[Image-SIG] buffer overflow in ImagingQuantize() when num cols >256
Richard Oudkerk
r.oudkerk at tiscali.co.uk
Sat Feb 5 23:25:59 CET 2005
The code
import Image
im = Image.open("Images/lena.jpg")
im = im.quantize(500)
causes a buffer overflow (and segfault) in the function
ImagingQuantize() (in the file "libImaging/Quant.c") because it tries to
copy 500*4 bytes into the palette of a "P" mode image (which only has
size 256*4 bytes).
Instead an "RGB" mode image should be returned when there are more
than 256 colours.
The following patch seems to make things work.
*** Quant.c Wed Oct 6 09:55:35 2004
--- libImaging/Quant.c Sat Feb 5 20:45:55 2005
***************
*** 1565,1570 ****
--- 1565,1583 ----
if (result) {
+ if (paletteLength > 256) {
+ imOut = ImagingNew("RGB", im->xsize, im->ysize);
+
+ for (i = y = 0; y < im->ysize; y++)
+ for (x=0; x < im->xsize; x++)
+ imOut->image32[y][x] = palette[newData[i++]].v;
+
+ free(newData);
+ free(palette);
+
+ return imOut;
+
+ } else {
imOut = ImagingNew("P", im->xsize, im->ysize);
for (i = y = 0; y < im->ysize; y++)
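Review bot: the new RGB branch dereferences `imOut->image32` right after `imOut = ImagingNew("RGB", im->xsize, im->ysize);` without checking that `ImagingNew` succeeded; on failure the loop dereferences a null pointer and `newData` and `palette` are never freed, so add `if (!imOut) { free(newData); free(palette); return NULL; }` before the loop. The lookup `palette[newData[i++]].v` also trusts every index without checking it against `paletteLength`; a cheap bound check here would turn a corrupt index into an error instead of an out-of-bounds read. Finally, callers that assume `quantize()` always yields a "P" image now get an "RGB" image for more than 256 colours; that behaviour change should be noted in the Python-level `quantize()` documentation.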
***************
*** 1592,1597 ****
--- 1605,1612 ----
return imOut;
+ }
+
} else {
return (Imaging) ImagingError_ValueError("quantization error");
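Review bot: the added `}` closes the `else {` opened in the previous hunk, but the `else` is unnecessary because the RGB branch already ends in `return imOut;`. Dropping the `else` and this closing brace keeps the existing "P" code at its current indentation and makes the diff smaller and easier to review.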
Also, in the dict ImageColor.colormap the key "lightgrey" appears twice --
the first of these should be spelt with an "a".
*** ImageColor.py Sun Dec 12 17:26:52 2004
--- PIL/ImageColor.py Sat Feb 5 19:54:36 2005
***************
*** 184,190 ****
"lightcyan": "#e0ffff",
"lightgoldenrodyellow": "#fafad2",
"lightgreen": "#90ee90",
! "lightgrey": "#d3d3d3",
"lightgrey": "#d3d3d3",
"lightpink": "#ffb6c1",
"lightsalmon": "#ffa07a",
--- 184,190 ----
"lightcyan": "#e0ffff",
"lightgoldenrodyellow": "#fafad2",
"lightgreen": "#90ee90",
! "lightgray": "#d3d3d3",
"lightgrey": "#d3d3d3",
"lightpink": "#ffb6c1",
"lightsalmon": "#ffa07a",
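Review bot: the fix is right; a duplicate key in a Python dict literal silently keeps the last value, so before this change "lightgray" was absent from the table altogether and lookups of that spelling failed while "lightgrey" worked. Worth scanning the rest of the table for other colour names that exist in both "gray" and "grey" spellings, to make sure no other pair was collapsed the same way.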
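A self-contained C illustration of the defensive side of this report, added here as an example and not code from PIL or from the patch above: a bounds-checked palette copy that refuses more than 256 entries (the unchecked form of that copy is the overflow described), the "P" versus "RGB" mode decision, and an RGB expansion that also validates each pixel index. The Pixel union, the function names and the 500-entry palette are constructed stand-ins, not Quant.c's own definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PALETTE_ENTRIES 256               /* a "P" image holds 256 RGBA entries */
#define PALETTE_BYTES (PALETTE_ENTRIES * 4) /* i.e. 1024 bytes of palette storage */

/* Hypothetical stand-in for the quantizer's pixel: 4 colour bytes or one 32-bit word. */
typedef union { struct { uint8_t r, g, b, a; } c; uint32_t v; } Pixel;

/* Only up to 256 colours fit a "P" image; anything larger must come back as "RGB". */
const char *quantize_output_mode(size_t palette_len)
{
    return palette_len > PALETTE_ENTRIES ? "RGB" : "P";
}

/* Bounds-checked palette copy. The reported bug is the unchecked version of this:
   copying palette_len * 4 bytes (2000 for quantize(500)) into a 1024-byte palette.
   Returns bytes copied, or -1 when the palette cannot fit. */
int copy_palette_checked(uint8_t dst[PALETTE_BYTES], const Pixel *pal, size_t palette_len)
{
    if (dst == NULL || pal == NULL || palette_len > PALETTE_ENTRIES)
        return -1;                        /* refuse rather than overflow */
    memcpy(dst, pal, palette_len * 4);
    return (int)(palette_len * 4);
}

/* The >256 path: expand indexed pixels through the palette into 32-bit words.
   Every index is validated against palette_len; an out-of-range index is an error. */
int expand_to_rgb(const Pixel *pal, size_t palette_len,
                  const uint32_t *idx, size_t npixels, uint32_t *out)
{
    for (size_t i = 0; i < npixels; i++) {
        if (idx[i] >= palette_len)
            return -1;                    /* never read past the palette */
        out[i] = pal[idx[i]].v;
    }
    return 0;
}

/* Constructed scenario mirroring quantize(500): returns 0 if every check behaves. */
int demo_quantize_500(void)
{
    Pixel pal[500];
    uint32_t idx[4] = {0, 255, 256, 499}, out[4];
    uint8_t pmode[PALETTE_BYTES];
    for (size_t k = 0; k < 500; k++) {
        pal[k].c.r = (uint8_t)k; pal[k].c.g = (uint8_t)(k >> 8);
        pal[k].c.b = 7; pal[k].c.a = 255;
    }
    if (copy_palette_checked(pmode, pal, 500) != -1) return 1;   /* must refuse */
    if (copy_palette_checked(pmode, pal, 256) != PALETTE_BYTES) return 2;
    if (expand_to_rgb(pal, 500, idx, 4, out) != 0 || out[3] != pal[499].v) return 3;
    idx[2] = 500;                          /* one index past the palette */
    return expand_to_rgb(pal, 500, idx, 4, out) == -1 ? 0 : 4;
}
```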