C file in isolation, in the context of our library as a whole, images that say one of their dimensions is zero will be stopped at https://github.com/python-pillow/Pillow/blob/731bcda904544d9d26bce268eca3a5cb4fcc1c46/src/PIL/ImageFile.py#L154-L156
Even if you consider just the C decoding process, we have https://github.com/python-pillow/Pillow/blob/731bcda904544d9d26bce268eca3a5cb4fcc1c46/src/decode.c#L189-L192
Not saying we shouldn't fix it, merely pointing out that it should not occur in our normal operations.
... has SAST security issue
For future reference, please see our security policy on how to report potential security issues:
https://github.com/python-pillow/Pillow?tab=security-ov-file#readme
Hello!
According to the comments in _imaging.c thers is number of codecs, that must be replaced in PIL 1.2. But PIL development was discontinued 15 years ago.
One of this codecs has SAST security issue.
state->xsize
potentially be equal to zero, which will lead to division by zero exception inImagingFliDecode
. If this code is not used, I suggest remove it.Found by Linux Verification Center (linuxtesting.org) with SVACE. Reporter: Dmitriy Karasovsky (d.karasovsky@fobos-nt.ru).