Compare commits
No commits in common. "c8" and "c9s" have entirely different histories.
1
.gitignore
vendored
1
.gitignore
vendored
@ -1 +0,0 @@
|
||||
SOURCES/Pillow-5.1.1.tar.gz
|
@ -1 +0,0 @@
|
||||
2120f1bbf8d39cb0f1a5a50fb79b993e8b75851c SOURCES/Pillow-5.1.1.tar.gz
|
@ -1,42 +0,0 @@
|
||||
From b78ede45a294b567d27d7198ff3354df86a5b7f1 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Tue, 11 Sep 2018 15:58:31 +0200
|
||||
Subject: [PATCH 1/2] Fix potential un-terminated buffer problem (CWE-120)
|
||||
|
||||
---
|
||||
src/libImaging/Histo.c | 4 +++-
|
||||
src/libImaging/Palette.c | 3 ++-
|
||||
2 files changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/libImaging/Histo.c b/src/libImaging/Histo.c
|
||||
index 0bfc8dfe..2b35873e 100644
|
||||
--- a/src/libImaging/Histo.c
|
||||
+++ b/src/libImaging/Histo.c
|
||||
@@ -41,7 +41,9 @@ ImagingHistogramNew(Imaging im)
|
||||
|
||||
/* Create histogram descriptor */
|
||||
h = calloc(1, sizeof(struct ImagingHistogramInstance));
|
||||
- strncpy(h->mode, im->mode, IMAGING_MODE_LENGTH);
|
||||
+ strncpy(h->mode, im->mode, IMAGING_MODE_LENGTH-1);
|
||||
+ h->mode[IMAGING_MODE_LENGTH-1] = 0;
|
||||
+
|
||||
h->bands = im->bands;
|
||||
h->histogram = calloc(im->pixelsize, 256 * sizeof(long));
|
||||
|
||||
diff --git a/src/libImaging/Palette.c b/src/libImaging/Palette.c
|
||||
index 31c2c024..7aee6e8e 100644
|
||||
--- a/src/libImaging/Palette.c
|
||||
+++ b/src/libImaging/Palette.c
|
||||
@@ -37,7 +37,8 @@ ImagingPaletteNew(const char* mode)
|
||||
if (!palette)
|
||||
return (ImagingPalette) ImagingError_MemoryError();
|
||||
|
||||
- strncpy(palette->mode, mode, IMAGING_MODE_LENGTH);
|
||||
+ strncpy(palette->mode, mode, IMAGING_MODE_LENGTH-1);
|
||||
+ palette->mode[IMAGING_MODE_LENGTH-1] = 0;
|
||||
|
||||
/* Initialize to ramp */
|
||||
for (i = 0; i < 256; i++) {
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,258 +0,0 @@
|
||||
From 6adac809e96c8bfeb50a3bd14570a8118bcd5d65 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Thu, 13 Sep 2018 12:22:11 +0200
|
||||
Subject: [PATCH 2/2] Fix potential leaked storage issues (CWE-772)
|
||||
|
||||
---
|
||||
src/Tk/tkImaging.c | 2 ++
|
||||
src/_imaging.c | 15 +++++++++++++--
|
||||
src/encode.c | 12 +++++++++---
|
||||
src/libImaging/Histo.c | 12 +++++++++---
|
||||
src/libImaging/Quant.c | 2 ++
|
||||
src/libImaging/QuantOctree.c | 1 +
|
||||
src/libImaging/Resample.c | 2 ++
|
||||
src/path.c | 8 ++++++--
|
||||
8 files changed, 44 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/Tk/tkImaging.c b/src/Tk/tkImaging.c
|
||||
index f448be16..10090b0e 100644
|
||||
--- a/src/Tk/tkImaging.c
|
||||
+++ b/src/Tk/tkImaging.c
|
||||
@@ -442,6 +442,7 @@ int load_tkinter_funcs(void)
|
||||
/* Try loading from the main program namespace first */
|
||||
main_program = dlopen(NULL, RTLD_LAZY);
|
||||
if (_func_loader(main_program) == 0) {
|
||||
+ dlclose(main_program);
|
||||
return 0;
|
||||
}
|
||||
/* Clear exception triggered when we didn't find symbols above */
|
||||
@@ -470,6 +471,7 @@ int load_tkinter_funcs(void)
|
||||
/* dlclose probably safe because tkinter has been imported. */
|
||||
dlclose(tkinter_lib);
|
||||
exit:
|
||||
+ dlclose(main_program);
|
||||
Py_XDECREF(pModule);
|
||||
Py_XDECREF(pString);
|
||||
return ret;
|
||||
diff --git a/src/_imaging.c b/src/_imaging.c
|
||||
index 11f5f6ea..445470bf 100644
|
||||
--- a/src/_imaging.c
|
||||
+++ b/src/_imaging.c
|
||||
@@ -856,8 +856,10 @@ _gaussian_blur(ImagingObject* self, PyObject* args)
|
||||
if (!imOut)
|
||||
return NULL;
|
||||
|
||||
- if (!ImagingGaussianBlur(imOut, imIn, radius, passes))
|
||||
+ if (!ImagingGaussianBlur(imOut, imIn, radius, passes)) {
|
||||
+ ImagingDelete(imOut);
|
||||
return NULL;
|
||||
+ }
|
||||
|
||||
return PyImagingNew(imOut);
|
||||
}
|
||||
@@ -1745,8 +1747,10 @@ _box_blur(ImagingObject* self, PyObject* args)
|
||||
if (!imOut)
|
||||
return NULL;
|
||||
|
||||
- if (!ImagingBoxBlur(imOut, imIn, radius, n))
|
||||
+ if (!ImagingBoxBlur(imOut, imIn, radius, n)) {
|
||||
+ ImagingDelete(imOut);
|
||||
return NULL;
|
||||
+ }
|
||||
|
||||
return PyImagingNew(imOut);
|
||||
}
|
||||
@@ -2386,6 +2390,7 @@ _draw_arc(ImagingDrawObject* self, PyObject* args)
|
||||
return NULL;
|
||||
if (n != 2) {
|
||||
PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
|
||||
+ free(xy);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -2423,6 +2428,7 @@ _draw_bitmap(ImagingDrawObject* self, PyObject* args)
|
||||
PyErr_SetString(PyExc_TypeError,
|
||||
"coordinate list must contain exactly 1 coordinate"
|
||||
);
|
||||
+ free(xy);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -2458,6 +2464,7 @@ _draw_chord(ImagingDrawObject* self, PyObject* args)
|
||||
return NULL;
|
||||
if (n != 2) {
|
||||
PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
|
||||
+ free(xy);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -2493,6 +2500,7 @@ _draw_ellipse(ImagingDrawObject* self, PyObject* args)
|
||||
return NULL;
|
||||
if (n != 2) {
|
||||
PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
|
||||
+ free(xy);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -2674,6 +2682,7 @@ _draw_pieslice(ImagingDrawObject* self, PyObject* args)
|
||||
return NULL;
|
||||
if (n != 2) {
|
||||
PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
|
||||
+ free(xy);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -2712,6 +2721,7 @@ _draw_polygon(ImagingDrawObject* self, PyObject* args)
|
||||
PyErr_SetString(PyExc_TypeError,
|
||||
"coordinate list must contain at least 2 coordinates"
|
||||
);
|
||||
+ free(xy);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -2754,6 +2764,7 @@ _draw_rectangle(ImagingDrawObject* self, PyObject* args)
|
||||
return NULL;
|
||||
if (n != 2) {
|
||||
PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
|
||||
+ free(xy);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
diff --git a/src/encode.c b/src/encode.c
|
||||
index ae4277c0..9f7c6592 100644
|
||||
--- a/src/encode.c
|
||||
+++ b/src/encode.c
|
||||
@@ -552,11 +552,15 @@ PyImaging_ZipEncoderNew(PyObject* self, PyObject* args)
|
||||
dictionary = NULL;
|
||||
|
||||
encoder = PyImaging_EncoderNew(sizeof(ZIPSTATE));
|
||||
- if (encoder == NULL)
|
||||
+ if (encoder == NULL) {
|
||||
+ free(dictionary);
|
||||
return NULL;
|
||||
+ }
|
||||
|
||||
- if (get_packer(encoder, mode, rawmode) < 0)
|
||||
+ if (get_packer(encoder, mode, rawmode) < 0) {
|
||||
+ free(dictionary);
|
||||
return NULL;
|
||||
+ }
|
||||
|
||||
encoder->encode = ImagingZipEncode;
|
||||
encoder->cleanup = ImagingZipEncodeCleanup;
|
||||
@@ -717,8 +721,10 @@ PyImaging_JpegEncoderNew(PyObject* self, PyObject* args)
|
||||
if (rawExif && rawExifLen > 0) {
|
||||
/* malloc check ok, length is from python parsearg */
|
||||
char* pp = malloc(rawExifLen); // Freed in JpegEncode, Case 5
|
||||
- if (!pp)
|
||||
+ if (!pp) {
|
||||
+ if (extra) free(extra);
|
||||
return PyErr_NoMemory();
|
||||
+ }
|
||||
memcpy(pp, rawExif, rawExifLen);
|
||||
rawExif = pp;
|
||||
} else
|
||||
diff --git a/src/libImaging/Histo.c b/src/libImaging/Histo.c
|
||||
index 2b35873e..b7c1a983 100644
|
||||
--- a/src/libImaging/Histo.c
|
||||
+++ b/src/libImaging/Histo.c
|
||||
@@ -82,8 +82,10 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax)
|
||||
h->histogram[im->image8[y][x]]++;
|
||||
ImagingSectionLeave(&cookie);
|
||||
} else { /* yes, we need the braces. C isn't Python! */
|
||||
- if (im->type != IMAGING_TYPE_UINT8)
|
||||
+ if (im->type != IMAGING_TYPE_UINT8) {
|
||||
+ ImagingHistogramDelete(h);
|
||||
return ImagingError_ModeError();
|
||||
+ }
|
||||
ImagingSectionEnter(&cookie);
|
||||
for (y = 0; y < im->ysize; y++) {
|
||||
UINT8* in = (UINT8*) im->image32[y];
|
||||
@@ -122,8 +124,10 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax)
|
||||
ImagingSectionLeave(&cookie);
|
||||
break;
|
||||
case IMAGING_TYPE_INT32:
|
||||
- if (!minmax)
|
||||
+ if (!minmax) {
|
||||
+ ImagingHistogramDelete(h);
|
||||
return ImagingError_ValueError("min/max not given");
|
||||
+ }
|
||||
if (!im->xsize || !im->ysize)
|
||||
break;
|
||||
imin = ((INT32*) minmax)[0];
|
||||
@@ -143,8 +147,10 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax)
|
||||
ImagingSectionLeave(&cookie);
|
||||
break;
|
||||
case IMAGING_TYPE_FLOAT32:
|
||||
- if (!minmax)
|
||||
+ if (!minmax) {
|
||||
+ ImagingHistogramDelete(h);
|
||||
return ImagingError_ValueError("min/max not given");
|
||||
+ }
|
||||
if (!im->xsize || !im->ysize)
|
||||
break;
|
||||
fmin = ((FLOAT32*) minmax)[0];
|
||||
diff --git a/src/libImaging/Quant.c b/src/libImaging/Quant.c
|
||||
index df313816..b94dc6e1 100644
|
||||
--- a/src/libImaging/Quant.c
|
||||
+++ b/src/libImaging/Quant.c
|
||||
@@ -568,6 +568,8 @@ split(BoxNode *node)
|
||||
left=malloc(sizeof(BoxNode));
|
||||
right=malloc(sizeof(BoxNode));
|
||||
if (!left||!right) {
|
||||
+ free(left);
|
||||
+ free(right);
|
||||
return 0;
|
||||
}
|
||||
for(i=0;i<3;i++) {
|
||||
diff --git a/src/libImaging/QuantOctree.c b/src/libImaging/QuantOctree.c
|
||||
index e18ab3c6..d778c942 100644
|
||||
--- a/src/libImaging/QuantOctree.c
|
||||
+++ b/src/libImaging/QuantOctree.c
|
||||
@@ -470,6 +470,7 @@ error:
|
||||
free(qp);
|
||||
free_color_cube(lookupCube);
|
||||
free_color_cube(coarseLookupCube);
|
||||
+ free(paletteBuckets);
|
||||
free(paletteBucketsCoarse);
|
||||
free(paletteBucketsFine);
|
||||
free_color_cube(coarseCube);
|
||||
diff --git a/src/libImaging/Resample.c b/src/libImaging/Resample.c
|
||||
index cda005d9..b90395e8 100644
|
||||
--- a/src/libImaging/Resample.c
|
||||
+++ b/src/libImaging/Resample.c
|
||||
@@ -538,6 +538,8 @@ ImagingResampleInner(Imaging imIn, int xsize, int ysize,
|
||||
if ( ! ksize_vert) {
|
||||
free(bounds_horiz);
|
||||
free(kk_horiz);
|
||||
+ free(bounds_vert);
|
||||
+ free(kk_vert);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
diff --git a/src/path.c b/src/path.c
|
||||
index b56ea838..5984a3d1 100644
|
||||
--- a/src/path.c
|
||||
+++ b/src/path.c
|
||||
@@ -82,12 +82,16 @@ path_new(Py_ssize_t count, double* xy, int duplicate)
|
||||
xy = p;
|
||||
}
|
||||
|
||||
- if (PyType_Ready(&PyPathType) < 0)
|
||||
+ if (PyType_Ready(&PyPathType) < 0) {
|
||||
+ free(xy);
|
||||
return NULL;
|
||||
+ }
|
||||
|
||||
path = PyObject_New(PyPathObject, &PyPathType);
|
||||
- if (path == NULL)
|
||||
+ if (path == NULL) {
|
||||
+ free(xy);
|
||||
return NULL;
|
||||
+ }
|
||||
|
||||
path->count = count;
|
||||
path->xy = xy;
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,50 +0,0 @@
|
||||
From e705cd1476f04a918aae34f638b502116cb12eba Mon Sep 17 00:00:00 2001
|
||||
From: Jon Dufresne <jon.dufresne@gmail.com>
|
||||
Date: Tue, 3 Apr 2018 20:36:09 -0700
|
||||
Subject: [PATCH] Fix dereferencing type-punned pointer will break
|
||||
strict-aliasing
|
||||
|
||||
Compiler warning appeared as:
|
||||
|
||||
src/path.c:574:22: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
|
||||
Py_TYPE(&item)->tp_name);
|
||||
^~~~~~~
|
||||
|
||||
As item is already of type PyObject*, and the Py_TYPE macro is
|
||||
equivalent to (((PyObject*)(o))->ob_type), no need for the dereference.
