import python-pillow-5.1.1-15.el8
This commit is contained in:
parent
10f28418dc
commit
bd916774b2
|
@ -0,0 +1,130 @@
|
||||||
|
From 9c781aa2020eef838284dcb348f4528f3c3cc1ab Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lumir Balhar <lbalhar@redhat.com>
|
||||||
|
Date: Mon, 14 Jun 2021 09:06:07 +0200
|
||||||
|
Subject: [PATCH 1/5] CVE-2021-25287_25288
|
||||||
|
|
||||||
|
---
|
||||||
|
src/libImaging/Jpeg2KDecode.c | 78 +++++++++++++++++++++++++++--------
|
||||||
|
1 file changed, 61 insertions(+), 17 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libImaging/Jpeg2KDecode.c b/src/libImaging/Jpeg2KDecode.c
|
||||||
|
index 9140e00..fdbd0c0 100644
|
||||||
|
--- a/src/libImaging/Jpeg2KDecode.c
|
||||||
|
+++ b/src/libImaging/Jpeg2KDecode.c
|
||||||
|
@@ -110,6 +110,7 @@ j2ku_gray_l(opj_image_t *in, const JPEG2KTILEINFO *tileinfo,
|
||||||
|
if (shift < 0)
|
||||||
|
offset += 1 << (-shift - 1);
|
||||||
|
|
||||||
|
+ /* csiz*h*w + offset = tileinfo.datasize */
|
||||||
|
switch (csiz) {
|
||||||
|
case 1:
|
||||||
|
for (y = 0; y < h; ++y) {
|
||||||
|
@@ -557,8 +558,10 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
|
||||||
|
opj_dparameters_t params;
|
||||||
|
OPJ_COLOR_SPACE color_space;
|
||||||
|
j2k_unpacker_t unpack = NULL;
|
||||||
|
- size_t buffer_size = 0;
|
||||||
|
- unsigned n;
|
||||||
|
+ size_t buffer_size = 0, tile_bytes = 0;
|
||||||
|
+ unsigned n, tile_height, tile_width;
|
||||||
|
+ int total_component_width = 0;
|
||||||
|
+
|
||||||
|
|
||||||
|
stream = opj_stream_create(BUFFER_SIZE, OPJ_TRUE);
|
||||||
|
|
||||||
|
@@ -703,8 +706,62 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
|
||||||
|
tile_info.x1 = (tile_info.x1 + correction) >> context->reduce;
|
||||||
|
tile_info.y1 = (tile_info.y1 + correction) >> context->reduce;
|
||||||
|
|
||||||
|
+ /* Check the tile bounds; if the tile is outside the image area,
|
||||||
|
+ or if it has a negative width or height (i.e. the coordinates are
|
||||||
|
+ swapped), bail. */
|
||||||
|
+ if (tile_info.x0 >= tile_info.x1
|
||||||
|
+ || tile_info.y0 >= tile_info.y1
|
||||||
|
+ || tile_info.x0 < image->x0
|
||||||
|
+ || tile_info.y0 < image->y0
|
||||||
|
+ || tile_info.x1 - image->x0 > im->xsize
|
||||||
|
+ || tile_info.y1 - image->y0 > im->ysize) {
|
||||||
|
+ state->errcode = IMAGING_CODEC_BROKEN;
|
||||||
|
+ state->state = J2K_STATE_FAILED;
|
||||||
|
+ goto quick_exit;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (tile_info.nb_comps != image->numcomps) {
|
||||||
|
+ state->errcode = IMAGING_CODEC_BROKEN;
|
||||||
|
+ state->state = J2K_STATE_FAILED;
|
||||||
|
+ goto quick_exit;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Sometimes the tile_info.datasize we get back from openjpeg
|
||||||
|
+ is less than sum(comp_bytes)*w*h, and we overflow in the
|
||||||
|
+ shuffle stage */
|
||||||
|
+
|
||||||
|
+ tile_width = tile_info.x1 - tile_info.x0;
|
||||||
|
+ tile_height = tile_info.y1 - tile_info.y0;
|
||||||
|
+
|
||||||
|
+ /* Total component width = sum (component_width) e.g, it's
|
||||||
|
+ legal for an la file to have a 1 byte width for l, and 4 for
|
||||||
|
+ a. and then a malicious file could have a smaller tile_bytes
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ for (n=0; n < tile_info.nb_comps; n++) {
