Issue #24264: Fixed buffer overflow in the imageop module.
authorSerhiy Storchaka <storchaka@gmail.com>
Sun, 31 May 2015 06:05:10 +0000 (09:05 +0300)
committerSerhiy Storchaka <storchaka@gmail.com>
Sun, 31 May 2015 06:05:10 +0000 (09:05 +0300)
Lib/test/test_imageop.py
Misc/NEWS
Modules/imageop.c

index 31edbd12454bde2f1d66f16ea523662a06c52166..9589bf230ca3954bd679694c4200117f224ee584 100644 (file)
@@ -61,7 +61,9 @@ class InputValidationTests(unittest.TestCase):
         self.check("rgb82rgb")
         self.check("rgb2grey")
         self.check("grey2rgb")
-
+        # Issue #24264: Buffer overflow
+        with self.assertRaises(imageop.error):
+            imageop.grey2rgb('A'*256, 1, 129)
 
 def test_main():
 
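Review bot: The added assertion passes x = 1, so the `product % x == 0` test that this commit introduces in check_multiply_size can never be the condition that rejects the input; only the `product % y` path is exercised. A second case where the length is a multiple of y but the quotient is not a multiple of x would cover that branch, for example `imageop.grey2rgb('A'*256, 3, 64)` under its own `with self.assertRaises(imageop.error):`, assuming the string length is what reaches the check as `product`. The enclosing test method starts above the hunk, so whether other converters are already exercised with non-divisible lengths cannot be seen from here.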
index 1fd5f842051e25b4c87cc37e066dae426d88825b..4de6d0de4c01c51bbd54865dd9a1a83208583fb8 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -26,6 +26,8 @@ Core and Builtins
 Library
 -------
 
+- Issue #24264: Fixed buffer overflow in the imageop module.
+
 - Issue #5633: Fixed timeit when the statement is a string and the setup is not.
 
 - Issue #24326: Fixed audioop.ratecv() with non-default weightB argument.
index 8bd11b24c8a6dfc2e1f6e9b03c8271ccabf0ab21..b91f967eb2c5bd3c413d5380fb0a953799822d55 100644 (file)
@@ -50,8 +50,11 @@ check_multiply_size(int product, int x, const char* xname, int y, const char* yn
         return 0;
     if ( !check_coordonnate(y, yname) )
         return 0;
-    if ( size == (product / y) / x )
-        return 1;
+    if ( product % y == 0 ) {
+        product /= y;
+        if ( product % x == 0 && size == product / x )
+            return 1;
+    }
     PyErr_SetString(ImageopError, "String has incorrect length");
     return 0;
 }
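Review bot: The new divisibility test carries no comment explaining why the single truncating comparison was insufficient, and it reuses the `product` parameter as a scratch value, which hides the invariant being enforced. I would add `/* product must be exactly x * y * size; truncating division alone accepts lengths that are not a multiple of x * y */` above `if ( product % y == 0 ) {`. The `%` and `/` operations also rely on check_coordonnate having rejected zero for x and y; its body is outside the hunk, so that precondition is worth confirming and stating in the same comment. check_multiply_size begins above the hunk.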