|
||||
|
||||
https://docs.python.org/3/c-api/structures.html#c.Py_TYPE
|
||||
---
|
||||
Tests/test_imagepath.py | 5 +++++
|
||||
src/path.c | 2 +-
|
||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
|
||||
index 14cc4d14b..98a6d3416 100644
|
||||
--- a/Tests/test_imagepath.py
|
||||
+++ b/Tests/test_imagepath.py
|
||||
@@ -17,6 +17,11 @@ def test_path(self):
|
||||
self.assertEqual(p[0], (0.0, 1.0))
|
||||
self.assertEqual(p[-1], (8.0, 9.0))
|
||||
self.assertEqual(list(p[:1]), [(0.0, 1.0)])
|
||||
+ with self.assertRaises(TypeError) as cm:
|
||||
+ p['foo']
|
||||
+ self.assertEqual(
|
||||
+ str(cm.exception),
|
||||
+ "Path indices must be integers, not str")
|
||||
self.assertEqual(
|
||||
list(p),
|
||||
[(0.0, 1.0), (2.0, 3.0), (4.0, 5.0), (6.0, 7.0), (8.0, 9.0)])
|
||||
diff --git a/src/path.c b/src/path.c
|
||||
index b56ea838e..d1c18c8ed 100644
|
||||
--- a/src/path.c
|
||||
+++ b/src/path.c
|
||||
@@ -571,7 +571,7 @@ path_subscript(PyPathObject* self, PyObject* item) {
|
||||
else {
|
||||
PyErr_Format(PyExc_TypeError,
|
||||
"Path indices must be integers, not %.200s",
|
||||
- Py_TYPE(&item)->tp_name);
|
||||
+ Py_TYPE(item)->tp_name);
|
||||
return NULL;
|
||||
}
|
||||
}
|
@ -1,56 +0,0 @@
|
||||
From f91c78960495efa04c7f12eeb916158d4bfbabc4 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Mon, 13 Jul 2020 15:40:11 +0200
|
||||
Subject: [PATCH] CVE-2020-11538
|
||||
|
||||
---
|
||||
src/libImaging/SgiRleDecode.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
||||
index 6367ae7..eb8fc84 100644
|
||||
--- a/src/libImaging/SgiRleDecode.c
|
||||
+++ b/src/libImaging/SgiRleDecode.c
|
||||
@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf)
|
||||
static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
||||
{
|
||||
UINT8 pixel, count;
|
||||
+ int x = 0;
|
||||
|
||||
for (;n > 0; n--)
|
||||
{
|
||||
@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
||||
count = pixel & RLE_MAX_RUN;
|
||||
if (!count)
|
||||
return count;
|
||||
- if (count > xsize) {
|
||||
+ if (x + count > xsize) {
|
||||
return -1;
|
||||
}
|
||||
+ x += count;
|
||||
if (pixel & RLE_COPY_FLAG) {
|
||||
while(count--) {
|
||||
*dest = *src++;
|
||||
@@ -63,6 +65,7 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
||||
{
|
||||
UINT8 pixel, count;
|
||||
|
||||
+ int x = 0;
|
||||
|
||||
for (;n > 0; n--)
|
||||
{
|
||||
@@ -73,9 +76,10 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
||||
count = pixel & RLE_MAX_RUN;
|
||||
if (!count)
|
||||
return count;
|
||||
- if (count > xsize) {
|
||||
+ if (x + count > xsize) {
|
||||
return -1;
|
||||
}
|
||||
+ x += count;
|
||||
if (pixel & RLE_COPY_FLAG) {
|
||||
while(count--) {
|
||||
*dest = *src++;
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 7a0aea5806d57e0e7c5187fbc9c2937a16e0bca1 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Soroos <eric-github@soroos.net>
|
||||
Date: Thu, 17 Dec 2020 00:17:53 +0100
|
||||
Subject: [PATCH] Fix for CVE CVE-2020-35655 - Read Overflow in PCX Decoding.
|
||||
|
||||
* Don't trust the image to specify a buffer size
|
||||
---
|
||||
src/PIL/PcxImagePlugin.py | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/PIL/PcxImagePlugin.py b/src/PIL/PcxImagePlugin.py
|
||||
index 564713a..17bbd18 100644
|
||||
--- a/src/PIL/PcxImagePlugin.py
|
||||
+++ b/src/PIL/PcxImagePlugin.py
|
||||
@@ -63,9 +63,9 @@ class PcxImageFile(ImageFile.ImageFile):
|
||||
version = i8(s[1])
|
||||
bits = i8(s[3])
|
||||
planes = i8(s[65])
|
||||
- stride = i16(s, 66)
|
||||
+ ignored_stride = i16(s, 66)
|
||||
logger.debug("PCX version %s, bits %s, planes %s, stride %s",
|
||||
- version, bits, planes, stride)
|
||||
+ version, bits, planes, ignored_stride)
|
||||
|
||||
self.info["dpi"] = i16(s, 12), i16(s, 14)
|
||||
|
||||
@@ -102,6 +102,11 @@ class PcxImageFile(ImageFile.ImageFile):
|
||||
self.mode = mode
|
||||
self.size = bbox[2]-bbox[0], bbox[3]-bbox[1]
|
||||
|
||||
+ # don't trust the passed in stride. Calculate for ourselves.
|
||||
+ # CVE-2020-35653
|
||||
+ stride = (self.size[0] * bits + 7) // 8
|
||||
+ stride += stride % 2
|
||||
+
|
||||
bbox = (0, 0) + self.size
|
||||
logger.debug("size: %sx%s", *self.size)
|
||||
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,136 +0,0 @@
|
||||
From f276de1139ec16395dc8b382860fb58e331fbd53 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Soroos <eric-github@soroos.net>
|
||||
Date: Thu, 29 Oct 2020 23:07:15 +0000
|
||||
Subject: [PATCH 1/2] Fix for SGI Decode buffer overrun CVE-2020-35655
|
||||
|
||||
* Independently found by a contributor and sent to Tidelift, and by Google's OSS Fuzz.
|
||||
---
|
||||
src/libImaging/SgiRleDecode.c | 23 ++++++++++++++++-------
|
||||
1 file changed, 16 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
||||
index eb8fc84..c256169 100644
|
||||
--- a/src/libImaging/SgiRleDecode.c
|
||||
+++ b/src/libImaging/SgiRleDecode.c
|
||||
@@ -107,11 +107,27 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
int err = 0;
|
||||
int status;
|
||||
|
||||
+ /* size check */
|
||||
+ if (im->xsize > INT_MAX / im->bands ||
|
||||
+ im->ysize > INT_MAX / im->bands) {
|
||||
+ return IMAGING_CODEC_MEMORY;
|
||||
+ }
|
||||
+
|
||||
/* Get all data from File descriptor */
|
||||
c = (SGISTATE*)state->context;
|
||||
_imaging_seek_pyFd(state->fd, 0L, SEEK_END);
|
||||
c->bufsize = _imaging_tell_pyFd(state->fd);
|
||||
c->bufsize -= SGI_HEADER_SIZE;
|
||||
+
|
||||
+ c->tablen = im->bands * im->ysize;
|
||||
+ /* below, we populate the starttab and lentab into the bufsize,
|
||||
+ each with 4 bytes per element of tablen
|
||||
+ Check here before we allocate any memory
|
||||
+ */
|
||||
+ if (c->bufsize < 8*c->tablen) {
|
||||
+ return IMAGING_CODEC_MEMORY;
|
||||
+ }
|
||||
+
|
||||
ptr = malloc(sizeof(UINT8) * c->bufsize);
|
||||
if (!ptr) {
|
||||
return IMAGING_CODEC_MEMORY;
|
||||
@@ -129,18 +145,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
state->ystep = 1;
|
||||
}
|
||||
|
||||
- if (im->xsize > INT_MAX / im->bands ||
|
||||
- im->ysize > INT_MAX / im->bands) {
|
||||
- err = IMAGING_CODEC_MEMORY;
|
||||
- goto sgi_finish_decode;
|
||||
- }
|
||||
-
|
||||
/* Allocate memory for RLE tables and rows */
|
||||
free(state->buffer);
|
||||
state->buffer = NULL;
|
||||
/* malloc overflow check above */
|
||||
state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
|
||||
- c->tablen = im->bands * im->ysize;
|
||||
c->starttab = calloc(c->tablen, sizeof(UINT32));
|
||||
c->lengthtab = calloc(c->tablen, sizeof(UINT32));
|
||||
if (!state->buffer ||
|
||||
--
|
||||
2.29.2
|
||||
|
||||
From 18aa14484fa63dabcafea63cf0b7bfb4066e979c Mon Sep 17 00:00:00 2001
|
||||
From: Eric Soroos <eric-github@soroos.net>
|
||||
Date: Fri, 30 Oct 2020 09:57:23 +0000
|
||||
Subject: [PATCH 2/2] Make the SGI code return -1 as an error flag, error in
|
||||
state
|
||||
|
||||
---
|
||||
src/libImaging/SgiRleDecode.c | 16 ++++++++++------
|
||||
1 file changed, 10 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
||||
index c256169..2259159 100644
|
||||
--- a/src/libImaging/SgiRleDecode.c
|
||||
+++ b/src/libImaging/SgiRleDecode.c
|
||||
@@ -110,7 +110,8 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
/* size check */
|
||||
if (im->xsize > INT_MAX / im->bands ||
|
||||
im->ysize > INT_MAX / im->bands) {
|
||||
- return IMAGING_CODEC_MEMORY;
|
||||
+ state->errcode = IMAGING_CODEC_MEMORY;
|
||||
+ return -1;
|
||||
}
|
||||
|
||||
/* Get all data from File descriptor */
|
||||
@@ -125,12 +126,14 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
Check here before we allocate any memory
|
||||
*/
|
||||
if (c->bufsize < 8*c->tablen) {
|
||||
- return IMAGING_CODEC_MEMORY;
|
||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
||||
+ return -1;
|
||||
}
|
||||
|
||||
ptr = malloc(sizeof(UINT8) * c->bufsize);
|
||||
if (!ptr) {
|
||||
- return IMAGING_CODEC_MEMORY;
|
||||
+ state->errcode = IMAGING_CODEC_MEMORY;
|
||||
+ return -1;
|
||||
}
|
||||
_imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
|
||||
_imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
|
||||
@@ -178,7 +181,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
|
||||
if (c->rleoffset + c->rlelength > c->bufsize) {
|
||||
state->errcode = IMAGING_CODEC_OVERRUN;
|
||||
- return -1;
|
||||
+ goto sgi_finish_decode;
|
||||
}
|
||||
|
||||
/* row decompression */
|
||||
@@ -190,7 +193,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
}
|
||||
if (status == -1) {
|
||||
state->errcode = IMAGING_CODEC_OVERRUN;
|
||||
- return -1;
|
||||
+ goto sgi_finish_decode;
|
||||
} else if (status == 1) {
|
||||
goto sgi_finish_decode;
|
||||
}
|
||||
@@ -211,7 +214,8 @@ sgi_finish_decode: ;
|
||||
free(c->lengthtab);
|
||||
free(ptr);
|
||||
if (err != 0){
|
||||
- return err;
|
||||
+ state->errcode=err;
|
||||
+ return -1;
|
||||
}
|
||||
return state->count - c->bufsize;
|
||||
}
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,83 +0,0 @@
|
||||
From 1dd0fb64bd3cc221b5877ece4ce2f300245b638f Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Mon, 17 Feb 2020 14:19:32 +0100
|
||||
Subject: [PATCH] CVE-2020-5311
|
||||
|
||||
---
|
||||
src/libImaging/SgiRleDecode.c | 23 +++++++++++++++++------
|
||||
1 file changed, 17 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
||||
index 39e7b3a..6367ae7 100644
|
||||
--- a/src/libImaging/SgiRleDecode.c
|
||||
+++ b/src/libImaging/SgiRleDecode.c
|
||||
@@ -25,7 +25,7 @@ static void read4B(UINT32* dest, UINT8* buf)
|
||||
*dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
|
||||
}
|
||||
|
||||
-static int expandrow(UINT8* dest, UINT8* src, int n, int z)
|
||||
+static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
||||
{
|
||||
UINT8 pixel, count;
|
||||
|
||||
@@ -37,6 +37,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
|
||||
count = pixel & RLE_MAX_RUN;
|
||||
if (!count)
|
||||
return count;
|
||||
+ if (count > xsize) {
|
||||
+ return -1;
|
||||
+ }
|
||||
if (pixel & RLE_COPY_FLAG) {
|
||||
while(count--) {
|
||||
*dest = *src++;
|
||||
@@ -56,7 +59,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static int expandrow2(UINT16* dest, UINT16* src, int n, int z)
|
||||
+static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
||||
{
|
||||
UINT8 pixel, count;
|
||||
|
||||
@@ -70,6 +73,9 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z)
|
||||
count = pixel & RLE_MAX_RUN;
|
||||
if (!count)
|
||||
return count;
|
||||
+ if (count > xsize) {
|
||||
+ return -1;
|
||||
+ }
|
||||
if (pixel & RLE_COPY_FLAG) {
|
||||
while(count--) {
|
||||
*dest = *src++;
|
||||
@@ -95,6 +101,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
UINT8 *ptr;
|
||||
SGISTATE *c;
|
||||
int err = 0;
|
||||
+ int status;
|
||||
|
||||
/* Get all data from File descriptor */
|
||||
c = (SGISTATE*)state->context;
|
||||
@@ -163,12 +170,16 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
|
||||
/* row decompression */
|
||||
if (c->bpc ==1) {
|
||||
- if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
|
||||
- goto sgi_finish_decode;
|
||||
+ status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
|
||||
}
|
||||
else {
|
||||
- if(expandrow2((UINT16*)&state->buffer[c->channo * 2], (UINT16*)&ptr[c->rleoffset], c->rlelength, im->bands))
|
||||
- goto sgi_finish_decode;
|
||||
+ status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
|
||||
+ }
|
||||
+ if (status == -1) {
|
||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
||||
+ return -1;
|
||||
+ } else if (status == 1) {
|
||||
+ goto sgi_finish_decode;
|
||||
}
|
||||
|
||||
state->count += c->rlelength;
|
||||
--
|
||||
2.24.1
|
||||
|
@ -1,183 +0,0 @@
|
||||
From cc9658731ba1ea291f83ea959acc27ac28384a2c Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Fri, 14 Feb 2020 11:14:53 +0100
|
||||
Subject: [PATCH] Combined fix for CVE-2020-5312 and CVE-2019-16865
|
||||
|
||||
---
|
||||
src/PIL/GifImagePlugin.py | 1 +
|
||||
src/PIL/IcoImagePlugin.py | 1 +
|
||||
src/PIL/PsdImagePlugin.py | 6 ++++--
|
||||
src/PIL/TiffImagePlugin.py | 4 ++--
|
||||
src/libImaging/FliDecode.c | 14 +++++++++++---
|
||||
src/libImaging/PcxDecode.c | 8 ++++++++
|
||||
src/libImaging/RawDecode.c | 11 +++++++++--
|
||||
src/libImaging/SgiRleDecode.c | 5 +++++
|
||||
8 files changed, 41 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py
|
||||
index c01adff..99af4a5 100644
|
||||
--- a/src/PIL/GifImagePlugin.py
|
||||
+++ b/src/PIL/GifImagePlugin.py
|
||||
@@ -251,6 +251,7 @@ class GifImageFile(ImageFile.ImageFile):
|
||||
self.dispose = None
|
||||
elif self.disposal_method == 2:
|
||||
# replace with background colour
|
||||
+ Image._decompression_bomb_check(self.size)
|
||||
self.dispose = Image.core.fill("P", self.size,
|
||||
self.info["background"])
|
||||
else:
|
||||
diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
|
||||
index 428fdd4..2b6d1e0 100644
|
||||
--- a/src/PIL/IcoImagePlugin.py
|
||||
+++ b/src/PIL/IcoImagePlugin.py
|
||||
@@ -167,6 +167,7 @@ class IcoFile(object):
|
||||
else:
|
||||
# XOR + AND mask bmp frame
|
||||
im = BmpImagePlugin.DibImageFile(self.buf)
|
||||
+ Image._decompression_bomb_check(im.size)
|
||||
|
||||
# change tile dimension to only encompass XOR image
|
||||
im.size = (im.size[0], int(im.size[1] / 2))
|
||||
diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py
|
||||
index f6e04f7..fe2a2ff 100644
|
||||
--- a/src/PIL/PsdImagePlugin.py
|
||||
+++ b/src/PIL/PsdImagePlugin.py
|
||||
@@ -209,9 +209,11 @@ def _layerinfo(file):
|
||||
# skip over blend flags and extra information
|
||||
filler = read(12)
|
||||
name = ""
|
||||
- size = i32(read(4))
|
||||
+ size = i32(read(4)) # length of the extra data field
|
||||
combined = 0
|
||||
if size:
|
||||
+ data_end = file.tell() + size
|
||||
+
|
||||
length = i32(read(4))
|
||||
if length:
|
||||
mask_y = i32(read(4))
|
||||
@@ -233,7 +235,7 @@ def _layerinfo(file):
|
||||
name = read(length).decode('latin-1', 'replace')
|
||||
combined += length + 1
|
||||
|
||||
- file.seek(size - combined, 1)
|
||||
+ file.seek(data_end)
|
||||
layers.append((name, mode, (x0, y0, x1, y1)))
|
||||
|
||||
# get tiles
|
||||
diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
|
||||
index f903918..b9a1ef7 100644
|
||||
--- a/src/PIL/TiffImagePlugin.py
|
||||
+++ b/src/PIL/TiffImagePlugin.py
|
||||
@@ -1170,8 +1170,8 @@ class TiffImageFile(ImageFile.ImageFile):
|
||||
print("- fill_order:", fillorder)
|
||||
|
||||
# size
|
||||
- xsize = self.tag_v2.get(IMAGEWIDTH)
|
||||
- ysize = self.tag_v2.get(IMAGELENGTH)
|
||||
+ xsize = int(self.tag_v2.get(IMAGEWIDTH))
|
||||
+ ysize = int(self.tag_v2.get(IMAGELENGTH))
|
||||
self.size = xsize, ysize
|
||||
|
||||
if DEBUG:
|
||||
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
|
||||
index 6d22c6c..a99aca8 100644
|
||||
--- a/src/libImaging/FliDecode.c
|
||||
+++ b/src/libImaging/FliDecode.c
|
||||
@@ -30,7 +30,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||
{
|
||||
UINT8* ptr;
|
||||
int framesize;
|
||||
- int c, chunks;
|
||||
+ int c, chunks, advance;
|
||||
int l, lines;
|
||||
int i, j, x = 0, y, ymax;
|
||||
|
||||
@@ -59,10 +59,16 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||
|
||||
chunks = I16(ptr+6);
|
||||
ptr += 16;
|
||||
+ bytes -= 16;
|
||||
|
||||
/* Process subchunks */
|
||||
for (c = 0; c < chunks; c++) {
|
||||
- UINT8 *data = ptr + 6;
|
||||
+ UINT8* data;
|
||||
+ if (bytes < 10) {
|
||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
||||
+ return -1;
|
||||
+ }
|
||||
+ data = ptr + 6;
|
||||
switch (I16(ptr+4)) {
|
||||
case 4: case 11:
|
||||
/* FLI COLOR chunk */
|
||||
@@ -198,7 +204,9 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||
state->errcode = IMAGING_CODEC_UNKNOWN;
|
||||
return -1;
|
||||
}
|
||||
- ptr += I32(ptr);
|
||||
+ advance = I32(ptr);
|
||||
+ ptr += advance;
|
||||
+ bytes -= advance;
|
||||
}
|
||||
|
||||
return -1; /* end of frame */
|
||||
diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
|
||||
index e5417f1..aaf5867 100644
|
||||
--- a/src/libImaging/PcxDecode.c
|
||||
+++ b/src/libImaging/PcxDecode.c
|
||||
@@ -22,6 +22,14 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||
UINT8 n;
|
||||
UINT8* ptr;
|
||||
|
||||
+ if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
|
||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
||||
+ return -1;
|
||||
+ } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
|
||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
ptr = buf;
|
||||
|
||||
for (;;) {
|
||||
diff --git a/src/libImaging/RawDecode.c b/src/libImaging/RawDecode.c
|
||||
index 40c0cb7..d4b7994 100644
|
||||
--- a/src/libImaging/RawDecode.c
|
||||
+++ b/src/libImaging/RawDecode.c
|
||||
@@ -33,8 +33,15 @@ ImagingRawDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||
|
||||
/* get size of image data and padding */
|
||||
state->bytes = (state->xsize * state->bits + 7) / 8;
|
||||
- rawstate->skip = (rawstate->stride) ?