|
||||||
|
+ // see csize /acsize calcs
|
||||||
|
+ int csize = (image->comps[n].prec + 7) >> 3;
|
||||||
|
+ csize = (csize == 3) ? 4 : csize;
|
||||||
|
+ total_component_width += csize;
|
||||||
|
+ }
|
||||||
|
+ if ((tile_width > UINT_MAX / total_component_width) ||
|
||||||
|
+ (tile_height > UINT_MAX / total_component_width) ||
|
||||||
|
+ (tile_width > UINT_MAX / (tile_height * total_component_width)) ||
|
||||||
|
+ (tile_height > UINT_MAX / (tile_width * total_component_width))) {
|
||||||
|
+
|
||||||
|
+ state->errcode = IMAGING_CODEC_BROKEN;
|
||||||
|
+ state->state = J2K_STATE_FAILED;
|
||||||
|
+ goto quick_exit;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ tile_bytes = tile_width * tile_height * total_component_width;
|
||||||
|
+
|
||||||
|
+ if (tile_bytes > tile_info.data_size) {
|
||||||
|
+ tile_info.data_size = tile_bytes;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (buffer_size < tile_info.data_size) {
|
||||||
|
- /* malloc check ok, tile_info.data_size from openjpeg */
|
||||||
|
+ /* malloc check ok, overflow and tile size sanity check above */
|
||||||
|
UINT8 *new = realloc (state->buffer, tile_info.data_size);
|
||||||
|
if (!new) {
|
||||||
|
state->errcode = IMAGING_CODEC_MEMORY;
|
||||||
|
@@ -715,6 +772,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
|
||||||
|
buffer_size = tile_info.data_size;
|
||||||
|
}
|
||||||
|
|
||||||
|
+
|
||||||
|
if (!opj_decode_tile_data(codec,
|
||||||
|
tile_info.tile_index,
|
||||||
|
(OPJ_BYTE *)state->buffer,
|
||||||
|
@@ -725,20 +783,6 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
|
||||||
|
goto quick_exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Check the tile bounds; if the tile is outside the image area,
|
||||||
|
- or if it has a negative width or height (i.e. the coordinates are
|
||||||
|
- swapped), bail. */
|
||||||
|
- if (tile_info.x0 >= tile_info.x1
|
||||||
|
- || tile_info.y0 >= tile_info.y1
|
||||||
|
- || tile_info.x0 < image->x0
|
||||||
|
- || tile_info.y0 < image->y0
|
||||||
|
- || tile_info.x1 - image->x0 > im->xsize
|
||||||
|
- || tile_info.y1 - image->y0 > im->ysize) {
|
||||||
|
- state->errcode = IMAGING_CODEC_BROKEN;
|
||||||
|
- state->state = J2K_STATE_FAILED;
|
||||||
|
- goto quick_exit;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
unpack(image, &tile_info, state->buffer, im);
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
|
@ -0,0 +1,146 @@
|
||||||
|
From 7fe3dff241c11206616bf6229be898854ce0d066 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lumir Balhar <lbalhar@redhat.com>
|
||||||
|
Date: Mon, 14 Jun 2021 11:33:36 +0200
|
||||||
|
Subject: [PATCH] CVE-2021-28675
|
||||||
|
|
||||||
|
---
|
||||||
|
src/PIL/ImageFile.py | 12 ++++++++++--
|
||||||
|
src/PIL/PsdImagePlugin.py | 33 +++++++++++++++++++++++----------
|
||||||
|
2 files changed, 33 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/PIL/ImageFile.py b/src/PIL/ImageFile.py
|
||||||
|
index 1a3c4aa..2cef9ee 100644
|
||||||
|
--- a/src/PIL/ImageFile.py
|
||||||
|
+++ b/src/PIL/ImageFile.py
|
||||||
|
@@ -522,12 +522,18 @@ def _safe_read(fp, size):
|
||||||
|
|
||||||
|
:param fp: File handle. Must implement a <b>read</b> method.
