PCD decoder overruns the shuffle buffer, Fixes #568

wiredfool · wiredfool · commit ae453aa18b66 · 2016-02-02T05:46:26.000-08:00
diff --git a/Tests/images/hopper.pcd b/Tests/images/hopper.pcd
diff --git a/Tests/test_file_pcd.py b/Tests/test_file_pcd.py
@@ -0,0 +1,18 @@
+from helper import unittest, PillowTestCase, hopper
+from PIL import Image
+
+class TestFilePcd(PillowTestCase):
+
+    def test_load_raw(self):
+        im = Image.open('Tests/images/hopper.pcd')
+        im.load() # should not segfault.
+
+        # Note that this image was created with a resized hopper
+        # image, which was then converted to pcd with imagemagick
+        # and the colors are wonky in Pillow.  It's unclear if this
+        # is a pillow or a convert issue, as other images not generated
+        # from convert look find on pillow and not imagemagick.
+        
+        #target = hopper().resize((768,512))
+        #self.assert_image_similar(im, target, 10)
+
diff --git a/libImaging/PcdDecode.c b/libImaging/PcdDecode.c
@@ -47,7 +47,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
 	    out[0] = ptr[x];
 	    out[1] = ptr[(x+4*state->xsize)/2];
 	    out[2] = ptr[(x+5*state->xsize)/2];
-	    out += 4;
+	    out += 3;
 	}
 
 	state->shuffle((UINT8*) im->image[state->y],
@@ -62,7 +62,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
 	    out[0] = ptr[x+state->xsize];
 	    out[1] = ptr[(x+4*state->xsize)/2];
 	    out[2] = ptr[(x+5*state->xsize)/2];
-	    out += 4;
+	    out += 3;
 	}
 
 	state->shuffle((UINT8*) im->image[state->y],