|
||||
- rawstate->stride - state->bytes : 0;
|
||||
+ if (rawstate->stride) {
|
||||
+ rawstate->skip = rawstate->stride - state->bytes;
|
||||
+ if (rawstate->skip < 0) {
|
||||
+ state->errcode = IMAGING_CODEC_CONFIG;
|
||||
+ return -1;
|
||||
+ }
|
||||
+ } else {
|
||||
+ rawstate->skip = 0;
|
||||
+ }
|
||||
|
||||
/* check image orientation */
|
||||
if (state->ystep < 0) {
|
||||
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
||||
index 9d8e563..39e7b3a 100644
|
||||
--- a/src/libImaging/SgiRleDecode.c
|
||||
+++ b/src/libImaging/SgiRleDecode.c
|
||||
@@ -156,6 +156,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize];
|
||||
c->rleoffset -= SGI_HEADER_SIZE;
|
||||
|
||||
+ if (c->rleoffset + c->rlelength > c->bufsize) {
|
||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
/* row decompression */
|
||||
if (c->bpc ==1) {
|
||||
if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
|
||||
--
|
||||
2.24.1
|
||||
|
@ -1,38 +0,0 @@
|
||||
From 697957b79a9473f0f643051265885fb048395127 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Wed, 4 Mar 2020 10:54:54 +0100
|
||||
Subject: [PATCH] CVE-2020-5313
|
||||
|
||||
---
|
||||
src/libImaging/FliDecode.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
|
||||
index a99aca8..72ba138 100644
|
||||
--- a/src/libImaging/FliDecode.c
|
||||
+++ b/src/libImaging/FliDecode.c
|
||||
@@ -40,8 +40,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||
return 0;
|
||||
|
||||
/* We don't decode anything unless we have a full chunk in the
|
||||
- input buffer (on the other hand, the Python part of the driver
|
||||
- makes sure this is always the case) */
|
||||
+ input buffer */
|
||||
|
||||
ptr = buf;
|
||||
|
||||
@@ -52,6 +51,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||
/* Make sure this is a frame chunk. The Python driver takes
|
||||
case of other chunk types. */
|
||||
|
||||
+ if (bytes < 8) {
|
||||
+ state->errcode = IMAGING_CODEC_OVERRUN;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
if (I16(ptr+4) != 0xF1FA) {
|
||||
state->errcode = IMAGING_CODEC_UNKNOWN;
|
||||
return -1;
|
||||
--
|
||||
2.24.1
|
||||
|
@ -1,130 +0,0 @@
|
||||
From 9c781aa2020eef838284dcb348f4528f3c3cc1ab Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Mon, 14 Jun 2021 09:06:07 +0200
|
||||
Subject: [PATCH 1/5] CVE-2021-25287_25288
|
||||
|
||||
---
|
||||
src/libImaging/Jpeg2KDecode.c | 78 +++++++++++++++++++++++++++--------
|
||||
1 file changed, 61 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/src/libImaging/Jpeg2KDecode.c b/src/libImaging/Jpeg2KDecode.c
|
||||
index 9140e00..fdbd0c0 100644
|
||||
--- a/src/libImaging/Jpeg2KDecode.c
|
||||
+++ b/src/libImaging/Jpeg2KDecode.c
|
||||
@@ -110,6 +110,7 @@ j2ku_gray_l(opj_image_t *in, const JPEG2KTILEINFO *tileinfo,
|
||||
if (shift < 0)
|
||||
offset += 1 << (-shift - 1);
|
||||
|
||||
+ /* csiz*h*w + offset = tileinfo.datasize */
|
||||
switch (csiz) {
|
||||
case 1:
|
||||
for (y = 0; y < h; ++y) {
|
||||
@@ -557,8 +558,10 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
|
||||
opj_dparameters_t params;
|
||||
OPJ_COLOR_SPACE color_space;
|
||||
j2k_unpacker_t unpack = NULL;
|
||||
- size_t buffer_size = 0;
|
||||
- unsigned n;
|
||||
+ size_t buffer_size = 0, tile_bytes = 0;
|
||||
+ unsigned n, tile_height, tile_width;
|
||||
+ int total_component_width = 0;
|
||||
+
|
||||
|
||||
stream = opj_stream_create(BUFFER_SIZE, OPJ_TRUE);
|
||||
|
||||
@@ -703,8 +706,62 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
|
||||
tile_info.x1 = (tile_info.x1 + correction) >> context->reduce;
|
||||
tile_info.y1 = (tile_info.y1 + correction) >> context->reduce;
|
||||
|
||||
+ /* Check the tile bounds; if the tile is outside the image area,
|
||||
+ or if it has a negative width or height (i.e. the coordinates are
|
||||
+ swapped), bail. */
|
||||
+ if (tile_info.x0 >= tile_info.x1
|
||||
+ || tile_info.y0 >= tile_info.y1
|
||||
+ || tile_info.x0 < image->x0
|
||||
+ || tile_info.y0 < image->y0
|
||||
+ || tile_info.x1 - image->x0 > im->xsize
|
||||
+ || tile_info.y1 - image->y0 > im->ysize) {
|
||||
+ state->errcode = IMAGING_CODEC_BROKEN;
|
||||
+ state->state = J2K_STATE_FAILED;
|
||||
+ goto quick_exit;
|
||||
+ }
|
||||
+
|
||||
+ if (tile_info.nb_comps != image->numcomps) {
|
||||
+ state->errcode = IMAGING_CODEC_BROKEN;
|
||||
+ state->state = J2K_STATE_FAILED;
|
||||
+ goto quick_exit;
|
||||
+ }
|
||||
+
|
||||
+ /* Sometimes the tile_info.datasize we get back from openjpeg
|
||||
+ is less than sum(comp_bytes)*w*h, and we overflow in the
|
||||
+ shuffle stage */
|
||||
+
|
||||
+ tile_width = tile_info.x1 - tile_info.x0;
|
||||
+ tile_height = tile_info.y1 - tile_info.y0;
|
||||
+
|
||||
+ /* Total component width = sum (component_width) e.g, it's
|
||||
+ legal for an la file to have a 1 byte width for l, and 4 for
|
||||
+ a. and then a malicious file could have a smaller tile_bytes
|
||||
+ */
|
||||
+
|
||||
+ for (n=0; n < tile_info.nb_comps; n++) {
|
||||
+ // see csize /acsize calcs
|
||||
+ int csize = (image->comps[n].prec + 7) >> 3;
|
||||
+ csize = (csize == 3) ? 4 : csize;
|
||||
+ total_component_width += csize;
|
||||
+ }
|
||||
+ if ((tile_width > UINT_MAX / total_component_width) ||
|
||||
+ (tile_height > UINT_MAX / total_component_width) ||
|
||||
+ (tile_width > UINT_MAX / (tile_height * total_component_width)) ||
|
||||
+ (tile_height > UINT_MAX / (tile_width * total_component_width))) {
|
||||
+
|
||||
+ state->errcode = IMAGING_CODEC_BROKEN;
|
||||
+ state->state = J2K_STATE_FAILED;
|
||||
+ goto quick_exit;
|
||||
+ }
|
||||
+
|
||||
+ tile_bytes = tile_width * tile_height * total_component_width;
|
||||
+
|
||||
+ if (tile_bytes > tile_info.data_size) {
|
||||
+ tile_info.data_size = tile_bytes;
|
||||
+ }
|
||||
+
|
||||
if (buffer_size < tile_info.data_size) {
|
||||
- /* malloc check ok, tile_info.data_size from openjpeg */
|
||||
+ /* malloc check ok, overflow and tile size sanity check above */
|
||||
UINT8 *new = realloc (state->buffer, tile_info.data_size);
|
||||
if (!new) {
|
||||
state->errcode = IMAGING_CODEC_MEMORY;
|
||||
@@ -715,6 +772,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
|
||||
buffer_size = tile_info.data_size;
|
||||
}
|
||||
|
||||
+
|
||||
if (!opj_decode_tile_data(codec,
|
||||
tile_info.tile_index,
|
||||
(OPJ_BYTE *)state->buffer,
|
||||
@@ -725,20 +783,6 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
|
||||
goto quick_exit;
|
||||
}
|
||||
|
||||
- /* Check the tile bounds; if the tile is outside the image area,
|
||||
- or if it has a negative width or height (i.e. the coordinates are
|
||||
- swapped), bail. */
|
||||
- if (tile_info.x0 >= tile_info.x1
|
||||
- || tile_info.y0 >= tile_info.y1
|
||||
- || tile_info.x0 < image->x0
|
||||
- || tile_info.y0 < image->y0
|
||||
- || tile_info.x1 - image->x0 > im->xsize
|
||||
- || tile_info.y1 - image->y0 > im->ysize) {
|
||||
- state->errcode = IMAGING_CODEC_BROKEN;
|
||||
- state->state = J2K_STATE_FAILED;
|
||||
- goto quick_exit;
|
||||
- }
|
||||
-
|
||||
unpack(image, &tile_info, state->buffer, im);
|
||||
}
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,28 +0,0 @@
|
||||
From c558baf01a97aed376a67ff4641f1c3c864ae3f0 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Thu, 8 Apr 2021 17:55:26 +0200
|
||||
Subject: [PATCH 1/4] CVE-2021-25290
|
||||
|
||||
---
|
||||
src/libImaging/TiffDecode.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
|
||||
index f292da3..d17b557 100644
|
||||
--- a/src/libImaging/TiffDecode.c
|
||||
+++ b/src/libImaging/TiffDecode.c
|
||||
@@ -36,6 +36,11 @@ tsize_t _tiffReadProc(thandle_t hdata, tdata_t buf, tsize_t size) {
|
||||
TRACE(("_tiffReadProc: %d \n", (int)size));
|
||||
dump_state(state);
|
||||
|
||||
+ if (state->loc > state->eof) {
|
||||
+ TIFFError("_tiffReadProc", "Invalid Read at loc %d, eof: %d", state->loc, state->eof);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
to_read = min(size, min(state->size, (tsize_t)state->eof) - (tsize_t)state->loc);
|
||||
TRACE(("to_read: %d\n", (int)to_read));
|
||||
|
||||
--
|
||||
2.30.2
|
||||
|
@ -1,27 +0,0 @@
|
||||
From f60b6ae79d3c2e759f54bb4acb62b4c49f89fef2 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Thu, 8 Apr 2021 17:59:21 +0200
|
||||
Subject: [PATCH 2/4] CVE-2021-25292
|
||||
|
||||
---
|
||||
src/PIL/PdfParser.py | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/PIL/PdfParser.py b/src/PIL/PdfParser.py
|
||||
index b6938fd..189aed8 100644
|
||||
--- a/src/PIL/PdfParser.py
|
||||
+++ b/src/PIL/PdfParser.py
|
||||
@@ -562,8 +562,9 @@ class PdfParser:
|
||||
whitespace_or_hex = br"[\000\011\012\014\015\0400-9a-fA-F]"
|
||||
whitespace_optional = whitespace + b"*"
|
||||
whitespace_mandatory = whitespace + b"+"
|
||||
+ whitespace_optional_no_nl = br"[\000\011\014\015\040]*" # no "\012" aka "\n"
|
||||
newline_only = br"[\r\n]+"
|
||||
- newline = whitespace_optional + newline_only + whitespace_optional
|
||||
+ newline = whitespace_optional_no_nl + newline_only + whitespace_optional_no_nl
|
||||
re_trailer_end = re.compile(whitespace_mandatory + br"trailer" + whitespace_optional + br"\<\<(.*\>\>)" + newline
|
||||
+ br"startxref" + newline + br"([0-9]+)" + newline + br"%%EOF" + whitespace_optional + br"$", re.DOTALL)
|
||||
re_trailer_prev = re.compile(whitespace_optional + br"trailer" + whitespace_optional + br"\<\<(.*?\>\>)" + newline
|
||||
--
|
||||
2.30.2
|
||||
|
@ -1,207 +0,0 @@
|
||||
From 1312c5426e7dd84e396ef2ff35aa09b64d92d382 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Fri, 9 Apr 2021 19:33:55 +0200
|
||||
Subject: [PATCH 3/4] CVE-2021-25293
|
||||
|
||||
---
|
||||
src/libImaging/SgiRleDecode.c | 88 +++++++++++++++++++++++++++++------
|
||||
1 file changed, 75 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
|
||||
index 2259159..85af456 100644
|
||||
--- a/src/libImaging/SgiRleDecode.c
|
||||
+++ b/src/libImaging/SgiRleDecode.c
|
||||
@@ -25,13 +25,60 @@ static void read4B(UINT32* dest, UINT8* buf)
|
||||
*dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
|
||||
}
|
||||
|
||||
-static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
||||
+/*
|
||||
+ SgiRleDecoding is done in a single channel row oriented set of RLE chunks.