|
||||||
|
:param size: Number of bytes to read.
|
||||||
|
- :returns: A string containing up to <i>size</i> bytes of data.
|
||||||
|
+ :returns: A string containing <i>size</i> bytes of data.
|
||||||
|
+
|
||||||
|
+ Raises an OSError if the file is truncated and the read can not be completed
|
||||||
|
+
|
||||||
|
"""
|
||||||
|
if size <= 0:
|
||||||
|
return b""
|
||||||
|
if size <= SAFEBLOCK:
|
||||||
|
- return fp.read(size)
|
||||||
|
+ data = fp.read(size)
|
||||||
|
+ if len(data) < size:
|
||||||
|
+ raise OSError("Truncated File Read")
|
||||||
|
+ return data
|
||||||
|
data = []
|
||||||
|
while size > 0:
|
||||||
|
block = fp.read(min(size, SAFEBLOCK))
|
||||||
|
@@ -535,6 +541,8 @@ def _safe_read(fp, size):
|
||||||
|
break
|
||||||
|
data.append(block)
|
||||||
|
size -= len(block)
|
||||||
|
+ if sum(len(d) for d in data) < size:
|
||||||
|
+ raise OSError("Truncated File Read")
|
||||||
|
return b"".join(data)
|
||||||
|
|
||||||
|
|
||||||
|
diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py
|
||||||
|
index fe2a2ff..add9996 100644
|
||||||
|
--- a/src/PIL/PsdImagePlugin.py
|
||||||
|
+++ b/src/PIL/PsdImagePlugin.py
|
||||||
|
@@ -18,6 +18,8 @@
|
||||||
|
|
||||||
|
__version__ = "0.4"
|
||||||
|
|
||||||
|
+import io
|
||||||
|
+
|
||||||
|
from . import Image, ImageFile, ImagePalette
|
||||||
|
from ._binary import i8, i16be as i16, i32be as i32
|
||||||
|
|
||||||
|
@@ -114,7 +116,8 @@ class PsdImageFile(ImageFile.ImageFile):
|
||||||
|
end = self.fp.tell() + size
|
||||||
|
size = i32(read(4))
|
||||||
|
if size:
|
||||||
|
- self.layers = _layerinfo(self.fp)
|
||||||
|
+ _layer_data = io.BytesIO(ImageFile._safe_read(self.fp, size))
|
||||||
|
+ self.layers = _layerinfo(_layer_data, size)
|
||||||
|
self.fp.seek(end)
|
||||||
|
|
||||||
|
#
|
||||||
|
@@ -164,11 +167,20 @@ class PsdImageFile(ImageFile.ImageFile):
|
||||||
|
Image.Image.load(self)
|
||||||
|
|
||||||
|
|
||||||
|
-def _layerinfo(file):
|
||||||
|
+def _layerinfo(fp, ct_bytes):
|
||||||
|
# read layerinfo block
|
||||||
|
layers = []
|
||||||
|
- read = file.read
|
||||||
|
- for i in range(abs(i16(read(2)))):
|
||||||
|
+
|
||||||
|
+ def read(size):
|
||||||
|
+ return ImageFile._safe_read(fp, size)
|
||||||
|
+
|
||||||
|
+ ct = i16(read(2))
|
||||||
|
+
|
||||||
|
+ # sanity check
|
||||||
|
+ if ct_bytes < (abs(ct) * 20):
|
||||||
|
+ raise SyntaxError("Layer block too short for number of layers requested")
|
||||||
|
+
|
||||||
|
+ for i in range(abs(ct)):
|
||||||
|
|
||||||
|
# bounding box
|
||||||
|
y0 = i32(read(4))
|
||||||
|
@@ -179,7 +191,8 @@ def _layerinfo(file):
|
||||||
|
# image info
|
||||||
|
info = []
|
||||||
|
mode = []
|
||||||
|
- types = list(range(i16(read(2))))
|
||||||
|
+ ct_types = i16(read(2))
|
||||||
|
+ types = list(range(ct_types))
|
||||||
|
if len(types) > 4:
|
||||||
|
continue
|
||||||
|
|
||||||
|
@@ -212,7 +225,7 @@ def _layerinfo(file):
|
||||||
|
size = i32(read(4)) # length of the extra data field
|
||||||
|
combined = 0
|
||||||
|
if size:
|
||||||
|
- data_end = file.tell() + size
|
||||||
|
+ data_end = fp.tell() + size
|
||||||
|
|
||||||
|
length = i32(read(4))
|
||||||
|
if length:
|
