Unused code in FliDecode.c and _imaging.c has SAST security issue #8405

Open
karasovsky opened this issue Sep 23, 2024 · 3 comments · May be fixed by #8406 or #8408
Comments

@karasovsky
Hello!

According to the comments in _imaging.c there are a number of codecs that must be replaced in PIL 1.2. But PIL development was discontinued 15 years ago.


One of these codecs has a SAST security issue.


state->xsize can potentially be equal to zero, which will lead to a division-by-zero exception in ImagingFliDecode. If this code is not used, I suggest removing it.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
Reporter: Dmitriy Karasovsky ([email protected]).

@radarhere
Member

radarhere commented Sep 23, 2024

While this can be thought of as a problem by looking at that C file in isolation,
in the context of our library as a whole, images that say one of their dimensions is zero will be stopped at

Pillow/src/PIL/ImageFile.py, lines 154 to 156 in 731bcda:

```python
if not self.mode or self.size[0] <= 0 or self.size[1] <= 0:
    msg = "not identified by this driver"
    raise SyntaxError(msg)
```

Even if you consider just the C decoding process, we have

Pillow/src/decode.c, lines 189 to 192 in 731bcda:

```c
if (state->xsize <= 0 || state->xsize + state->xoff > (int)im->xsize ||
    state->ysize <= 0 || state->ysize + state->yoff > (int)im->ysize) {
    PyErr_SetString(PyExc_ValueError, "tile cannot extend outside image");
    return NULL;
```

Not saying we shouldn't fix it, merely pointing out that it should not occur in our normal operations.
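The two guards quoted above sit in front of the codec, so a zero-width tile never reaches the division. The following is an added example, not Pillow's code: it models the decode.c tile-extent check in C ahead of a toy codec step that divides by the tile width, which is the operation the SAST finding is about. The type and function names ImagingImage, CodecState, check_tile and rows_in_chunk are assumptions for this illustration, and the non-negative offset check is an addition that the quoted guard does not contain.

```c
#include <stdio.h>

/* Assumed, simplified stand-ins for Pillow's image and codec-state structs.
 * Only the fields the guard reads are modelled. */
typedef struct { int xsize, ysize; } ImagingImage;
typedef struct { int xoff, yoff, xsize, ysize; } CodecState;

enum { TILE_OK = 0, TILE_EMPTY = 1, TILE_OUT_OF_BOUNDS = 2 };

/* Same conditions as the decode.c guard quoted above, split so a caller can
 * tell an empty tile from one that spills past the image edge. Offsets are
 * additionally required to be non-negative (an addition for this example).
 * The bounds test is written as xsize > im->xsize - xoff so that a large
 * xoff cannot overflow the comparison the way xsize + xoff could. */
int check_tile(const CodecState *st, const ImagingImage *im) {
    if (st->xsize <= 0 || st->ysize <= 0) {
        return TILE_EMPTY;
    }
    if (st->xoff < 0 || st->yoff < 0) {
        return TILE_OUT_OF_BOUNDS;
    }
    if (st->xsize > im->xsize - st->xoff || st->ysize > im->ysize - st->yoff) {
        return TILE_OUT_OF_BOUNDS;
    }
    return TILE_OK;
}

/* Toy stand-in for codec-side arithmetic: how many whole rows of 8-bit
 * pixels does a chunk of chunk_bytes bytes cover? Dividing by st->xsize is
 * the kind of operation the SAST tool flagged; with xsize == 0 it would
 * trap with SIGFPE. Returns -1 if the tile is rejected, else the row count. */
long rows_in_chunk(const CodecState *st, const ImagingImage *im, long chunk_bytes) {
    if (check_tile(st, im) != TILE_OK) {
        return -1;
    }
    return chunk_bytes / st->xsize;   /* safe: xsize >= 1 past the guard */
}

int main(void) {
    /* Constructed inputs: a 64x48 image with a normal tile, a zero-width
     * tile like the flagged case, and a tile extending past the right edge. */
    ImagingImage im = { 64, 48 };
    CodecState good = { 0, 0, 64, 48 };
    CodecState zero = { 0, 0, 0, 48 };
    CodecState wide = { 8, 0, 64, 48 };

    printf("good tile: rows=%ld\n", rows_in_chunk(&good, &im, 640));
    printf("zero-width tile: rows=%ld (rejected)\n", rows_in_chunk(&zero, &im, 640));
    printf("tile past edge: rows=%ld (rejected)\n", rows_in_chunk(&wide, &im, 640));
    return 0;
}
```

The point of the split return codes is that a zero-width tile is rejected as TILE_EMPTY before any codec arithmetic runs, which is the same ordering the real decode.c guard enforces; a codec that is only ever entered through that guard cannot see xsize == 0, but a codec function that is also callable elsewhere still deserves its own check.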

@radarhere radarhere linked a pull request Sep 23, 2024 that will close this issue
@radarhere
Member

#8406 and #8408 have been created as possible ways to alleviate this concern.

@hugovk
Member

hugovk commented Sep 23, 2024

... has SAST security issue

For future reference, please see our security policy on how to report potential security issues:

https://github.com/python-pillow/Pillow?tab=security-ov-file#readme