|
||||
+
|
||||
+ * The file is arranged as
|
||||
+ - SGI Header
|
||||
+ - Rle Offset Table
|
||||
+ - Rle Length Table
|
||||
+ - Scanline Data
|
||||
+
|
||||
+ * Each RLE atom is c->bpc bytes wide (1 or 2)
|
||||
+
|
||||
+ * Each RLE Chunk is [specifier atom] [ 1 or n data atoms ]
|
||||
+
|
||||
+ * Copy Atoms are a byte with the high bit set, and the low 7 are
|
||||
+ the number of bytes to copy from the source to the
|
||||
+ destination. e.g.
|
||||
+
|
||||
+ CBBBBBBBB or 0CHLHLHLHLHLHL (B=byte, H/L = Hi low bytes)
|
||||
+
|
||||
+ * Run atoms do not have the high bit set, and the low 7 bits are
|
||||
+ the number of copies of the next atom to copy to the
|
||||
+ destination. e.g.:
|
||||
+
|
||||
+ RB -> BBBBB or RHL -> HLHLHLHLHL
|
||||
+
|
||||
+ The upshot of this is, there is no way to determine the required
|
||||
+ length of the input buffer from reloffset and rlelength without
|
||||
+ going through the data at that scan line.
|
||||
+
|
||||
+ Furthermore, there's no requirement that individual scan lines
|
||||
+ pointed to from the rleoffset table are in any sort of order or
|
||||
+ used only once, or even disjoint. There's also no requirement that
|
||||
+ all of the data in the scan line area of the image file be used
|
||||
+
|
||||
+ */
|
||||
+
|
||||
+static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize, UINT8 *end_of_buffer)
|
||||
{
|
||||
+ /*
|
||||
+ * n here is the number of rlechunks
|
||||
+ * z is the number of channels, for calculating the interleave
|
||||
+ * offset to go to RGBA style pixels
|
||||
+ * xsize is the row width
|
||||
+ * end_of_buffer is the address of the end of the input buffer
|
||||
+ */
|
||||
+
|
||||
UINT8 pixel, count;
|
||||
int x = 0;
|
||||
|
||||
for (;n > 0; n--)
|
||||
{
|
||||
+ if (src > end_of_buffer) {
|
||||
+ return -1;
|
||||
+ }
|
||||
pixel = *src++;
|
||||
if (n == 1 && pixel != 0)
|
||||
return n;
|
||||
@@ -43,6 +90,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
||||
}
|
||||
x += count;
|
||||
if (pixel & RLE_COPY_FLAG) {
|
||||
+ if (src + count > end_of_buffer) {
|
||||
+ return -1;
|
||||
+ }
|
||||
while(count--) {
|
||||
*dest = *src++;
|
||||
dest += z;
|
||||
@@ -50,6 +100,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
||||
|
||||
}
|
||||
else {
|
||||
+ if (src > end_of_buffer) {
|
||||
+ return -1;
|
||||
+ }
|
||||
pixel = *src++;
|
||||
while (count--) {
|
||||
*dest = pixel;
|
||||
@@ -61,7 +114,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
||||
+static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize, UINT8 *end_of_buffer)
|
||||
{
|
||||
UINT8 pixel, count;
|
||||
|
||||
@@ -69,6 +122,9 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
||||
|
||||
for (;n > 0; n--)
|
||||
{
|
||||
+ if (src + 1 > end_of_buffer) {
|
||||
+ return -1;
|
||||
+ }
|
||||
pixel = ((UINT8*)src)[1];
|
||||
++src;
|
||||
if (n == 1 && pixel != 0)
|
||||
@@ -81,12 +137,18 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
|
||||
}
|
||||
x += count;
|
||||
if (pixel & RLE_COPY_FLAG) {
|
||||
+ if (src + 2 * count > end_of_buffer) {
|
||||
+ return -1;
|
||||
+ }
|
||||
while(count--) {
|
||||
*dest = *src++;
|
||||
dest += z;
|
||||
}
|
||||
}
|
||||
else {
|
||||
+ if (src + 2 > end_of_buffer) {
|
||||
+ return -1;
|
||||
+ }
|
||||
while (count--) {
|
||||
*dest = *src;
|
||||
dest += z;
|
||||
@@ -136,8 +198,10 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
return -1;
|
||||
}
|
||||
_imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
|
||||
- _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
|
||||
-
|
||||
+ if (_imaging_read_pyFd(state->fd, (char *)ptr, c->bufsize) != c->bufsize) {
|
||||
+ state->errcode = IMAGING_CODEC_UNKNOWN;
|
||||
+ return -1;
|
||||
+ }
|
||||
|
||||
/* decoder initialization */
|
||||
state->count = 0;
|
||||
@@ -168,8 +232,6 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
for (c->tabindex = 0, c->bufindex = c->tablen * sizeof(UINT32); c->tabindex < c->tablen; c->tabindex++, c->bufindex+=4)
|
||||
read4B(&c->lengthtab[c->tabindex], &ptr[c->bufindex]);
|
||||
|
||||
- state->count += c->tablen * sizeof(UINT32) * 2;
|
||||
-
|
||||
/* read compressed rows */
|
||||
for (c->rowno = 0; c->rowno < im->ysize; c->rowno++, state->y += state->ystep)
|
||||
{
|
||||
@@ -177,19 +239,21 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
{
|
||||
c->rleoffset = c->starttab[c->rowno + c->channo * im->ysize];
|
||||
c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize];
|
||||
- c->rleoffset -= SGI_HEADER_SIZE;
|
||||
|
||||
- if (c->rleoffset + c->rlelength > c->bufsize) {
|
||||
+ // Check for underflow of rleoffset-SGI_HEADER_SIZE
|
||||
+ if (c->rleoffset < SGI_HEADER_SIZE) {
|
||||
state->errcode = IMAGING_CODEC_OVERRUN;
|
||||
goto sgi_finish_decode;
|
||||
}
|
||||
|
||||
+ c->rleoffset -= SGI_HEADER_SIZE;
|
||||
+
|
||||
/* row decompression */
|
||||
if (c->bpc ==1) {
|
||||
- status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
|
||||
+ status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize, &ptr[c->bufsize-1]);
|
||||
}
|
||||
else {
|
||||
- status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
|
||||
+ status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize, &ptr[c->bufsize-1]);
|
||||
}
|
||||
if (status == -1) {
|
||||
state->errcode = IMAGING_CODEC_OVERRUN;
|
||||
@@ -198,7 +262,6 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
goto sgi_finish_decode;
|
||||
}
|
||||
|
||||
- state->count += c->rlelength;
|
||||
}
|
||||
|
||||
/* store decompressed data in image */
|
||||
@@ -206,7 +269,6 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
|
||||
|
||||
}
|
||||
|
||||
- c->bufsize++;
|
||||
|
||||
sgi_finish_decode: ;
|
||||
|
||||
@@ -217,5 +279,5 @@ sgi_finish_decode: ;
|
||||
state->errcode=err;
|
||||
return -1;
|
||||
}
|
||||
- return state->count - c->bufsize;
|
||||
+ return 0;
|
||||
}
|
||||
--
|
||||
2.30.2
|
||||
|
@ -1,58 +0,0 @@
|
||||
From 357fef8b4bd076e3a15e7ffc58a475626794c7e3 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Fri, 9 Apr 2021 19:41:58 +0200
|
||||
Subject: [PATCH 4/4] CVE-2021-27921_27922_27923
|
||||
|
||||
---
|
||||
src/PIL/BlpImagePlugin.py | 1 +
|
||||
src/PIL/IcnsImagePlugin.py | 2 ++
|
||||
src/PIL/IcoImagePlugin.py | 1 +
|
||||
3 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
|
||||
index ec358db..d56d46c 100644
|
||||
--- a/src/PIL/BlpImagePlugin.py
|
||||
+++ b/src/PIL/BlpImagePlugin.py
|
||||
@@ -362,6 +362,7 @@ class BLP1Decoder(_BLPBaseDecoder):
|
||||
data = jpeg_header + data
|
||||
data = BytesIO(data)
|
||||
image = JpegImageFile(data)
|
||||
+ Image._decompression_bomb_check(image.size)
|
||||
self.tile = image.tile # :/
|
||||
self.fd = image.fp
|
||||
self.mode = image.mode
|
||||
diff --git a/src/PIL/IcnsImagePlugin.py b/src/PIL/IcnsImagePlugin.py
|
||||
index b382a73..2292584 100644
|
||||
--- a/src/PIL/IcnsImagePlugin.py
|
||||
+++ b/src/PIL/IcnsImagePlugin.py
|
||||
@@ -110,6 +110,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
|
||||
if sig[:8] == b'\x89PNG\x0d\x0a\x1a\x0a':
|
||||
fobj.seek(start)
|
||||
im = PngImagePlugin.PngImageFile(fobj)
|
||||
+ Image._decompression_bomb_check(im.size)
|
||||
return {"RGBA": im}
|
||||
elif sig[:4] == b'\xff\x4f\xff\x51' \
|
||||
or sig[:4] == b'\x0d\x0a\x87\x0a' \
|
||||
@@ -122,6 +123,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
|
||||
jp2kstream = fobj.read(length)
|
||||
f = io.BytesIO(jp2kstream)
|
||||
im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
|
||||
+ Image._decompression_bomb_check(im.size)
|
||||
if im.mode != 'RGBA':
|
||||
im = im.convert('RGBA')
|
||||
return {"RGBA": im}
|
||||
diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
|
||||
index 2b6d1e0..30412ad 100644
|
||||
--- a/src/PIL/IcoImagePlugin.py
|
||||
+++ b/src/PIL/IcoImagePlugin.py
|
||||
@@ -164,6 +164,7 @@ class IcoFile(object):
|
||||
if data[:8] == PngImagePlugin._MAGIC:
|
||||
# png frame
|
||||
im = PngImagePlugin.PngImageFile(self.buf)
|
||||
+ Image._decompression_bomb_check(im.size)
|
||||
else:
|
||||
# XOR + AND mask bmp frame
|
||||
im = BmpImagePlugin.DibImageFile(self.buf)
|
||||
--
|
||||
2.30.2
|
||||
|
@ -1,146 +0,0 @@
|
||||
From 7fe3dff241c11206616bf6229be898854ce0d066 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Mon, 14 Jun 2021 11:33:36 +0200
|
||||
Subject: [PATCH] CVE-2021-28675
|
||||
|
||||
---
|
||||
src/PIL/ImageFile.py | 12 ++++++++++--
|
||||
src/PIL/PsdImagePlugin.py | 33 +++++++++++++++++++++++----------
|
||||
2 files changed, 33 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/PIL/ImageFile.py b/src/PIL/ImageFile.py
|
||||
index 1a3c4aa..2cef9ee 100644
|
||||
--- a/src/PIL/ImageFile.py
|
||||
+++ b/src/PIL/ImageFile.py
|
||||
@@ -522,12 +522,18 @@ def _safe_read(fp, size):
|
||||
|
||||
:param fp: File handle. Must implement a <b>read</b> method.
|
||||
:param size: Number of bytes to read.
|
||||
- :returns: A string containing up to <i>size</i> bytes of data.
|
||||
+ :returns: A string containing <i>size</i> bytes of data.