||||||
|
@@ -220,12 +233,12 @@ def _layerinfo(file):
|
||||||
|
mask_x = i32(read(4))
|
||||||
|
mask_h = i32(read(4)) - mask_y
|
||||||
|
mask_w = i32(read(4)) - mask_x
|
||||||
|
- file.seek(length - 16, 1)
|
||||||
|
+ fp.seek(length - 16, 1)
|
||||||
|
combined += length + 4
|
||||||
|
|
||||||
|
length = i32(read(4))
|
||||||
|
if length:
|
||||||
|
- file.seek(length, 1)
|
||||||
|
+ fp.seek(length, 1)
|
||||||
|
combined += length + 4
|
||||||
|
|
||||||
|
length = i8(read(1))
|
||||||
|
@@ -235,7 +248,7 @@ def _layerinfo(file):
|
||||||
|
name = read(length).decode('latin-1', 'replace')
|
||||||
|
combined += length + 1
|
||||||
|
|
||||||
|
- file.seek(data_end)
|
||||||
|
+ fp.seek(data_end)
|
||||||
|
layers.append((name, mode, (x0, y0, x1, y1)))
|
||||||
|
|
||||||
|
# get tiles
|
||||||
|
@@ -243,7 +256,7 @@ def _layerinfo(file):
|
||||||
|
for name, mode, bbox in layers:
|
||||||
|
tile = []
|
||||||
|
for m in mode:
|
||||||
|
- t = _maketile(file, m, bbox, 1)
|
||||||
|
+ t = _maketile(fp, m, bbox, 1)
|
||||||
|
if t:
|
||||||
|
tile.extend(t)
|
||||||
|
layers[i] = name, mode, bbox, tile
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
|
@ -0,0 +1,28 @@
|
||||||
|
From cedb7ba568161021bc2f2f48af95fcf33e262f77 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lumir Balhar <lbalhar@redhat.com>
|
||||||
|
Date: Mon, 14 Jun 2021 09:30:01 +0200
|
||||||
|
Subject: [PATCH 4/5] CVE-2021-28676
|
||||||
|
|
||||||
|
---
|
||||||
|
src/libImaging/FliDecode.c | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
|
||||||
|
index 72ba138..9181b8b 100644
|
||||||
|
--- a/src/libImaging/FliDecode.c
|
||||||
|
+++ b/src/libImaging/FliDecode.c
|
||||||
|
@@ -209,6 +209,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
advance = I32(ptr);
|
||||||
|
+ if (advance == 0 ) {
|
||||||
|
+ // If there's no advance, we're in in infinite loop
|
||||||
|
+ state->errcode = IMAGING_CODEC_BROKEN;
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
ptr += advance;
|
||||||
|
bytes -= advance;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
|
@ -0,0 +1,41 @@
|
||||||
|
From 8ad7b436649c424e22689a8a874c1b0cd7c1c0fc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lumir Balhar <lbalhar@redhat.com>
|
||||||
|
Date: Mon, 14 Jun 2021 09:22:45 +0200
|
||||||
|
Subject: [PATCH 3/5] CVE-2021-28677
|
||||||
|
|
||||||
|
---
|
||||||
|
src/PIL/EpsImagePlugin.py | 8 ++++----
|
||||||
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/PIL/EpsImagePlugin.py b/src/PIL/EpsImagePlugin.py
|
||||||
|
index b503487..5f5af15 100644
|
||||||
|
--- a/src/PIL/EpsImagePlugin.py
|
||||||
|
+++ b/src/PIL/EpsImagePlugin.py
|
||||||
|
@@ -167,12 +167,12 @@ class PSFile(object):
|
||||||
|
self.fp.seek(offset, whence)
|
||||||
|
|
||||||
|
def readline(self):
|
||||||
|
- s = self.char or b""
|
||||||
|
+ s = [self.char or b""]
|
||||||
|
self.char = None
|
||||||
|
|
||||||
|
c = self.fp.read(1)
|
||||||
|
- while c not in b"\r\n":
|
||||||
|
- s = s + c
|
||||||
|
+ while (c not in b"\r\n") and len(c):
|
||||||
|
+ s.append(c)
|
||||||
|
c = self.fp.read(1)
|
||||||
|
|
||||||
|
self.char = self.fp.read(1)
|
||||||
|
@@ -180,7 +180,7 @@ class PSFile(object):
