import python-pillow-5.1.1-18.el8_5

This commit is contained in:
CentOS Sources 2022-02-22 12:26:49 -05:00 committed by Stepan Oksanichenko
parent 6f74b40d18
commit 348a191152
3 changed files with 134 additions and 1 deletions

View File

@ -0,0 +1,69 @@
diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
index 98a6d34..733fd29 100644
--- a/Tests/test_imagepath.py
+++ b/Tests/test_imagepath.py
@@ -67,6 +67,11 @@ class TestImagePath(PillowTestCase):
p = ImagePath.Path(arr.tostring())
self.assertEqual(list(p), [(0.0, 1.0)])
+ def test_getbbox(self):
+ for coords in (0,1):
+ p = ImagePath.Path(coords)
+ self.assertEqual(p.getbbox(), (0.0, 0.0, 0.0, 0.0))
+
def test_overflow_segfault(self):
# Some Pythons fail getting the argument as an integer, and it falls
# through to the sequence. Seeing this on 32-bit Windows.
diff --git a/src/path.c b/src/path.c
index eb1e065..5215f87 100644
--- a/src/path.c
+++ b/src/path.c
@@ -62,7 +62,7 @@ alloc_array(Py_ssize_t count)
PyErr_NoMemory();
return NULL;
}
- xy = malloc(2 * count * sizeof(double) + 1);
+ xy = calloc(2 * count + 1, sizeof(double));
if (!xy)
PyErr_NoMemory();
return xy;
@@ -330,18 +330,27 @@ path_getbbox(PyPathObject* self, PyObject* args)
xy = self->xy;
- x0 = x1 = xy[0];
- y0 = y1 = xy[1];
-
- for (i = 1; i < self->count; i++) {
- if (xy[i+i] < x0)
- x0 = xy[i+i];
- if (xy[i+i] > x1)
- x1 = xy[i+i];
- if (xy[i+i+1] < y0)
- y0 = xy[i+i+1];
- if (xy[i+i+1] > y1)
- y1 = xy[i+i+1];
+ if (self->count == 0) {
+ x0 = x1 = 0;
+ y0 = y1 = 0;
+ } else {
+ x0 = x1 = xy[0];
+ y0 = y1 = xy[1];
+
+ for (i = 1; i < self->count; i++) {
+ if (xy[i + i] < x0) {
+ x0 = xy[i + i];
+ }
+ if (xy[i + i] > x1) {
+ x1 = xy[i + i];
+ }
+ if (xy[i + i + 1] < y0) {
+ y0 = xy[i + i + 1];
+ }
+ if (xy[i + i + 1] > y1) {
+ y1 = xy[i + i + 1];
+ }
+ }
}
return Py_BuildValue("dddd", x0, y0, x1, y1);

View File

@ -0,0 +1,41 @@
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
index 2329b74..d3b7ba3 100644
--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
@@ -58,6 +58,12 @@ class TestImageMath(PillowTestCase):
self.assertEqual(pixel(
ImageMath.eval("float(B)**33", images)), "F 8589934592.0")
+ def test_prevent_exec(self):
+ self.assertRaises(ValueError, ImageMath.eval("exec('pass')"))
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
+
+
def test_logical(self):
self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
index c5bea70..13839e4 100644
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@@ -263,7 +263,18 @@ def eval(expression, _dict={}, **kw):
if hasattr(v, "im"):
args[k] = _Operand(v)
- out = builtins.eval(expression, args)
+ compiled_code = compile(expression, "<string>", "eval")
+ def scan(code):
+ for const in code.co_consts:
+ if type(const) == type(compiled_code):
+ scan(const)
+
+ for name in code.co_names:
+ if name not in args and name != "abs":
+ raise ValueError(f"'{name}' not allowed")
+
+ scan(compiled_code)
+ out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
try:
return out.im
except AttributeError:

View File

@ -8,7 +8,7 @@
Name: python-%{srcname}
Version: 5.1.1
Release: 16%{?dist}
Release: 18%{?dist}
Summary: Python image processing library
# License: see http://www.pythonware.com/products/pil/license.htm
@ -99,6 +99,20 @@ Patch17: CVE-2021-28678.patch
# Upstream fix: https://github.com/python-pillow/Pillow/pull/5567
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1982378
Patch18: CVE-2021-34552.patch
# CVE-2022-22817: PIL.ImageMath.eval allows evaluation of arbitrary expressions
# Upstream fixes:
# https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11
# https://github.com/python-pillow/Pillow/commit/f84ab3bb8a0a196a52e8a76bebed2853362629de
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2042527
Patch19: CVE-2022-22817.patch
# CVE-2022-22815 python-pillow: improperly initializes ImagePath.Path in path_getbbox() in path.c
# CVE-2022-22816 python-pillow: buffer over-read during initialization of ImagePath.Path in path_getbbox() in path.c
# Upstream fix: https://github.com/python-pillow/Pillow/commit/5543e4e2d409cd9e409bc64cdc77be0af007a31f
# Memory issue fix: https://github.com/python-pillow/Pillow/pull/5958
# Tracking bugs:
# https://bugzilla.redhat.com/show_bug.cgi?id=2042511
# https://bugzilla.redhat.com/show_bug.cgi?id=2042522
Patch20: CVE-2022-22815_CVE-2022-22816.patch
BuildRequires: freetype-devel
BuildRequires: gcc
@ -243,6 +257,15 @@ popd
%changelog
* Fri Feb 11 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-18
- Fixup for CVE-2022-22817
- Security fixes for CVE-2022-22815, CVE-2022-22816
Resolves: rhbz#2042522
* Fri Feb 04 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-17
- Fix for CVE-2022-22817
Resolves: rhbz#2042527
* Mon Aug 02 2021 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-16
- Fix for CVE-2021-34552
Resolves: rhbz#1982378