|
||||
+
|
||||
+ Raises an OSError if the file is truncated and the read can not be completed
|
||||
+
|
||||
"""
|
||||
if size <= 0:
|
||||
return b""
|
||||
if size <= SAFEBLOCK:
|
||||
- return fp.read(size)
|
||||
+ data = fp.read(size)
|
||||
+ if len(data) < size:
|
||||
+ raise OSError("Truncated File Read")
|
||||
+ return data
|
||||
data = []
|
||||
while size > 0:
|
||||
block = fp.read(min(size, SAFEBLOCK))
|
||||
@@ -535,6 +541,8 @@ def _safe_read(fp, size):
|
||||
break
|
||||
data.append(block)
|
||||
size -= len(block)
|
||||
+ if sum(len(d) for d in data) < size:
|
||||
+ raise OSError("Truncated File Read")
|
||||
return b"".join(data)
|
||||
|
||||
|
||||
diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py
|
||||
index fe2a2ff..add9996 100644
|
||||
--- a/src/PIL/PsdImagePlugin.py
|
||||
+++ b/src/PIL/PsdImagePlugin.py
|
||||
@@ -18,6 +18,8 @@
|
||||
|
||||
__version__ = "0.4"
|
||||
|
||||
+import io
|
||||
+
|
||||
from . import Image, ImageFile, ImagePalette
|
||||
from ._binary import i8, i16be as i16, i32be as i32
|
||||
|
||||
@@ -114,7 +116,8 @@ class PsdImageFile(ImageFile.ImageFile):
|
||||
end = self.fp.tell() + size
|
||||
size = i32(read(4))
|
||||
if size:
|
||||
- self.layers = _layerinfo(self.fp)
|
||||
+ _layer_data = io.BytesIO(ImageFile._safe_read(self.fp, size))
|
||||
+ self.layers = _layerinfo(_layer_data, size)
|
||||
self.fp.seek(end)
|
||||
|
||||
#
|
||||
@@ -164,11 +167,20 @@ class PsdImageFile(ImageFile.ImageFile):
|
||||
Image.Image.load(self)
|
||||
|
||||
|
||||
-def _layerinfo(file):
|
||||
+def _layerinfo(fp, ct_bytes):
|
||||
# read layerinfo block
|
||||
layers = []
|
||||
- read = file.read
|
||||
- for i in range(abs(i16(read(2)))):
|
||||
+
|
||||
+ def read(size):
|
||||
+ return ImageFile._safe_read(fp, size)
|
||||
+
|
||||
+ ct = i16(read(2))
|
||||
+
|
||||
+ # sanity check
|
||||
+ if ct_bytes < (abs(ct) * 20):
|
||||
+ raise SyntaxError("Layer block too short for number of layers requested")
|
||||
+
|
||||
+ for i in range(abs(ct)):
|
||||
|
||||
# bounding box
|
||||
y0 = i32(read(4))
|
||||
@@ -179,7 +191,8 @@ def _layerinfo(file):
|
||||
# image info
|
||||
info = []
|
||||
mode = []
|
||||
- types = list(range(i16(read(2))))
|
||||
+ ct_types = i16(read(2))
|
||||
+ types = list(range(ct_types))
|
||||
if len(types) > 4:
|
||||
continue
|
||||
|
||||
@@ -212,7 +225,7 @@ def _layerinfo(file):
|
||||
size = i32(read(4)) # length of the extra data field
|
||||
combined = 0
|
||||
if size:
|
||||
- data_end = file.tell() + size
|
||||
+ data_end = fp.tell() + size
|
||||
|
||||
length = i32(read(4))
|
||||
if length:
|
||||
@@ -220,12 +233,12 @@ def _layerinfo(file):
|
||||
mask_x = i32(read(4))
|
||||
mask_h = i32(read(4)) - mask_y
|
||||
mask_w = i32(read(4)) - mask_x
|
||||
- file.seek(length - 16, 1)
|
||||
+ fp.seek(length - 16, 1)
|
||||
combined += length + 4
|
||||
|
||||
length = i32(read(4))
|
||||
if length:
|
||||
- file.seek(length, 1)
|
||||
+ fp.seek(length, 1)
|
||||
combined += length + 4
|
||||
|
||||
length = i8(read(1))
|
||||
@@ -235,7 +248,7 @@ def _layerinfo(file):
|
||||
name = read(length).decode('latin-1', 'replace')
|
||||
combined += length + 1
|
||||
|
||||
- file.seek(data_end)
|
||||
+ fp.seek(data_end)
|
||||
layers.append((name, mode, (x0, y0, x1, y1)))
|
||||
|
||||
# get tiles
|
||||
@@ -243,7 +256,7 @@ def _layerinfo(file):
|
||||
for name, mode, bbox in layers:
|
||||
tile = []
|
||||
for m in mode:
|
||||
- t = _maketile(file, m, bbox, 1)
|
||||
+ t = _maketile(fp, m, bbox, 1)
|
||||
if t:
|
||||
tile.extend(t)
|
||||
layers[i] = name, mode, bbox, tile
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,28 +0,0 @@
|
||||
From cedb7ba568161021bc2f2f48af95fcf33e262f77 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Mon, 14 Jun 2021 09:30:01 +0200
|
||||
Subject: [PATCH 4/5] CVE-2021-28676
|
||||
|
||||
---
|
||||
src/libImaging/FliDecode.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
|
||||
index 72ba138..9181b8b 100644
|
||||
--- a/src/libImaging/FliDecode.c
|
||||
+++ b/src/libImaging/FliDecode.c
|
||||
@@ -209,6 +209,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
|
||||
return -1;
|
||||
}
|
||||
advance = I32(ptr);
|
||||
+ if (advance == 0 ) {
|
||||
+ // If there's no advance, we're in in infinite loop
|
||||
+ state->errcode = IMAGING_CODEC_BROKEN;
|
||||
+ return -1;
|
||||
+ }
|
||||
ptr += advance;
|
||||
bytes -= advance;
|
||||
}
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 8ad7b436649c424e22689a8a874c1b0cd7c1c0fc Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Mon, 14 Jun 2021 09:22:45 +0200
|
||||
Subject: [PATCH 3/5] CVE-2021-28677
|
||||
|
||||
---
|
||||
src/PIL/EpsImagePlugin.py | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/PIL/EpsImagePlugin.py b/src/PIL/EpsImagePlugin.py
|
||||
index b503487..5f5af15 100644
|
||||
--- a/src/PIL/EpsImagePlugin.py
|
||||
+++ b/src/PIL/EpsImagePlugin.py
|
||||
@@ -167,12 +167,12 @@ class PSFile(object):
|
||||
self.fp.seek(offset, whence)
|
||||
|
||||
def readline(self):
|
||||
- s = self.char or b""
|
||||
+ s = [self.char or b""]
|
||||
self.char = None
|
||||
|
||||
c = self.fp.read(1)
|
||||
- while c not in b"\r\n":
|
||||
- s = s + c
|
||||
+ while (c not in b"\r\n") and len(c):
|
||||
+ s.append(c)
|
||||
c = self.fp.read(1)
|
||||
|
||||
self.char = self.fp.read(1)
|
||||
@@ -180,7 +180,7 @@ class PSFile(object):
|
||||
if self.char in b"\r\n":
|
||||
self.char = None
|
||||
|
||||
- return s.decode('latin-1')
|
||||
+ return b"".join(s).decode("latin-1")
|
||||
|
||||
|
||||
def _accept(prefix):
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,122 +0,0 @@
|
||||
From eaef29c3696cd021147e692360997f4c12377c60 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Mon, 14 Jun 2021 09:19:50 +0200
|
||||
Subject: [PATCH 2/5] CVE-2021-28678
|
||||
|
||||
---
|
||||
src/PIL/BlpImagePlugin.py | 43 +++++++++++++++++++++------------------
|
||||
1 file changed, 23 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
|
||||
index d56d46c..846c83d 100644
|
||||
--- a/src/PIL/BlpImagePlugin.py
|
||||
+++ b/src/PIL/BlpImagePlugin.py
|
||||
@@ -294,33 +294,36 @@ class _BLPBaseDecoder(ImageFile.PyDecoder):
|
||||
raise IOError("Truncated Blp file")
|
||||
return 0, 0
|
||||
|
||||
+ def _safe_read(self, length):
|
||||
+ return ImageFile._safe_read(self.fd, length)
|
||||
+
|
||||
def _read_palette(self):
|
||||
ret = []
|
||||
for i in range(256):
|
||||
try:
|
||||
- b, g, r, a = struct.unpack("<4B", self.fd.read(4))
|
||||
+ b, g, r, a = struct.unpack("<4B", self._safe_read(4))
|
||||
except struct.error:
|
||||
break
|
||||
ret.append((b, g, r, a))
|
||||
return ret
|
||||
|
||||
def _read_blp_header(self):
|
||||
- self._blp_compression, = struct.unpack("<i", self.fd.read(4))
|
||||
+ self._blp_compression, = struct.unpack("<i", self._safe_read(4))
|
||||
|
||||
- self._blp_encoding, = struct.unpack("<b", self.fd.read(1))
|
||||
- self._blp_alpha_depth, = struct.unpack("<b", self.fd.read(1))
|
||||
- self._blp_alpha_encoding, = struct.unpack("<b", self.fd.read(1))
|
||||
- self._blp_mips, = struct.unpack("<b", self.fd.read(1))
|
||||
+ self._blp_encoding, = struct.unpack("<b", self._safe_read(1))
|
||||
+ self._blp_alpha_depth, = struct.unpack("<b", self._safe_read(1))
|
||||
+ self._blp_alpha_encoding, = struct.unpack("<b", self._safe_read(1))
|
||||
+ self._blp_mips, = struct.unpack("<b", self._safe_read(1))
|
||||
|
||||
- self.size = struct.unpack("<II", self.fd.read(8))
|
||||
+ self.size = struct.unpack("<II", self._safe_read(8))
|
||||
|
||||
if self.magic == b"BLP1":
|
||||
# Only present for BLP1
|
||||
- self._blp_encoding, = struct.unpack("<i", self.fd.read(4))
|
||||
- self._blp_subtype, = struct.unpack("<i", self.fd.read(4))
|
||||
+ self._blp_encoding, = struct.unpack("<i", self._safe_read(4))
|
||||
+ self._blp_subtype, = struct.unpack("<i", self._safe_read(4))
|
||||
|
||||
- self._blp_offsets = struct.unpack("<16I", self.fd.read(16 * 4))
|
||||
- self._blp_lengths = struct.unpack("<16I", self.fd.read(16 * 4))
|
||||
+ self._blp_offsets = struct.unpack("<16I", self._safe_read(16 * 4))
|
||||
+ self._blp_lengths = struct.unpack("<16I", self._safe_read(16 * 4))
|
||||
|
||||
|
||||
class BLP1Decoder(_BLPBaseDecoder):
|
||||
@@ -333,7 +336,7 @@ class BLP1Decoder(_BLPBaseDecoder):
|
||||
if self._blp_encoding in (4, 5):
|
||||
data = bytearray()
|
||||
palette = self._read_palette()
|
||||
- _data = BytesIO(self.fd.read(self._blp_lengths[0]))
|
||||
+ _data = BytesIO(self._safe_read(self._blp_lengths[0]))
|
||||
while True:
|
||||
try:
|
||||
offset, = struct.unpack("<B", _data.read(1))
|
||||
@@ -355,10 +358,10 @@ class BLP1Decoder(_BLPBaseDecoder):
|
||||
def _decode_jpeg_stream(self):
|
||||
from PIL.JpegImagePlugin import JpegImageFile
|
||||
|
||||
- jpeg_header_size, = struct.unpack("<I", self.fd.read(4))
|
||||
- jpeg_header = self.fd.read(jpeg_header_size)
|
||||
- self.fd.read(self._blp_offsets[0] - self.fd.tell()) # What IS this?
|
||||
- data = self.fd.read(self._blp_lengths[0])
|
||||
+ jpeg_header_size, = struct.unpack("<I", self._safe_read(4))
|
||||
+ jpeg_header = self._safe_read(jpeg_header_size)
|
||||
+ self._safe_read(self._blp_offsets[0] - self.fd.tell()) # What IS this?
|
||||
+ data = self._safe_read(self._blp_lengths[0])
|
||||
data = jpeg_header + data
|
||||
data = BytesIO(data)
|
||||
image = JpegImageFile(data)
|
||||
@@ -380,7 +383,7 @@ class BLP2Decoder(_BLPBaseDecoder):
|
||||
# Uncompressed or DirectX compression
|
||||
|
||||
if self._blp_encoding == BLP_ENCODING_UNCOMPRESSED:
|
||||
- _data = BytesIO(self.fd.read(self._blp_lengths[0]))
|
||||
+ _data = BytesIO(self._safe_read(self._blp_lengths[0]))
|
||||
while True:
|
||||
try:
|
||||
offset, = struct.unpack("<B", _data.read(1))
|
||||
@@ -394,7 +397,7 @@ class BLP2Decoder(_BLPBaseDecoder):
|
||||
linesize = (self.size[0] + 3) // 4 * 8
|
||||
for yb in range((self.size[1] + 3) // 4):
|
||||
for d in decode_dxt1(
|
||||
- self.fd.read(linesize),
|
||||
+ self._safe_read(linesize),
|
||||
alpha=bool(self._blp_alpha_depth)
|
||||
):
|
||||
data += d
|
||||
@@ -402,13 +405,13 @@ class BLP2Decoder(_BLPBaseDecoder):
|
||||
elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT3:
|
||||
linesize = (self.size[0] + 3) // 4 * 16
|
||||
for yb in range((self.size[1] + 3) // 4):
|
||||
- for d in decode_dxt3(self.fd.read(linesize)):
|
||||
+ for d in decode_dxt3(self._safe_read(linesize)):
|
||||
data += d
|
||||
|
||||
elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT5:
|
||||
linesize = (self.size[0] + 3) // 4 * 16
|
||||
for yb in range((self.size[1] + 3) // 4):
|
||||
- for d in decode_dxt5(self.fd.read(linesize)):
|
||||
+ for d in decode_dxt5(self._safe_read(linesize)):
|
||||
data += d
|
||||
else:
|
||||
raise BLPFormatError("Unsupported alpha encoding %r" % (
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,33 +0,0 @@
|
||||
diff --git a/src/libImaging/Convert.c b/src/libImaging/Convert.c
|
||||
index b3e48e5..cfed8ad 100644
|
||||
--- a/src/libImaging/Convert.c
|
||||
+++ b/src/libImaging/Convert.c
|
||||
@@ -1338,9 +1338,8 @@ convert(Imaging imOut, Imaging imIn, const char *mode,
|
||||
return (Imaging) ImagingError_ValueError("conversion not supported");
|
||||
#else
|
||||
{
|
||||
- static char buf[256];
|
||||
- /* FIXME: may overflow if mode is too large */
|
||||
- sprintf(buf, "conversion from %s to %s not supported", imIn->mode, mode);
|
||||
+ static char buf[100];
|
||||
+ snprintf(buf, 100, "conversion from %.10s to %.10s not supported", imIn->mode, mode);
|
||||
return (Imaging) ImagingError_ValueError(buf);
|
||||
}
|
||||
#endif
|
||||
@@ -1394,9 +1393,13 @@ ImagingConvertTransparent(Imaging imIn, const char *mode,
|
||||
}
|
||||
#else
|
||||
{
|
||||
- static char buf[256];
|
||||
- /* FIXME: may overflow if mode is too large */
|
||||
- sprintf(buf, "conversion from %s to %s not supported in convert_transparent", imIn->mode, mode);
|
||||
+ static char buf[100];
|
||||
+ snprintf(
|
||||
+ buf,
|
||||
+ 100,
|
||||
+ "conversion from %.10s to %.10s not supported in convert_transparent",
|
||||
+ imIn->mode,
|
||||
+ mode);
|
||||
return (Imaging) ImagingError_ValueError(buf);
|
||||
}
|
||||
#endif
|
@ -1,69 +0,0 @@
|
||||
diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
|
||||
index 98a6d34..733fd29 100644
|
||||
--- a/Tests/test_imagepath.py
|
||||
+++ b/Tests/test_imagepath.py
|
||||
@@ -67,6 +67,11 @@ class TestImagePath(PillowTestCase):
|
||||
p = ImagePath.Path(arr.tostring())
|
||||
self.assertEqual(list(p), [(0.0, 1.0)])
|
||||
|
||||
+ def test_getbbox(self):
|
||||
+ for coords in (0,1):
|
||||
+ p = ImagePath.Path(coords)
|
||||
+ self.assertEqual(p.getbbox(), (0.0, 0.0, 0.0, 0.0))
|
||||
+
|
||||
def test_overflow_segfault(self):
