MNT: protect from out-of-bounds data access at the c level

tacaswell · tacaswell · commit e50cd5b3da92 · 2019-06-06T22:38:30.000-04:00
As suggested by @cgohlke
diff --git a/lib/matplotlib/tests/test_backend_tk.py b/lib/matplotlib/tests/test_backend_tk.py
@@ -0,0 +1,30 @@
+import pytest
+import numpy as np
+from matplotlib import pyplot as plt
+from matplotlib.backends import _tkagg
+
+
+@pytest.mark.backend('TkAgg')
+def test_blit():
+    def evil_blit(photoimage, aggimage, offsets, bboxptr):
+        data = np.asarray(aggimage)
+        height, width = data.shape[:2]
+        dataptr = (height, width, data.ctypes.data)
+        _tkagg.blit(
+            photoimage.tk.interpaddr(), str(photoimage), dataptr, offsets,
+            bboxptr)
+
+    fig, ax = plt.subplots()
+    for bad_boxes in ((-1, 2, 0, 2),
+                      (2, 0, 0, 2),
+                      (1, 6, 0, 2),
+                      (0, 2, -1, 2),
+                      (0, 2, 2, 0),
+                      (0, 2, 1, 6),
+    ):
+        with pytest.raises(ValueError):
+            print(bad_boxes)
+            evil_blit(fig.canvas._tkphoto,
+                      np.ones((4, 4, 4)),
+                      (0, 1, 2, 3),
+                      bad_boxes)
diff --git a/src/_tkagg.cpp b/src/_tkagg.cpp
@@ -67,6 +67,12 @@ static PyObject *mpl_tk_blit(PyObject *self, PyObject *args)
         PyErr_SetString(PyExc_ValueError, "Failed to extract Tk_PhotoHandle");
         goto exit;
     }
+    if (0 > y1 || y1 > y2 || y2 > height ||
+        0 > x1 || x1 > x2 || x2 > width ) {
+        PyErr_SetString(PyExc_ValueError, "Attempting to draw out of bounds");
+        goto exit;
+    }
+
     block.pixelPtr = data_ptr + 4 * ((height - y2) * width + x1);
     block.width = x2 - x1;
     block.height = y2 - y1;