|
||||||
|
if self.char in b"\r\n":
|
||||||
|
self.char = None
|
||||||
|
|
||||||
|
- return s.decode('latin-1')
|
||||||
|
+ return b"".join(s).decode("latin-1")
|
||||||
|
|
||||||
|
|
||||||
|
def _accept(prefix):
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
|
@ -0,0 +1,122 @@
|
||||||
|
From eaef29c3696cd021147e692360997f4c12377c60 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lumir Balhar <lbalhar@redhat.com>
|
||||||
|
Date: Mon, 14 Jun 2021 09:19:50 +0200
|
||||||
|
Subject: [PATCH 2/5] CVE-2021-28678
|
||||||
|
|
||||||
|
---
|
||||||
|
src/PIL/BlpImagePlugin.py | 43 +++++++++++++++++++++------------------
|
||||||
|
1 file changed, 23 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
|
||||||
|
index d56d46c..846c83d 100644
|
||||||
|
--- a/src/PIL/BlpImagePlugin.py
|
||||||
|
+++ b/src/PIL/BlpImagePlugin.py
|
||||||
|
@@ -294,33 +294,36 @@ class _BLPBaseDecoder(ImageFile.PyDecoder):
|
||||||
|
raise IOError("Truncated Blp file")
|
||||||
|
return 0, 0
|
||||||
|
|
||||||
|
+ def _safe_read(self, length):
|
||||||
|
+ return ImageFile._safe_read(self.fd, length)
|
||||||
|
+
|
||||||
|
def _read_palette(self):
|
||||||
|
ret = []
|
||||||
|
for i in range(256):
|
||||||
|
try:
|
||||||
|
- b, g, r, a = struct.unpack("<4B", self.fd.read(4))
|
||||||
|
+ b, g, r, a = struct.unpack("<4B", self._safe_read(4))
|
||||||
|
except struct.error:
|
||||||
|
break
|
||||||
|
ret.append((b, g, r, a))
|
||||||
|
return ret
|
||||||
|
|
||||||
|
def _read_blp_header(self):
|
||||||
|
- self._blp_compression, = struct.unpack("<i", self.fd.read(4))
|
||||||
|
+ self._blp_compression, = struct.unpack("<i", self._safe_read(4))
|
||||||
|
|
||||||
|
- self._blp_encoding, = struct.unpack("<b", self.fd.read(1))
|
||||||
|
- self._blp_alpha_depth, = struct.unpack("<b", self.fd.read(1))
|
||||||
|
- self._blp_alpha_encoding, = struct.unpack("<b", self.fd.read(1))
|
||||||
|
- self._blp_mips, = struct.unpack("<b", self.fd.read(1))
|
||||||
|
+ self._blp_encoding, = struct.unpack("<b", self._safe_read(1))
|
||||||
|
+ self._blp_alpha_depth, = struct.unpack("<b", self._safe_read(1))
|
||||||
|
+ self._blp_alpha_encoding, = struct.unpack("<b", self._safe_read(1))
|
||||||
|
+ self._blp_mips, = struct.unpack("<b", self._safe_read(1))
|
||||||
|
|
||||||
|
- self.size = struct.unpack("<II", self.fd.read(8))
|
||||||
|
+ self.size = struct.unpack("<II", self._safe_read(8))
|
||||||
|
|
||||||
|
if self.magic == b"BLP1":
|
||||||
|
# Only present for BLP1
|
||||||
|
- self._blp_encoding, = struct.unpack("<i", self.fd.read(4))
|
||||||
|
- self._blp_subtype, = struct.unpack("<i", self.fd.read(4))
|
||||||
|
+ self._blp_encoding, = struct.unpack("<i", self._safe_read(4))
|
||||||
|
+ self._blp_subtype, = struct.unpack("<i", self._safe_read(4))
|
||||||
|
|
||||||
|
- self._blp_offsets = struct.unpack("<16I", self.fd.read(16 * 4))
|
||||||
|
- self._blp_lengths = struct.unpack("<16I", self.fd.read(16 * 4))
|
||||||
|
+ self._blp_offsets = struct.unpack("<16I", self._safe_read(16 * 4))
|
||||||
|
+ self._blp_lengths = struct.unpack("<16I", self._safe_read(16 * 4))
|
||||||
|
|
||||||
|
|
||||||
|
class BLP1Decoder(_BLPBaseDecoder):