|
||||
# Some Pythons fail getting the argument as an integer, and it falls
|
||||
# through to the sequence. Seeing this on 32-bit Windows.
|
||||
diff --git a/src/path.c b/src/path.c
|
||||
index eb1e065..5215f87 100644
|
||||
--- a/src/path.c
|
||||
+++ b/src/path.c
|
||||
@@ -62,7 +62,7 @@ alloc_array(Py_ssize_t count)
|
||||
PyErr_NoMemory();
|
||||
return NULL;
|
||||
}
|
||||
- xy = malloc(2 * count * sizeof(double) + 1);
|
||||
+ xy = calloc(2 * count + 1, sizeof(double));
|
||||
if (!xy)
|
||||
PyErr_NoMemory();
|
||||
return xy;
|
||||
@@ -330,18 +330,27 @@ path_getbbox(PyPathObject* self, PyObject* args)
|
||||
|
||||
xy = self->xy;
|
||||
|
||||
- x0 = x1 = xy[0];
|
||||
- y0 = y1 = xy[1];
|
||||
-
|
||||
- for (i = 1; i < self->count; i++) {
|
||||
- if (xy[i+i] < x0)
|
||||
- x0 = xy[i+i];
|
||||
- if (xy[i+i] > x1)
|
||||
- x1 = xy[i+i];
|
||||
- if (xy[i+i+1] < y0)
|
||||
- y0 = xy[i+i+1];
|
||||
- if (xy[i+i+1] > y1)
|
||||
- y1 = xy[i+i+1];
|
||||
+ if (self->count == 0) {
|
||||
+ x0 = x1 = 0;
|
||||
+ y0 = y1 = 0;
|
||||
+ } else {
|
||||
+ x0 = x1 = xy[0];
|
||||
+ y0 = y1 = xy[1];
|
||||
+
|
||||
+ for (i = 1; i < self->count; i++) {
|
||||
+ if (xy[i + i] < x0) {
|
||||
+ x0 = xy[i + i];
|
||||
+ }
|
||||
+ if (xy[i + i] > x1) {
|
||||
+ x1 = xy[i + i];
|
||||
+ }
|
||||
+ if (xy[i + i + 1] < y0) {
|
||||
+ y0 = xy[i + i + 1];
|
||||
+ }
|
||||
+ if (xy[i + i + 1] > y1) {
|
||||
+ y1 = xy[i + i + 1];
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
return Py_BuildValue("dddd", x0, y0, x1, y1);
|
@ -1,41 +0,0 @@
|
||||
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
|
||||
index 2329b74..d3b7ba3 100644
|
||||
--- a/Tests/test_imagemath.py
|
||||
+++ b/Tests/test_imagemath.py
|
||||
@@ -58,6 +58,12 @@ class TestImageMath(PillowTestCase):
|
||||
self.assertEqual(pixel(
|
||||
ImageMath.eval("float(B)**33", images)), "F 8589934592.0")
|
||||
|
||||
+ def test_prevent_exec(self):
|
||||
+ self.assertRaises(ValueError, ImageMath.eval("exec('pass')"))
|
||||
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
|
||||
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
|
||||
+
|
||||
+
|
||||
def test_logical(self):
|
||||
self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
|
||||
self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2")
|
||||
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
|
||||
index c5bea70..13839e4 100644
|
||||
--- a/src/PIL/ImageMath.py
|
||||
+++ b/src/PIL/ImageMath.py
|
||||
@@ -263,7 +263,18 @@ def eval(expression, _dict={}, **kw):
|
||||
if hasattr(v, "im"):
|
||||
args[k] = _Operand(v)
|
||||
|
||||
- out = builtins.eval(expression, args)
|
||||
+ compiled_code = compile(expression, "<string>", "eval")
|
||||
+ def scan(code):
|
||||
+ for const in code.co_consts:
|
||||
+ if type(const) == type(compiled_code):
|
||||
+ scan(const)
|
||||
+
|
||||
+ for name in code.co_names:
|
||||
+ if name not in args and name != "abs":
|
||||
+ raise ValueError(f"'{name}' not allowed")
|
||||
+
|
||||
+ scan(compiled_code)
|
||||
+ out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
|
||||
try:
|
||||
return out.im
|
||||
except AttributeError:
|
@ -1,91 +0,0 @@
|
||||
From fc055dbef875b477c27196e10c61f98aeb23d62c Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Fri, 10 Nov 2023 15:39:41 +0100
|
||||
Subject: [PATCH] CVE-2023-44271
|
||||
|
||||
---
|
||||
docs/reference/ImageFont.rst | 9 +++++++++
|
||||
src/PIL/ImageFont.py | 12 ++++++++++++
|
||||
2 files changed, 21 insertions(+)
|
||||
|
||||
diff --git a/docs/reference/ImageFont.rst b/docs/reference/ImageFont.rst
|
||||
index 76fde44..21b9d9d 100644
|
||||
--- a/docs/reference/ImageFont.rst
|
||||
+++ b/docs/reference/ImageFont.rst
|
||||
@@ -17,6 +17,15 @@ OpenType fonts (as well as other font formats supported by the FreeType
|
||||
library). For earlier versions, TrueType support is only available as part of
|
||||
the imToolkit package
|
||||
|
||||
+.. warning::
|
||||
+ To protect against potential DOS attacks when using arbitrary strings as
|
||||
+ text input, Pillow will raise a ``ValueError`` if the number of characters
|
||||
+ is over a certain limit, :py:data:`MAX_STRING_LENGTH`.
|
||||
+
|
||||
+ This threshold can be changed by setting
|
||||
+ :py:data:`MAX_STRING_LENGTH`. It can be disabled by setting
|
||||
+ ``ImageFont.MAX_STRING_LENGTH = None``.
|
||||
+
|
||||
Example
|
||||
-------
|
||||
|
||||
diff --git a/src/PIL/ImageFont.py b/src/PIL/ImageFont.py
|
||||
index f3b55e0..7e7b62f 100644
|
||||
--- a/src/PIL/ImageFont.py
|
||||
+++ b/src/PIL/ImageFont.py
|
||||
@@ -39,6 +39,8 @@ class _imagingft_not_installed(object):
|
||||
def __getattr__(self, id):
|
||||
raise ImportError("The _imagingft C module is not installed")
|
||||
|
||||
+MAX_STRING_LENGTH = 1_000_000
|
||||
+
|
||||
|
||||
try:
|
||||
from . import _imagingft as core
|
||||
@@ -46,6 +48,12 @@ except ImportError:
|
||||
core = _imagingft_not_installed()
|
||||
|
||||
|
||||
+def _string_length_check(text):
|
||||
+ if MAX_STRING_LENGTH is not None and len(text) > MAX_STRING_LENGTH:
|
||||
+ msg = "too many characters in string"
|
||||
+ raise ValueError(msg)
|
||||
+
|
||||
+
|
||||
# FIXME: add support for pilfont2 format (see FontFile.py)
|
||||
|
||||
# --------------------------------------------------------------------
|
||||
@@ -109,6 +117,7 @@ class ImageFont(object):
|
||||
self.font = Image.core.font(image.im, data)
|
||||
|
||||
def getsize(self, text, *args, **kwargs):
|
||||
+ _string_length_check(text)
|
||||
return self.font.getsize(text)
|
||||
|
||||
def getmask(self, text, mode="", *args, **kwargs):
|
||||
@@ -154,6 +163,7 @@ class FreeTypeFont(object):
|
||||
return self.font.ascent, self.font.descent
|
||||
|
||||
def getsize(self, text, direction=None, features=None):
|
||||
+ _string_length_check(text)
|
||||
size, offset = self.font.getsize(text, direction, features)
|
||||
return (size[0] + offset[0], size[1] + offset[1])
|
||||
|
||||
@@ -164,6 +174,7 @@ class FreeTypeFont(object):
|
||||
return self.getmask2(text, mode, direction=direction, features=features)[0]
|
||||
|
||||
def getmask2(self, text, mode="", fill=Image.core.fill, direction=None, features=None, *args, **kwargs):
|
||||
+ _string_length_check(text)
|
||||
size, offset = self.font.getsize(text, direction, features)
|
||||
im = fill("L", size, 0)
|
||||
self.font.render(text, im.id, mode == "1", direction, features)
|
||||
@@ -205,6 +216,7 @@ class TransposedFont(object):
|
||||
self.orientation = orientation # any 'transpose' argument, or None
|
||||
|
||||
def getsize(self, text, *args, **kwargs):
|
||||
+ _string_length_check(text)
|
||||
w, h = self.font.getsize(text)
|
||||
if self.orientation in (Image.ROTATE_90, Image.ROTATE_270):
|
||||
return h, w
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,46 +0,0 @@
|
||||
From 5c3db10f7a9cafd9b2d145a40864a445b2ee6edc Mon Sep 17 00:00:00 2001
|
||||
From: Eric Soroos <eric-github@soroos.net>
|
||||
Date: Thu, 25 Jan 2024 13:23:56 +0100
|
||||
Subject: [PATCH] Don't allow __ or builtins in env dictionarys for
|
||||
ImageMath.eval
|
||||
|
||||
---
|
||||
Tests/test_imagemath.py | 5 +++++
|
||||
src/PIL/ImageMath.py | 5 +++++
|
||||
2 files changed, 10 insertions(+)
|
||||
|
||||
diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
|
||||
index d3b7ba3..2467078 100644
|
||||
--- a/Tests/test_imagemath.py
|
||||
+++ b/Tests/test_imagemath.py
|
||||
@@ -63,6 +63,11 @@ class TestImageMath(PillowTestCase):
|
||||
self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('pass'))()"))
|
||||
self.assertRaises(ValueError, ImageMath.eval("(lambda: (lambda: exec('pass'))())()"))
|
||||
|
||||
+ def test_prevent_double_underscores(self):
|
||||
+ self.assertRaises(ValueError, ImageMath.eval("1", {"__": None}))
|
||||
+
|
||||
+ def test_prevent_builtins(self):
|
||||
+ self.assertRaises(ValueError, ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}))
|
||||
|
||||
def test_logical(self):
|
||||
self.assertEqual(pixel(ImageMath.eval("not A", images)), 0)
|
||||
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
|
||||
index 13839e4..94108cf 100644
|
||||
--- a/src/PIL/ImageMath.py
|
||||
+++ b/src/PIL/ImageMath.py
|
||||
@@ -257,6 +257,11 @@ def eval(expression, _dict={}, **kw):
|
||||
|
||||
# build execution namespace
|
||||
args = ops.copy()
|
||||
+ for k in list(_dict.keys()) + list(kw.keys()):
|
||||
+ if "__" in k or hasattr(builtins, k):
|
||||
+ msg = f"'{k}' not allowed"
|
||||
+ raise ValueError(msg)
|
||||
+
|
||||
args.update(_dict)
|
||||
args.update(kw)
|
||||
for k, v in list(args.items()):
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,38 +0,0 @@
|
||||
From 2d30e67ec0b77993de62f975aae29266d8d1f784 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Thu, 4 Apr 2024 13:01:56 +0200
|
||||
Subject: [PATCH] CVE-2024-28219
|
||||
|
||||
---
|
||||
src/_imagingcms.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/_imagingcms.c b/src/_imagingcms.c
|
||||
index 5e4196c..4169e28 100644
|
||||
--- a/src/_imagingcms.c
|
||||
+++ b/src/_imagingcms.c
|
||||
@@ -212,8 +212,8 @@ cms_transform_new(cmsHTRANSFORM transform, char* mode_in, char* mode_out)
|
||||
|
||||
self->transform = transform;
|
||||
|
||||
- strcpy(self->mode_in, mode_in);
|
||||
- strcpy(self->mode_out, mode_out);
|
||||
+ strncpy(self->mode_in, mode_in, 8);
|
||||
+ strncpy(self->mode_out, mode_out, 8);
|
||||
|
||||
return (PyObject*) self;
|
||||
}
|
||||
@@ -286,8 +286,8 @@ findLCMStype(char* PILmode)
|
||||
}
|
||||
|
||||
else {
|
||||
- /* take a wild guess... but you probably should fail instead. */
|
||||
- return TYPE_GRAY_8; /* so there's no buffer overrun... */
|
||||
+ /* take a wild guess... */
|
||||
+ return TYPE_GRAY_8;
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,667 +0,0 @@
|
||||
%global py3_incdir %(python3 -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_inc())')
|
||||
%global py3_libbuilddir %(python3 -c 'import sys; import sysconfig; print("lib.{p}-{v[0]}.{v[1]}".format(p=sysconfig.get_platform(), v=sys.version_info))')
|
||||
|
||||
%global srcname pillow
|
||||
# bootstrap building docs (pillow is required by docutils, docutils are
|
||||
# required by sphinx; pillow build-requires sphinx)
|
||||
%global with_docs 1
|
||||
|
||||
Name: python-%{srcname}
|
||||
Version: 5.1.1
|
||||
Release: 21%{?dist}
|
||||
Summary: Python image processing library
|
||||
|
||||
# License: see http://www.pythonware.com/products/pil/license.htm
|
||||
License: MIT
|
||||
URL: http://python-pillow.github.io/
|
||||
Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
|
||||
Patch0: 0001-Fix-potential-un-terminated-buffer-problem-CWE-120.patch
|
||||
Patch1: 0002-Fix-potential-leaked-storage-issues-CWE-772.patch
|
||||
Patch2: 0003-Fix-dereferencing-type-punned-pointer.patch
|
||||
# Combined fixes for CVE-2020-5312 improperly restricted operations on memory buffer in libImaging/PcxDecode.c
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1789533
|
||||
# https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd
|
||||
# and for CVE-2019-16865 reading specially crafted image files leads to allocation of large amounts of memory and denial of service
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1774066
|
||||
# https://github.com/python-pillow/Pillow/commit/cc16025e234b7a7a4dd3a86d2fdc0980698db9cc
|
||||
# https://github.com/python-pillow/Pillow/commit/b36c1bc943d554ba223086c7efb502d080f73905
|
||||
# https://github.com/python-pillow/Pillow/commit/f228d0ccbf6bf9392d7fcd51356ef2cfda80c75a
|
||||
# https://github.com/python-pillow/Pillow/commit/b9693a51c99c260bd66d1affeeab4a226cf7e5a5
|
||||
Patch3: CVE-2020-5312_CVE-2019-16865.patch
|
||||
# Fix for CVE-2020-5311 - out-of-bounds write in expandrow in libImaging/SgiRleDecode.c
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1789535
|
||||
# https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3
|
||||
Patch4: CVE-2020-5311.patch
|
||||
# CVE-2020-5313 out-of-bounds read in ImagingFliDecode when loading FLI images
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b?patch
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1789532
|
||||
Patch5: CVE-2020-5313.patch
|
||||
# CVE-2020-11538 out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/pull/4504/
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1852814
|
||||
Patch6: CVE-2020-11538.patch
|
||||
# CVE-2020-35653 decoding a crafted PCX file could result in buffer over-read
|
||||
# Note that there is a wrong CVE number in the commit msg
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1915432
|
||||
Patch7: CVE-2020-35653.patch
|
||||
# CVE-2020-35655 decoding crafted SGI RLE image files could result in buffer over-read
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/120eea2e4547a7d1826afdf01563035844f0b7d5
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-35653
|
||||
Patch8: CVE-2020-35655.patch
|
||||
# CVE-2021-25290 negative-offset memcpy with an invalid size in TiffDecode.c
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/86f02f7c70862a0954bfe8133736d352db978eaa
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1934685
|
||||
Patch9: CVE-2021-25290.patch
|
||||
# CVE-2021-25292 backtracking regex in PDF parser could be used as a DOS attack
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/3bce145966374dd39ce58a6fc0083f8d1890719c
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25292
|
||||
Patch10: CVE-2021-25292.patch
|
||||
# CVE-2021-25293 out-of-bounds read in SGIRleDecode.c
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/4853e522bddbec66022c0915b9a56255d0188bf9
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25293
|
||||
Patch11: CVE-2021-25293.patch
|
||||
# CVE-2021-27921 reported size of a contained image is not properly checked for a BLP container
|
||||
# CVE-2021-27922 reported size of a contained image is not properly checked for an ICNS container
|
||||
# CVE-2021-27923 reported size of a contained image is not properly checked for an ICO container
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/480f6819b592d7f07b9a9a52a7656c10bbe07442
|
||||
# Tracking bugs:
|
||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27921
|
||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27922
|
||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27923
|
||||
Patch12: CVE-2021-27921_27922_27923.patch
|
||||
# CVE-2021-25288 and 25287 out-of-bounds read in J2kDecode in j2ku_gray_i and j2ku_graya_la
|
||||
# Upstream fixes this patch combines:
|
||||
# - Original fix for the CVEs: https://github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87
|
||||
# - Older commit the fix is based on: https://github.com/python-pillow/Pillow/commit/cf6da6b79080a8c16984102fdc85f7ce28dca613
|
||||
# Tracking bugs:
|
||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25287
|
||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25288
|
||||
Patch13: CVE-2021-25287_25288.patch
|
||||
# CVE-2021-28675 DoS in PsdImagePlugin
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/22e9bee4ef225c0edbb9323f94c26cee0c623497
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28675
|
||||
Patch14: CVE-2021-28675.patch
|
||||
# CVE-2021-28676 infinite loop in FliDecode.c can lead to DoS
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28676
|
||||
Patch15: CVE-2021-28676.patch
|
||||
# CVE-2021-28677 DoS in the open phase via a malicious EPS file
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28677
|
||||
Patch16: CVE-2021-28677.patch
|
||||
# CVE-2021-28678 improper check in BlpImagePlugin can lead to DoS
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/496245aa4365d0827390bd0b6fbd11287453b3a1
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-28678
|
||||
Patch17: CVE-2021-28678.patch
|
||||
# CVE-2021-34552: buffer overflow in Convert.c because it allow an attacker to pass
|
||||
# controlled parameters directly into a convert function
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/pull/5567
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1982378
|
||||
Patch18: CVE-2021-34552.patch
|
||||
# CVE-2022-22817: PIL.ImageMath.eval allows evaluation of arbitrary expressions
|
||||
# Upstream fixes:
|
||||
# https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11
|
||||
# https://github.com/python-pillow/Pillow/commit/f84ab3bb8a0a196a52e8a76bebed2853362629de
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2042527
|
||||
Patch19: CVE-2022-22817.patch
|
||||
# CVE-2022-22815 python-pillow: improperly initializes ImagePath.Path in path_getbbox() in path.c
|
||||
# CVE-2022-22816 python-pillow: buffer over-read during initialization of ImagePath.Path in path_getbbox() in path.c
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/5543e4e2d409cd9e409bc64cdc77be0af007a31f
|
||||
# Memory issue fix: https://github.com/python-pillow/Pillow/pull/5958
|
||||
# Tracking bugs:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2042511
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2042522
|
||||
Patch20: CVE-2022-22815_CVE-2022-22816.patch
|
||||
# CVE-2023-44271 python-pillow: uncontrolled resource consumption when textlength
|
||||
# in an ImageDraw instance operates on a long text argument
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
|
||||
Patch21: CVE-2023-44271.patch
|
||||
# CVE-2023-50447 python-pillow: pillow:Arbitrary Code Execution via the environment parameter
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/commit/02c6183d41c68a8dd080f5739f566bd82485822d
