python-pillow/SOURCES/CVE-2022-22815_CVE-2022-22816.patch

70 lines
2.0 KiB
Diff
Raw Normal View History

2022-02-22 17:26:49 +00:00
diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
index 98a6d34..733fd29 100644
--- a/Tests/test_imagepath.py
+++ b/Tests/test_imagepath.py
@@ -67,6 +67,11 @@ class TestImagePath(PillowTestCase):
p = ImagePath.Path(arr.tostring())
self.assertEqual(list(p), [(0.0, 1.0)])
+ def test_getbbox(self):
+ for coords in (0,1):
+ p = ImagePath.Path(coords)
+ self.assertEqual(p.getbbox(), (0.0, 0.0, 0.0, 0.0))
+
def test_overflow_segfault(self):
# Some Pythons fail getting the argument as an integer, and it falls
# through to the sequence. Seeing this on 32-bit Windows.
diff --git a/src/path.c b/src/path.c
index eb1e065..5215f87 100644
--- a/src/path.c
+++ b/src/path.c
@@ -62,7 +62,7 @@ alloc_array(Py_ssize_t count)
PyErr_NoMemory();
return NULL;
}
- xy = malloc(2 * count * sizeof(double) + 1);
+ xy = calloc(2 * count + 1, sizeof(double));
if (!xy)
PyErr_NoMemory();
return xy;
@@ -330,18 +330,27 @@ path_getbbox(PyPathObject* self, PyObject* args)
xy = self->xy;
- x0 = x1 = xy[0];
- y0 = y1 = xy[1];
-
- for (i = 1; i < self->count; i++) {
- if (xy[i+i] < x0)
- x0 = xy[i+i];
- if (xy[i+i] > x1)
- x1 = xy[i+i];
- if (xy[i+i+1] < y0)
- y0 = xy[i+i+1];
- if (xy[i+i+1] > y1)
- y1 = xy[i+i+1];
+ if (self->count == 0) {
+ x0 = x1 = 0;
+ y0 = y1 = 0;
+ } else {
+ x0 = x1 = xy[0];
+ y0 = y1 = xy[1];
+
+ for (i = 1; i < self->count; i++) {
+ if (xy[i + i] < x0) {
+ x0 = xy[i + i];
+ }
+ if (xy[i + i] > x1) {
+ x1 = xy[i + i];
+ }
+ if (xy[i + i + 1] < y0) {
+ y0 = xy[i + i + 1];
+ }
+ if (xy[i + i + 1] > y1) {
+ y1 = xy[i + i + 1];
+ }
+ }
}
return Py_BuildValue("dddd", x0, y0, x1, y1);