|
||||||
|
@@ -333,7 +336,7 @@ class BLP1Decoder(_BLPBaseDecoder):
|
||||||
|
if self._blp_encoding in (4, 5):
|
||||||
|
data = bytearray()
|
||||||
|
palette = self._read_palette()
|
||||||
|
- _data = BytesIO(self.fd.read(self._blp_lengths[0]))
|
||||||
|
+ _data = BytesIO(self._safe_read(self._blp_lengths[0]))
|
||||||
|
while True:
|
||||||
|
try:
|
||||||
|
offset, = struct.unpack("<B", _data.read(1))
|
||||||
|
@@ -355,10 +358,10 @@ class BLP1Decoder(_BLPBaseDecoder):
|
||||||
|
def _decode_jpeg_stream(self):
|
||||||
|
from PIL.JpegImagePlugin import JpegImageFile
|
||||||
|
|
||||||
|
- jpeg_header_size, = struct.unpack("<I", self.fd.read(4))
|
||||||
|
- jpeg_header = self.fd.read(jpeg_header_size)
|
||||||
|
- self.fd.read(self._blp_offsets[0] - self.fd.tell()) # What IS this?
|
||||||
|
- data = self.fd.read(self._blp_lengths[0])
|
||||||
|
+ jpeg_header_size, = struct.unpack("<I", self._safe_read(4))
|
||||||
|
+ jpeg_header = self._safe_read(jpeg_header_size)
|
||||||
|
+ self._safe_read(self._blp_offsets[0] - self.fd.tell()) # What IS this?
|
||||||
|
+ data = self._safe_read(self._blp_lengths[0])
|
||||||
|
data = jpeg_header + data
|
||||||
|
data = BytesIO(data)
|
||||||
|
image = JpegImageFile(data)
|
||||||
|
@@ -380,7 +383,7 @@ class BLP2Decoder(_BLPBaseDecoder):
|
||||||
|
# Uncompressed or DirectX compression
|
||||||
|
|
||||||
|
if self._blp_encoding == BLP_ENCODING_UNCOMPRESSED:
|
||||||
|
- _data = BytesIO(self.fd.read(self._blp_lengths[0]))
|
||||||
|
+ _data = BytesIO(self._safe_read(self._blp_lengths[0]))
|
||||||
|
while True:
|
||||||
|
try:
|
||||||
|
offset, = struct.unpack("<B", _data.read(1))
|
||||||
|
@@ -394,7 +397,7 @@ class BLP2Decoder(_BLPBaseDecoder):
|
||||||
|
linesize = (self.size[0] + 3) // 4 * 8
|
||||||
|
for yb in range((self.size[1] + 3) // 4):
|
||||||
|
for d in decode_dxt1(
|
||||||
|
- self.fd.read(linesize),
|
||||||
|
+ self._safe_read(linesize),
|
||||||
|
alpha=bool(self._blp_alpha_depth)
|
||||||
|
):
|
||||||
|
data += d
|
||||||
|
@@ -402,13 +405,13 @@ class BLP2Decoder(_BLPBaseDecoder):
|
||||||
|
elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT3:
|
||||||
|
linesize = (self.size[0] + 3) // 4 * 16
|
||||||
|
for yb in range((self.size[1] + 3) // 4):
|
||||||
|
- for d in decode_dxt3(self.fd.read(linesize)):
|
||||||
|
+ for d in decode_dxt3(self._safe_read(linesize)):
|
||||||
|
data += d
|
||||||
|
|
||||||
|
elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT5:
|
||||||
|
linesize = (self.size[0] + 3) // 4 * 16
|
||||||
|
for yb in range((self.size[1] + 3) // 4):
|
||||||
|
- for d in decode_dxt5(self.fd.read(linesize)):
|
||||||
|
+ for d in decode_dxt5(self._safe_read(linesize)):
|
||||||
|
data += d
|
||||||
|
else:
|
||||||
|
raise BLPFormatError("Unsupported alpha encoding %r" % (
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
|
|
||||||
Name: python-%{srcname}
|
Name: python-%{srcname}
|
||||||
Version: 5.1.1
|
Version: 5.1.1
|
||||||
Release: 14%{?dist}
|
Release: 15%{?dist}
|
||||||
Summary: Python image processing library
|
Summary: Python image processing library
|
||||||
|
|
||||||
# License: see http://www.pythonware.com/products/pil/license.htm
|