|
||||
# Patch rebased and tests converted from pytest to unittests.
|
||||
Patch22: CVE-2023-50447.patch
|
||||
# CVE-2024-28219 python-pillow: buffer overflow in _imagingcms.c
|
||||
# Upstream fix: https://github.com/python-pillow/Pillow/pull/7928
|
||||
# Patch rebased. The test requires a binary file and therefore isn't backported.
|
||||
Patch23: CVE-2024-28219.patch
|
||||
|
||||
BuildRequires: freetype-devel
|
||||
BuildRequires: gcc
|
||||
BuildRequires: ghostscript
|
||||
BuildRequires: lcms2-devel
|
||||
BuildRequires: libjpeg-devel
|
||||
BuildRequires: libtiff-devel
|
||||
BuildRequires: libwebp-devel
|
||||
BuildRequires: openjpeg2-devel
|
||||
BuildRequires: tk-devel
|
||||
BuildRequires: zlib-devel
|
||||
|
||||
BuildRequires: python3-cffi
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: python3-numpy
|
||||
BuildRequires: python3-setuptools
|
||||
%if 0%{?with_docs}
|
||||
BuildRequires: python3-sphinx
|
||||
BuildRequires: python3-sphinx_rtd_theme
|
||||
%endif # with_docs
|
||||
BuildRequires: python3-tkinter
|
||||
|
||||
# For EpsImagePlugin.py
|
||||
Requires: ghostscript
|
||||
|
||||
%global __provides_exclude_from ^%{python3_sitearch}/PIL/.*\\.so$
|
||||
|
||||
%description
|
||||
Python image processing library, fork of the Python Imaging Library (PIL)
|
||||
|
||||
This library provides extensive file format support, an efficient
|
||||
internal representation, and powerful image processing capabilities.
|
||||
|
||||
There are these subpackages: tk (tk interface),
|
||||
devel (development) and doc (documentation).
|
||||
|
||||
|
||||
%package -n python3-%{srcname}
|
||||
Summary: Python 3 image processing library
|
||||
%{?python_provide:%python_provide python3-%{srcname}}
|
||||
Provides: python3-imaging = %{version}-%{release}
|
||||
# For MicImagePlugin.py, FpxImagePlugin.py
|
||||
|
||||
%description -n python3-%{srcname}
|
||||
Python image processing library, fork of the Python Imaging Library (PIL)
|
||||
|
||||
This library provides extensive file format support, an efficient
|
||||
internal representation, and powerful image processing capabilities.
|
||||
|
||||
There are these subpackages: tk (tk interface),
|
||||
devel (development) and doc (documentation).
|
||||
|
||||
|
||||
%package -n python3-%{srcname}-devel
|
||||
Summary: Development files for %{srcname}
|
||||
Requires: python3-devel, libjpeg-devel, zlib-devel
|
||||
Requires: python3-%{srcname}%{?_isa} = %{version}-%{release}
|
||||
%{?python_provide:%python_provide python3-%{srcname}-devel}
|
||||
Provides: python3-imaging-devel = %{version}-%{release}
|
||||
|
||||
%description -n python3-%{srcname}-devel
|
||||
Development files for %{srcname}.
|
||||
|
||||
|
||||
%package -n python3-%{srcname}-doc
|
||||
Summary: Documentation for %{srcname}
|
||||
BuildArch: noarch
|
||||
Requires: python3-%{srcname} = %{version}-%{release}
|
||||
%{?python_provide:%python_provide python3-%{srcname}-doc}
|
||||
Provides: python3-imaging-doc = %{version}-%{release}
|
||||
|
||||
%description -n python3-%{srcname}-doc
|
||||
Documentation for %{srcname}.
|
||||
|
||||
|
||||
%package -n python3-%{srcname}-tk
|
||||
Summary: Tk interface for %{srcname}
|
||||
Requires: python3-tkinter
|
||||
Requires: python3-%{srcname}%{?_isa} = %{version}-%{release}
|
||||
%{?python_provide:%python_provide python3-%{srcname}-tk}
|
||||
Provides: python3-imaging-tk = %{version}-%{release}
|
||||
|
||||
%description -n python3-%{srcname}-tk
|
||||
Tk interface for %{name}.
|
||||
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -n Pillow-%{version}
|
||||
|
||||
|
||||
%build
|
||||
%py3_build
|
||||
|
||||
%if 0%{?with_docs}
|
||||
PYTHONPATH=$PWD/build/%py3_libbuilddir make -C docs html BUILDDIR=_build_py3 SPHINXBUILD=sphinx-build-%python3_version
|
||||
rm -f docs/_build_py3/html/.buildinfo
|
||||
%endif # with_docs
|
||||
|
||||
|
||||
%install
|
||||
install -d %{buildroot}/%{py3_incdir}/Imaging
|
||||
install -m 644 src/libImaging/*.h %{buildroot}/%{py3_incdir}/Imaging
|
||||
%py3_install
|
||||
|
||||
|
||||
%check
|
||||
ln -s $PWD/Images $PWD/build/%py3_libbuilddir/Images
|
||||
cp -R $PWD/Tests $PWD/build/%py3_libbuilddir/Tests
|
||||
cp -R $PWD/selftest.py $PWD/build/%py3_libbuilddir/selftest.py
|
||||
pushd build/%py3_libbuilddir
|
||||
PYTHONPATH=$PWD %{__python3} selftest.py
|
||||
popd
|
||||
|
||||
|
||||
%files -n python3-%{srcname}
|
||||
%doc README.rst CHANGES.rst
|
||||
%license docs/COPYING
|
||||
%{python3_sitearch}/*
|
||||
# These are in subpackages
|
||||
%exclude %{python3_sitearch}/PIL/_imagingtk*
|
||||
%exclude %{python3_sitearch}/PIL/ImageTk*
|
||||
%exclude %{python3_sitearch}/PIL/SpiderImagePlugin*
|
||||
%exclude %{python3_sitearch}/PIL/ImageQt*
|
||||
%exclude %{python3_sitearch}/PIL/__pycache__/ImageTk*
|
||||
%exclude %{python3_sitearch}/PIL/__pycache__/SpiderImagePlugin*
|
||||
%exclude %{python3_sitearch}/PIL/__pycache__/ImageQt*
|
||||
|
||||
%files -n python3-%{srcname}-devel
|
||||
%{py3_incdir}/Imaging/
|
||||
|
||||
%files -n python3-%{srcname}-doc
|
||||
%if 0%{?with_docs}
|
||||
%doc docs/_build_py3/html
|
||||
%endif # with_docs
|
||||
|
||||
%files -n python3-%{srcname}-tk
|
||||
%{python3_sitearch}/PIL/_imagingtk*
|
||||
%{python3_sitearch}/PIL/ImageTk*
|
||||
%{python3_sitearch}/PIL/SpiderImagePlugin*
|
||||
%{python3_sitearch}/PIL/__pycache__/ImageTk*
|
||||
%{python3_sitearch}/PIL/__pycache__/SpiderImagePlugin*
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Apr 04 2024 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-21
|
||||
- Security fix for CVE-2024-28219
|
||||
Resolves: RHEL-31071
|
||||
|
||||
* Thu Jan 25 2024 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-20
|
||||
- Security fix for CVE-2023-50447
|
||||
Resolves: RHEL-22240
|
||||
|
||||
* Fri Nov 10 2023 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-19
|
||||
- Security fix for CVE-2023-44271
|
||||
Resolves: RHEL-15460
|
||||
|
||||
* Fri Feb 11 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-18
|
||||
- Fixup for CVE-2022-22817
|
||||
- Security fixes for CVE-2022-22815, CVE-2022-22816
|
||||
Resolves: rhbz#2042511, rhbz#2042522
|
||||
|
||||
* Fri Feb 04 2022 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-17
|
||||
- Fix for CVE-2022-22817
|
||||
Resolves: rhbz#2042527
|
||||
|
||||
* Mon Aug 02 2021 Charalampos Stratakis <cstratak@redhat.com> - 5.1.1-16
|
||||
- Fix for CVE-2021-34552
|
||||
Resolves: rhbz#1982378
|
||||
|
||||
* Mon Jun 14 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-15
|
||||
- Fixes for CVE-2021-25288, CVE-2021-25287, CVE-2021-28675, CVE-2021-28676,
|
||||
CVE-2021-28677 and CVE-2021-28678
|
||||
Resolves: rhbz#1958231, rhbz#1958226, rhbz#1958240, rhbz#1958252, rhbz#1958257, rhbz#1958263
|
||||
|
||||
* Fri Apr 09 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-14
|
||||
- Fixes for CVE-2021-25290, CVE-2021-25292, CVE-2021-25293, CVE-2021-27921
|
||||
CVE-2021-27922, and CVE-2021-27923
|
||||
Resolves: rhbz#1934685 rhbz#1934699 rhbz#1934705 rhbz#1935384 rhbz#1935396 rhbz#1935401
|
||||
|
||||
* Thu Feb 18 2021 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-13
|
||||
- Fixes for CVE-2020-35653 and CVE-2020-35655
|
||||
Resolves: rhbz#1915420 rhbz#1915432
|
||||
|
||||
* Mon Jul 13 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-12
|
||||
- Fix for CVE-2020-11538
|
||||
Resolves: rhbz#1852814
|
||||
|
||||
* Wed Mar 04 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-11
|
||||
- Fix for CVE-2020-5313
|
||||
Resolves: rhbz#1789532
|
||||
|
||||
* Mon Feb 17 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-10
|
||||
- Bump and rebuild for gating to deliver CVE fixes
|
||||
Resolves: rhbz#1789535
|
||||
|
||||
* Mon Feb 17 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-9
|
||||
- Fix for CVE-2020-5311 - out-of-bounds write in expandrow
|
||||
Resolves: rhbz#1789535
|
||||
|
||||
* Fri Feb 14 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-8
|
||||
- Combined fixes for CVE-2020-5312 and CVE-2019-16865
|
||||
Resolves: rhbz#1789533
|
||||
Resolves: rhbz#1774066
|
||||
|
||||
* Tue Nov 27 2018 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-7
|
||||
- Add upstream patch to solve build-time warning
|
||||
- Move patches to dist-git
|
||||
- Resolves: rhbz#1639348
|
||||
|
||||
* Mon Oct 15 2018 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-6
|
||||
- Add patches to fix issues found by static code analysis
|
||||
- Resolves: rhbz#1602669
|
||||
|
||||
* Wed Jun 27 2018 Petr Viktorin <pviktori@redhat.com> - 5.1.1-5
|
||||
- Correct dependency on python3-tkinter
|
||||
|
||||
* Tue Jun 19 2018 Petr Viktorin <pviktori@redhat.com> - 5.1.1-4
|
||||
- Drop dependency on python3-olefile (breaking MicImagePlugin.py, FpxImagePlugin)
|
||||
|
||||
* Thu Jun 14 2018 Petr Viktorin <pviktori@redhat.com> - 5.1.1-3
|
||||
- Remove the Python 2 subpackage
|
||||
- Remove the libimagequant dependency
|
||||
The imagequant library was only used to support a non-default image
|
||||
quantization mode.
