Add patch to fix memory corruption

2013-08-28 20:53:27 +02:00 · 2013-08-28 20:53:27 +02:00 · 979b61e67c
commit 979b61e67c
parent d65f67c4d2
2 changed files with 44 additions and 1 deletions
--- a/python-pillow.spec
+++ b/python-pillow.spec
@ -25,7 +25,7 @@

 Name:           python-pillow
 Version:        2.1.0
-Release:        2%{?snap}%{?dist}
+Release:        3%{?snap}%{?dist}
 Summary:        Python image processing library

 # License: see http://www.pythonware.com/products/pil/license.htm
@ -38,6 +38,8 @@ Source0:        https://github.com/python-imaging/Pillow/tarball/%{commit}/pytho

 # Add s390* and ppc* archs
 Patch0:         python-pillow-archs.patch
+# Fix memory corruption caused by incorrect palette size
+Patch1:         python-pillow_bytearray.patch$

 BuildRequires:  python2-devel
 BuildRequires:  python-setuptools
@ -207,6 +209,7 @@ PIL image wrapper for Qt.
 %prep
 %setup -q -n python-imaging-Pillow-%{shortcommit}
 %patch0 -p1 -b .archs
+%patch1 -p1 -b .bytes

 %if %{with_python3}
 # Create Python 3 source tree
@ -358,6 +361,9 @@ popd
 %endif

 %changelog
+* Wed Aug 28 2013 Sandro Mani <manisandro@gmail.com> - 2.1.0-3
+- Add patch to fix memory corruption caused by invalid palette size, see rhbz#1001122
+
 * Tue Jul 30 2013 Karsten Hopp <karsten@redhat.com> 2.1.0-2
 - Build without webp support on ppc* archs (#988767)

--- a/python-pillow_bytearray.patch
+++ b/python-pillow_bytearray.patch
@ -0,0 +1,37 @@
+diff --git a/PIL/Image.py b/PIL/Image.py
+index cafc5a2..794ee49 100644
+--- a/PIL/Image.py
+++ b/PIL/Image.py
+@@ -718,7 +718,7 @@ class Image:
+         if self.mode == "L" and mode == "RGBA" and "transparency" in self.info:
+             from PIL import ImagePalette
+             self.mode = "P"
+-            bytePalette = bytes([i//3 for i in range(768)])
+            bytePalette = bytes(bytearray([i//3 for i in range(768)]))
+             self.palette = ImagePalette.raw("RGB", bytePalette)
+             self.palette.dirty = 1
+             self.load()
+diff --git a/_imaging.c b/_imaging.c
+index 2ee7eef..6ec7346 100644
+--- a/_imaging.c
+++ b/_imaging.c
+@@ -286,6 +286,7 @@ static const char* wrong_mode = "unrecognized image mode";
+ static const char* wrong_raw_mode = "unrecognized raw mode";
+ static const char* outside_image = "image index out of range";
+ static const char* outside_palette = "palette index out of range";
+static const char* wrong_palette_size = "invalid palette size";
+ static const char* no_palette = "image has no palette";
+ static const char* readonly = "image is readonly";
+ /* static const char* no_content = "image has no content"; */
+@@ -1412,6 +1413,11 @@ _putpalette(ImagingObject* self, PyObject* args)
+     return NULL;
+     }
+ 
+    if ( palettesize * 8 / bits > 256) {
+    PyErr_SetString(PyExc_ValueError, wrong_palette_size);
+    return NULL;
+    }
+
+     ImagingPaletteDelete(self->image->palette);
+ 
+     strcpy(self->image->mode, "P");