packages/python-pillow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!30 fix CVE-2020-35655

Browse Source 
From: @jinzhimin369
Reviewed-by: @small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-02-24 20:03:33 +08:00 committed by Gitee
commit 2f20ae76ae
2 changed files with 107 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
backport-CVE-2020-35655.patch Normal file
View File

@ -0,0 +1,102 @@
diff -rupN --no-dereference Pillow-7.2.0/src/libImaging/SgiRleDecode.c Pillow-7.2.0-new/src/libImaging/SgiRleDecode.c
--- Pillow-7.2.0/src/libImaging/SgiRleDecode.c 2020-06-30 09:50:35.000000000 +0200
+++ Pillow-7.2.0-new/src/libImaging/SgiRleDecode.c 2021-01-15 19:51:18.176808192 +0100
@@ -112,14 +112,33 @@ ImagingSgiRleDecode(Imaging im, ImagingC
int err = 0;
int status;
+ /* size check */
+ if (im->xsize > INT_MAX / im->bands ||
+ im->ysize > INT_MAX / im->bands) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+ return -1;
+ }
+
/* Get all data from File descriptor */
c = (SGISTATE*)state->context;
_imaging_seek_pyFd(state->fd, 0L, SEEK_END);
c->bufsize = _imaging_tell_pyFd(state->fd);
c->bufsize -= SGI_HEADER_SIZE;
+
+ c->tablen = im->bands * im->ysize;
+ /* below, we populate the starttab and lentab into the bufsize,
+ each with 4 bytes per element of tablen
+ Check here before we allocate any memory
+ */
+ if (c->bufsize < 8*c->tablen) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
+
ptr = malloc(sizeof(UINT8) * c->bufsize);
if (!ptr) {
- return IMAGING_CODEC_MEMORY;
+ state->errcode = IMAGING_CODEC_MEMORY;
+ return -1;
}
_imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
_imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
@@ -134,18 +153,11 @@ ImagingSgiRleDecode(Imaging im, ImagingC
state->ystep = 1;
}
- if (im->xsize > INT_MAX / im->bands ||
- im->ysize > INT_MAX / im->bands) {
- err = IMAGING_CODEC_MEMORY;
- goto sgi_finish_decode;
- }
-
/* Allocate memory for RLE tables and rows */
free(state->buffer);
state->buffer = NULL;
/* malloc overflow check above */
state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
- c->tablen = im->bands * im->ysize;
c->starttab = calloc(c->tablen, sizeof(UINT32));
c->lengthtab = calloc(c->tablen, sizeof(UINT32));
if (!state->buffer ||
@@ -176,7 +188,7 @@ ImagingSgiRleDecode(Imaging im, ImagingC
if (c->rleoffset + c->rlelength > c->bufsize) {
state->errcode = IMAGING_CODEC_OVERRUN;
- return -1;
+ goto sgi_finish_decode;
}
/* row decompression */
@@ -188,7 +200,7 @@ ImagingSgiRleDecode(Imaging im, ImagingC
}
if (status == -1) {
state->errcode = IMAGING_CODEC_OVERRUN;
- return -1;
+ goto sgi_finish_decode;
} else if (status == 1) {
goto sgi_finish_decode;
}
@@ -209,7 +221,8 @@ sgi_finish_decode: ;
free(c->lengthtab);
free(ptr);
if (err != 0){
- return err;
+ state->errcode=err;
+ return -1;
}
return state->count - c->bufsize;
}
diff -rupN --no-dereference Pillow-7.2.0/Tests/test_sgi_crash.py Pillow-7.2.0-new/Tests/test_sgi_crash.py
--- Pillow-7.2.0/Tests/test_sgi_crash.py 2020-06-30 09:50:35.000000000 +0200
+++ Pillow-7.2.0-new/Tests/test_sgi_crash.py 2021-01-15 19:51:18.176808192 +0100
@@ -5,7 +5,12 @@ from PIL import Image
@pytest.mark.parametrize(
"test_file",
- ["Tests/images/sgi_overrun_expandrowF04.bin", "Tests/images/sgi_crash.bin"],
+ [
+ "Tests/images/sgi_overrun_expandrowF04.bin",
+ "Tests/images/sgi_crash.bin",
+ "Tests/images/crash-6b7f2244da6d0ae297ee0754a424213444e92778.sgi",
+ "Tests/images/ossfuzz-5730089102868480.sgi",
+ ],
)
def test_crashes(test_file):
with open(test_file, "rb") as f:

6
python-pillow.spec
View File

@ -3,13 +3,14 @@
Name: python-pillow Name: python-pillow
Version: 7.2.0 Version: 7.2.0
Release: 2 Release: 3
Summary: Python image processing library Summary: Python image processing library
License: MIT License: MIT
URL: http://python-pillow.github.io/ URL: http://python-pillow.github.io/
Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
Patch0000: backport-CVE-2020-35653.patch Patch0000: backport-CVE-2020-35653.patch
Patch6000: backport-CVE-2020-35655.patch
BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel
BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel
@ -95,6 +96,9 @@ popd
%doc docs/_build_py3/html %doc docs/_build_py3/html
%changelog %changelog
* Tue Feb 23 2021 jinzhimin <jinzhimin2@huawei.com> - 7.2.0-3
- fix CVE-2020-35655
* Thu Jan 28 2021 renmingshuai <renmingshuai@huawei.com> - 7.2.0-2 * Thu Jan 28 2021 renmingshuai <renmingshuai@huawei.com> - 7.2.0-2
- fix CVE-2020-35653 - fix CVE-2020-35653