!30 fix CVE-2020-35655

From: @jinzhimin369 Reviewed-by: @small_leek Signed-off-by: @small_leek
2021-02-24 20:03:33 +08:00 · 2021-02-24 20:03:33 +08:00 · 2f20ae76ae
commit 2f20ae76ae
parent e0009f8f47 5f4213a4b5
2 changed files with 107 additions and 1 deletions
--- a/backport-CVE-2020-35655.patch
+++ b/backport-CVE-2020-35655.patch
@ -0,0 +1,102 @@
+diff -rupN --no-dereference Pillow-7.2.0/src/libImaging/SgiRleDecode.c Pillow-7.2.0-new/src/libImaging/SgiRleDecode.c
+--- Pillow-7.2.0/src/libImaging/SgiRleDecode.c	2020-06-30 09:50:35.000000000 +0200
+++ Pillow-7.2.0-new/src/libImaging/SgiRleDecode.c	2021-01-15 19:51:18.176808192 +0100
+@@ -112,14 +112,33 @@ ImagingSgiRleDecode(Imaging im, ImagingC
+     int err = 0;
+     int status;
+ 
+    /* size check */
+    if (im->xsize > INT_MAX / im->bands ||
+        im->ysize > INT_MAX / im->bands) {
+        state->errcode = IMAGING_CODEC_MEMORY;
+        return -1;
+    }
+
+     /* Get all data from File descriptor */
+     c = (SGISTATE*)state->context;
+     _imaging_seek_pyFd(state->fd, 0L, SEEK_END);
+     c->bufsize = _imaging_tell_pyFd(state->fd);
+     c->bufsize -= SGI_HEADER_SIZE;
+
+    c->tablen = im->bands * im->ysize;
+    /* below, we populate the starttab and lentab into the bufsize,
+       each with 4 bytes per element of tablen
+       Check here before we allocate any memory
+    */
+    if (c->bufsize < 8*c->tablen) {
+        state->errcode = IMAGING_CODEC_OVERRUN;
+        return -1;
+    }
+
+     ptr = malloc(sizeof(UINT8) * c->bufsize);
+     if (!ptr) {
+-        return IMAGING_CODEC_MEMORY;
+        state->errcode = IMAGING_CODEC_MEMORY;
+        return -1;
+     }
+     _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
+     _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
+@@ -134,18 +153,11 @@ ImagingSgiRleDecode(Imaging im, ImagingC
+         state->ystep = 1;
+     }
+ 
+-    if (im->xsize > INT_MAX / im->bands ||
+-        im->ysize > INT_MAX / im->bands) {
+-        err = IMAGING_CODEC_MEMORY;
+-        goto sgi_finish_decode;
+-    }
+-
+     /* Allocate memory for RLE tables and rows */
+     free(state->buffer);
+     state->buffer = NULL;
+     /* malloc overflow check above */
+     state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
+-    c->tablen = im->bands * im->ysize;
+     c->starttab = calloc(c->tablen, sizeof(UINT32));
+     c->lengthtab = calloc(c->tablen, sizeof(UINT32));
+     if (!state->buffer ||
+@@ -176,7 +188,7 @@ ImagingSgiRleDecode(Imaging im, ImagingC
+ 
+             if (c->rleoffset + c->rlelength > c->bufsize) {
+                 state->errcode = IMAGING_CODEC_OVERRUN;
+-                return -1;
+                goto sgi_finish_decode;
+             }
+ 
+             /* row decompression */
+@@ -188,7 +200,7 @@ ImagingSgiRleDecode(Imaging im, ImagingC
+             }
+             if (status == -1) {
+                 state->errcode = IMAGING_CODEC_OVERRUN;
+-                return -1;
+                goto sgi_finish_decode;
+             } else if (status == 1) {
+                 goto sgi_finish_decode;
+             }
+@@ -209,7 +221,8 @@ sgi_finish_decode: ;
+     free(c->lengthtab);
+     free(ptr);
+     if (err != 0){
+-        return err;
+        state->errcode=err;
+        return -1;
+     }
+     return state->count - c->bufsize;
+ }
+diff -rupN --no-dereference Pillow-7.2.0/Tests/test_sgi_crash.py Pillow-7.2.0-new/Tests/test_sgi_crash.py
+--- Pillow-7.2.0/Tests/test_sgi_crash.py	2020-06-30 09:50:35.000000000 +0200
+++ Pillow-7.2.0-new/Tests/test_sgi_crash.py	2021-01-15 19:51:18.176808192 +0100
+@@ -5,7 +5,12 @@ from PIL import Image
+ 
+ @pytest.mark.parametrize(
+     "test_file",
+-    ["Tests/images/sgi_overrun_expandrowF04.bin", "Tests/images/sgi_crash.bin"],
+    [
+        "Tests/images/sgi_overrun_expandrowF04.bin",
+        "Tests/images/sgi_crash.bin",
+        "Tests/images/crash-6b7f2244da6d0ae297ee0754a424213444e92778.sgi",
+        "Tests/images/ossfuzz-5730089102868480.sgi",
+    ],
+ )
+ def test_crashes(test_file):
+     with open(test_file, "rb") as f:
--- a/python-pillow.spec
+++ b/python-pillow.spec
@ -3,13 +3,14 @@

 Name:               python-pillow
 Version:            7.2.0
-Release:            2
+Release:            3
 Summary:            Python image processing library
 License:            MIT
 URL:                http://python-pillow.github.io/
 Source0:            https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz

 Patch0000:          backport-CVE-2020-35653.patch
+Patch6000:          backport-CVE-2020-35655.patch

 BuildRequires:      freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel
 BuildRequires:      libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel
@ -95,6 +96,9 @@ popd
 %doc docs/_build_py3/html

 %changelog
+* Tue Feb 23 2021 jinzhimin <jinzhimin2@huawei.com> - 7.2.0-3
+- fix CVE-2020-35655
+
 * Thu Jan 28 2021 renmingshuai <renmingshuai@huawei.com> - 7.2.0-2
 - fix CVE-2020-35653