|
||||
|
||||
* Thu May 31 2018 Petr Viktorin <pviktori@redhat.com> - 5.1.1-2
|
||||
- Remove the python2 version of docs
|
||||
- Remove Qt subpackages
|
||||
- Drop dependency on python2-olefile (breaking MicImagePlugin.py, FpxImagePlugin)
|
||||
|
||||
* Wed Apr 25 2018 Sandro Mani <manisandro@gmail.com> - 5.1.1-1
|
||||
- Update to 5.1.1
|
||||
|
||||
* Thu Apr 05 2018 Sandro Mani <manisandro@gmail.com> - 5.1.0-1
|
||||
- Update to 5.1.0
|
||||
|
||||
* Wed Mar 07 2018 Sandro Mani <manisandro@gmail.com> - 5.0.0-3
|
||||
- Add missing BR: gcc
|
||||
|
||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.0.0-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Wed Jan 03 2018 Sandro Mani <manisandro@gmail.com> - 5.0.0-1
|
||||
- Update to 5.0.0
|
||||
|
||||
* Tue Oct 03 2017 Sandro Mani <manisandro@gmail.com> - 4.3.0-1
|
||||
- Update to 4.3.0
|
||||
|
||||
* Tue Sep 05 2017 Troy Dawson <tdawson@redhat.com> - 4.2.1-5
|
||||
- Cleanup spec file conditionals
|
||||
|
||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.1-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.1-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Fri Jul 07 2017 Igor Gnatenko <ignatenko@redhat.com> - 4.2.1-2
|
||||
- Rebuild due to bug in RPM (RHBZ #1468476)
|
||||
|
||||
* Thu Jul 06 2017 Sandro Mani <manisandro@gmail.com> - 4.2.1-1
|
||||
- Update to 4.2.1
|
||||
|
||||
* Sat Jul 01 2017 Sandro Mani <manisandro@gmail.com> - 4.2.0-1
|
||||
- Update to 4.2.0
|
||||
|
||||
* Fri Apr 28 2017 Sandro Mani <manisandro@gmail.com> - 4.1.1-1
|
||||
- Update to 4.1.1
|
||||
|
||||
* Wed Apr 05 2017 Sandro Mani <manisandro@gmail.com> - 4.1.0-1
|
||||
- Update to 4.1.0
|
||||
|
||||
* Wed Feb 15 2017 Sandro Mani <manisandro@gmail.com> - 4.0.0-3
|
||||
- Fix some __pycache__ files in wrong subpackage (#1422606)
|
||||
|
||||
* Wed Feb 01 2017 Sandro Mani <manisandro@gmail.com> - 4.0.0-2
|
||||
- Rebuild (libwebp)
|
||||
|
||||
* Tue Jan 03 2017 Sandro Mani <manisandro@gmail.com> - 4.0.0-1
|
||||
- Update to 4.0.0
|
||||
|
||||
* Mon Dec 12 2016 Miro Hrončok <mhroncok@redhat.com> - 3.4.2-3
|
||||
- Enable docs build
|
||||
|
||||
* Mon Dec 12 2016 Miro Hrončok <mhroncok@redhat.com> - 3.4.2-2
|
||||
- Rebuild for Python 3.6
|
||||
|
||||
* Wed Oct 19 2016 Sandro Mani <manisandro@gmail.com> - 3.4.2-1
|
||||
- Update to 3.4.2
|
||||
|
||||
* Tue Oct 04 2016 Sandro Mani <manisandro@gmail.com> - 3.4.1-1
|
||||
- Update to 3.4.1
|
||||
|
||||
* Mon Oct 03 2016 Sandro Mani <manisandro@gmail.com> - 3.4.0-1
|
||||
- Update to 3.4.0
|
||||
|
||||
* Thu Aug 18 2016 Sandro Mani <manisandro@gmail.com> - 3.3.1-1
|
||||
- Update to 3.3.1
|
||||
|
||||
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.3.0-2
|
||||
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
|
||||
|
||||
* Sat Jul 02 2016 Sandro Mani <manisandro@gmail.com> - 3.3.0-1
|
||||
- Update to 3.3.0
|
||||
- Modernize spec
|
||||
|
||||
* Fri Apr 01 2016 Sandro Mani <manisandro@gmail.com> - 3.2.0-1
|
||||
- Update to 3.2.0
|
||||
|
||||
* Wed Feb 10 2016 Sandro Mani <manisandro@gmail.com> - 3.1.1-3
|
||||
- Fix broken python3-pillow package description
|
||||
|
||||
* Sun Feb 07 2016 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 3.1.1-2
|
||||
- Fix provides
|
||||
|
||||
* Thu Feb 04 2016 Sandro Mani <manisandro@gmail.com> - 3.1.1-1
|
||||
- Update to 3.1.1
|
||||
- Fixes CVE-2016-0740, CVE-2016-0775
|
||||
|
||||
* Mon Jan 11 2016 Toshio Kuratomi <toshio@fedoraproject.org> - 3.1.0-2
|
||||
- Fix executable files in doc package bringing in python 2 for the python3 doc
|
||||
packages
|
||||
|
||||
* Mon Jan 04 2016 Sandro Mani <manisandro@gmail.com> - 3.1.0-1
|
||||
- Update to 3.1.0
|
||||
|
||||
* Tue Dec 29 2015 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 3.0.0-5
|
||||
- Build with docs
|
||||
|
||||
* Mon Dec 28 2015 Igor Gnatenko <i.gnatenko.brain@gmail.com> - 3.0.0-4
|
||||
- Rebuilt for libwebp soname bump
|
||||
|
||||
* Wed Oct 14 2015 Robert Kuska <rkuska@redhat.com> - 3.0.0-3
|
||||
- Rebuilt for Python3.5 rebuild with docs
|
||||
|
||||
* Tue Oct 13 2015 Robert Kuska <rkuska@redhat.com> - 3.0.0-2
|
||||
- Rebuilt for Python3.5 rebuild without docs
|
||||
|
||||
* Fri Oct 02 2015 Sandro Mani <manisandro@gmail.com> - 3.0.0-1
|
||||
- Update to 3.0.0
|
||||
|
||||
* Wed Jul 29 2015 Sandro Mani <manisandro@gmail.com> - 2.9.0-2
|
||||
- Fix python3-pillow-tk Requires: tkinter -> python3-tkinter (#1248085)
|
||||
|
||||
* Thu Jul 02 2015 Sandro Mani <manisandro@gmail.com> - 2.9.0-1
|
||||
- Update to 2.9.0
|
||||
|
||||
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.8.2-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
* Mon Jun 08 2015 Sandro Mani <manisandro@gmail.com> - 2.8.2-1
|
||||
- Update to 2.8.2
|
||||
|
||||
* Thu Apr 02 2015 Sandro Mani <manisandro@gmail.com> - 2.8.1-1
|
||||
- Update to 2.8.1
|
||||
|
||||
* Wed Apr 01 2015 Sandro Mani <manisandro@gmail.com> - 2.8.0-1
|
||||
- Update to 2.8.0
|
||||
|
||||
* Mon Jan 12 2015 Sandro Mani <manisandro@gmail.com> - 2.7.0-1
|
||||
- Update to 2.7.0
|
||||
- Drop sane subpackage, is in python-sane now
|
||||
- Fix python3 headers directory
|
||||
- Drop Obsoletes: python3-pillow on python3-pillow-qt
|
||||
|
||||
* Mon Oct 13 2014 Sandro Mani <manisandro@gmail.com> - 2.6.1-1
|
||||
- Update to 2.6.1
|
||||
|
||||
* Thu Oct 02 2014 Sandro Mani <manisandro@gmail.com> - 2.6.0-1
|
||||
- Update to 2.6.0
|
||||
|
||||
* Wed Aug 20 2014 Sandro Mani <manisandro@gmail.com> - 2.5.3-3
|
||||
- Rebuilding again to resolve transient build error that caused BZ#1131723
|
||||
|
||||
* Tue Aug 19 2014 Stephen Gallagher <sgallagh@redhat.com> - 2.5.3-2
|
||||
- Rebuilding to resolve transient build error that caused BZ#1131723
|
||||
|
||||
* Tue Aug 19 2014 Sandro Mani <manisandro@gmail.com> - 2.5.3-1
|
||||
- Update to 2.5.3 (Fix CVE-2014-3598, a DOS in the Jpeg2KImagePlugin)
|
||||
|
||||
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.2-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||
|
||||
* Wed Aug 13 2014 Sandro Mani <manisandro@gmail.com> - 2.5.2-1
|
||||
- Update to 2.5.2 (Fix CVE-2014-3589, a DOS in the IcnsImagePlugin)
|
||||
|
||||
* Sat Jul 26 2014 Sandro Mani <manisandro@gmail.com> - 2.5.1-2
|
||||
- Reenable jpeg2k tests on big endian arches
|
||||
|
||||
* Tue Jul 15 2014 Sandro Mani <manisandro@gmail.com> - 2.5.1-1
|
||||
- Update to 2.5.1
|
||||
|
||||
* Wed Jul 02 2014 Sandro Mani <manisandro@gmail.com> - 2.5.0-1
|
||||
- Update to 2.5.0
|
||||
|
||||
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.0-11
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||
|
||||
* Wed May 28 2014 Sandro Mani <manisandro@gmail.com> - 2.4.0-10
|
||||
- Rebuild with docs enabled
|
||||
- Update python-pillow_openjpeg-2.1.0.patch
|
||||
|
||||
* Tue May 27 2014 Sandro Mani <manisandro@gmail.com> - 2.4.0-9
|
||||
- Rebuild against openjpeg-2.1.0
|
||||
|
||||
* Fri May 23 2014 Dan Horák <dan[at]danny.cz> - 2.4.0-8
|
||||
- skip jpeg2k tests on big endian arches (#1100762)
|
||||
|
||||
* Wed May 21 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.0-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Changes/f21tcl86
|
||||
|
||||
* Tue May 13 2014 Bohuslav Kabrda <bkabrda@redhat.com> - 2.4.0-6
|
||||
- Set with_docs to 1 to build docs.
|
||||
|
||||
* Tue May 13 2014 Bohuslav Kabrda <bkabrda@redhat.com> - 2.4.0-5
|
||||
- Bootstrap building sphinx docs because of circular dependency with sphinx.
|
||||
|
||||
* Fri May 9 2014 Orion Poplawski <orion@cora.nwra.com> - 2.4.0-4
|
||||
- Rebuild for Python 3.4
|
||||
|
||||
* Tue Apr 22 2014 Sandro Mani <manisandro@gmail.com> - 2.4.0-3
|
||||
- Add patch: Have the tempfile use a suffix with a dot
|
||||
|
||||
* Thu Apr 17 2014 Sandro Mani <manisandro@gmail.com> - 2.4.0-2
|
||||
- Enable Jpeg2000 support
|
||||
- Enable webp support also on s390* archs, bug #962091 is now fixed
|
||||
- Add upstream patch for ghostscript detection
|
||||
|
||||
* Wed Apr 02 2014 Sandro Mani <manisandro@gmail.com> - 2.4.0-1
|
||||
- Update to 2.4.0
|
||||
|
||||
* Wed Mar 19 2014 Sandro Mani <manisandro@gmail.com> - 2.3.1-1
|
||||
- Update to 2.3.1 (Fix insecure use of tempfile.mktemp (CVE-2014-1932 CVE-2014-1933))
|
||||
|
||||
* Thu Mar 13 2014 Jakub Dorňák <jdornak@redhat.com> - 2.3.0-5
|
||||
- python-pillow does not provide python3-imaging
|
||||
(python3-pillow does)
|
||||
|
||||
* Tue Jan 07 2014 Sandro Mani <manisandro@gmail.com> - 2.3.0-4
|
||||
- Add missing ghostscript Requires and BuildRequires
|
||||
|
||||
* Mon Jan 06 2014 Sandro Mani <manisandro@gmail.com> - 2.3.0-3
|
||||
- Remove python-pillow_help-theme.patch, add python-sphinx-theme-better BR
|
||||
|
||||
* Sun Jan 05 2014 Sandro Mani <manisandro@gmail.com> - 2.3.0-2
|
||||
- Rebuild with docs enabled
|
||||
- Change lcms BR to lcms2
|
||||
|
||||
* Thu Jan 02 2014 Sandro Mani <manisandro@gmail.com> - 2.3.0-1
|
||||
- Update to 2.3.0
|
||||
- Build with doc disabled to break circular python-pillow -> python-sphinx -> python pillow dependency
|
||||
|
||||
* Wed Oct 23 2013 Sandro Mani <manisandro@gmail.com> - 2.2.1-2
|
||||
- Backport fix for decoding tiffs with correct byteorder, fixes rhbz#1019656
|
||||
|
||||
* Wed Oct 02 2013 Sandro Mani <manisandro@gmail.com> - 2.2.1-1
|
||||
- Update to 2.2.1
|
||||
- Really enable webp on ppc, but leave disabled on s390
|
||||
|
||||
* Thu Aug 29 2013 Sandro Mani <manisandro@gmail.com> - 2.1.0-4
|
||||
- Add patch to fix incorrect PyArg_ParseTuple tuple signature, fixes rhbz#962091 and rhbz#988767.
|
||||
- Renable webp support on bigendian arches
|
||||
|
||||
* Wed Aug 28 2013 Sandro Mani <manisandro@gmail.com> - 2.1.0-3
|
||||
- Add patch to fix memory corruption caused by invalid palette size, see rhbz#1001122
|
||||
|
||||
* Tue Jul 30 2013 Karsten Hopp <karsten@redhat.com> 2.1.0-2
|
||||
- Build without webp support on ppc* archs (#988767)
|
||||
|
||||
* Wed Jul 03 2013 Sandro Mani <manisandro@gmail.com> - 2.1.0-1
|
||||
- Update to 2.1.0
|
||||
- Run tests in builddir, not installroot
|
||||
- Build python3-pillow docs with python3
|
||||
- python-pillow_endian.patch upstreamed
|
||||
|
||||
* Mon May 13 2013 Roman Rakus <rrakus@redhat.com> - 2.0.0-10
|
||||
- Build without webp support on s390* archs
|
||||
Resolves: rhbz#962059
|
||||
|
||||
* Sat May 11 2013 Roman Rakus <rrakus@redhat.com> - 2.0.0-9.gitd1c6db8
|
||||
- Conditionaly disable build of python3 parts on RHEL system
|
||||
|
||||
* Wed May 08 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-8.gitd1c6db8
|
||||
- Add patch to fix test failure on big-endian
|
||||
|
||||
* Thu Apr 25 2013 Toshio Kuratomi <toshio@fedoraproject.org> - 2.0.0-7.gitd1c6db8
|
||||
- Remove Obsoletes in the python-pillow-qt subpackage. Obsoletes isn't
|
||||
appropriate since qt support didn't exist in the previous python-pillow
|
||||
package so there's no reason to drag in python-pillow-qt when updating
|
||||
python-pillow.
|
||||
|
||||
* Fri Apr 19 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-6.gitd1c6db8
|
||||
- Update to latest git
|
||||
- python-pillow_quantization.patch now upstream
|
||||
- python-pillow_endianness.patch now upstream
|
||||
- Add subpackage for ImageQt module, with correct dependencies
|
||||
- Add PyQt4 and numpy BR (for generating docs / running tests)
|
||||
|
||||
* Mon Apr 08 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-5.git93a488e
|
||||
- Reenable tests on bigendian, add patches for #928927
|
||||
|
||||
* Sun Apr 07 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-4.git93a488e
|
||||
- Update to latest git
|
||||
- disable tests on bigendian (PPC*, S390*) until rhbz#928927 is fixed
|
||||
|
||||
* Fri Mar 22 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-3.gitde210a2
|
||||
- python-pillow_tempfile.patch now upstream
|
||||
- Add python3-imaging provides (bug #924867)
|
||||
|
||||
* Fri Mar 22 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-2.git2e88848
|
||||
- Update to latest git
|
||||
- Remove python-pillow-disable-test.patch, gcc is now fixed
|
||||
- Add python-pillow_tempfile.patch to prevent a temporary file from getting packaged
|
||||
|
||||
* Tue Mar 19 2013 Sandro Mani <manisandro@gmail.com> - 2.0.0-1.git2f4207c
|
||||
- Update to 2.0.0 git snapshot
|
||||
- Enable python3 packages
|
||||
- Add libwebp-devel BR for Pillow 2.0.0
|
||||
|
||||
* Wed Mar 13 2013 Peter Robinson <pbrobinson@fedoraproject.org> 1.7.8-6.20130305git
|
||||
- Add ARM support
|
||||
|
||||
* Tue Mar 12 2013 Karsten Hopp <karsten@redhat.com> 1.7.8-5.20130305git
|
||||
- add s390* and ppc* to arch detection
|
||||
|
||||
* Tue Mar 05 2013 Sandro Mani <manisandro@gmail.com> - 1.7.8-4.20130305git7866759
|
||||
- Update to latest git snapshot
|
||||
- 0001-Cast-hash-table-values-to-unsigned-long.patch now upstream
|
||||
- Pillow-1.7.8-selftest.patch now upstream
|
||||
|
||||
* Mon Feb 25 2013 Sandro Mani <manisandro@gmail.com> - 1.7.8-3.20130210gite09ff61
|
||||
- Really remove -fno-strict-aliasing
|
||||
- Place comment on how to retreive source just above the Source0 line
|
||||
|
||||
* Mon Feb 18 2013 Sandro Mani <manisandro@gmail.com> - 1.7.8-2.20130210gite09ff61
|
||||
- Rebuild without -fno-strict-aliasing
|
||||
- Add patch for upstream issue #52
|
||||
|
||||
* Sun Feb 10 2013 Sandro Mani <manisandro@gmail.com> - 1.7.8-1.20130210gite09ff61
|
||||
- Initial RPM package
|
1
dead.package
Normal file
1
dead.package
Normal file
@ -0,0 +1 @@
|
||||
python-pillow package is retired on c9s for CS-569
|
Loading…
Reference in New Issue
Block a user