# License: see http://www.pythonware.com/products/pil/license.htm
|
||||||
|
@ -70,6 +70,30 @@ Patch11: CVE-2021-25293.patch
|
||||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27922
|
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27922
|
||||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27923
|
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27923
|
||||||
Patch12: CVE-2021-27921_27922_27923.patch
|
Patch12: CVE-2021-27921_27922_27923.patch
|
||||||
|
# CVE-2021-25288 and 25287 out-of-bounds read in J2kDecode in j2ku_gray_i and j2ku_graya_la
|
||||||
|
# Upstream fixes this patch combines:
|
||||||
|
# - Original fix for the CVEs: https://github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87
|
||||||
|
# - Older commit the fix is based on: https://github.com/python-pillow/Pillow/commit/cf6da6b79080a8c16984102fdc85f7ce28dca613
|
||||||
|
# Tracking bugs:
|
||||||
|
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25287
|
||||||
|
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25288
|
||||||
|
Patch13: CVE-2021-25287_25288.patch
|
||||||
|
# CVE-2021-28675 DoS in PsdImagePlugin
|
||||||
|
# Upstream fix: https://github.com/python-pillow/Pillow/commit/22e9bee4ef225c0edbb9323f94c26cee0c623497
|
||||||
|
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28675
|
||||||
|
Patch14: CVE-2021-28675.patch
|
||||||
|
# CVE-2021-28676 infinite loop in FliDecode.c can lead to DoS
|
||||||
|
# Upstream fix: https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856
|
||||||
|
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28676
|
||||||
|
Patch15: CVE-2021-28676.patch
|
||||||
|
# CVE-2021-28677 DoS in the open phase via a malicious EPS file
|
||||||
|
# Upstream fix: https://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92
|
||||||
|
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28677
|
||||||
|
Patch16: CVE-2021-28677.patch
|
||||||
|
# CVE-2021-28678 improper check in BlpImagePlugin can lead to DoS
|
||||||
|
# Upstream fix: https://github.com/python-pillow/Pillow/commit/496245aa4365d0827390bd0b6fbd11287453b3a1
|
||||||
|
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28678
|
||||||
|
Patch17: CVE-2021-28678.patch
|
||||||
|
|
||||||
BuildRequires: freetype-devel
|
BuildRequires: freetype-devel
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
|
@ -214,6 +238,11 @@ popd
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jun 14 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-15
|
||||||
|
- Fixes for CVE-2021-25288, CVE-2021-25287, CVE-2021-28675, CVE-2021-28676,
|
||||||
|
CVE-2021-28677 and CVE-2021-28678
|
||||||
|
Resolves: rhbz#1958231, rhbz#1958226, rhbz#1958240, rhbz#1958252, rhbz#1958257, rhbz#1958263
|
||||||
|
|
||||||
* Fri Apr 09 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-14
|
* Fri Apr 09 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-14
|
||||||
- Fixes for CVE-2021-25290, CVE-2021-25292, CVE-2021-25293, CVE-2021-27921
|
- Fixes for CVE-2021-25290, CVE-2021-25292, CVE-2021-25293, CVE-2021-27921
|
||||||
CVE-2021-27922, and CVE-2021-27923
|
CVE-2021-27922, and CVE-2021-27923
|
||||||
|
|
Loading…
Reference in New Issue