!118 [sync] PR-115: fix:CVE-2022-45199

From: @openeuler-sync-bot Reviewed-by: @myeuler Signed-off-by: @myeuler
2022-11-22 14:28:11 +00:00 · 2022-11-22 14:28:11 +00:00 · 58d504085b
commit 58d504085b
parent 209b2b6ca3 8ec3d992f5
3 changed files with 89 additions and 1 deletions
--- a/CVE-2022-45199.patch
+++ b/CVE-2022-45199.patch
@ -0,0 +1,79 @@
+From 9ae8f6b7aa8ea4638cb675267cd20c5425dcfafc Mon Sep 17 00:00:00 2001
+From: qz_cx <wangqingzheng@kylinos.cn>
+Date: Thu, 17 Nov 2022 10:28:59 +0800
+Subject: [PATCH] Merge pull request #6700 from
+ hugovk/security-samples_per_pixel-sec
+
+hugovk committed
+Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
+A large value in the SAMPLESPERPIXEL tag could lead to a memory and
+runtime DOS in TiffImagePlugin.py when setting up the context for
+image decoding.
+---
+ Tests/test_file_tiff.py    | 14 +++++++++++++-
+ src/PIL/TiffImagePlugin.py | 10 ++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/Tests/test_file_tiff.py b/Tests/test_file_tiff.py
+index 5801e17..57fabfa 100644
+--- a/Tests/test_file_tiff.py
+++ b/Tests/test_file_tiff.py
+@@ -3,7 +3,7 @@ from io import BytesIO
+ 
+ import pytest
+ 
+-from PIL import Image, ImageFile, TiffImagePlugin
+from PIL import Image, ImageFile, TiffImagePlugin, UnidentifiedImageError
+ from PIL.TiffImagePlugin import RESOLUTION_UNIT, X_RESOLUTION, Y_RESOLUTION
+ 
+ from .helper import (
+@@ -734,6 +734,18 @@ class TestFileTiff:
+             im.load()
+             ImageFile.LOAD_TRUNCATED_IMAGES = False
+ 
+    @pytest.mark.parametrize(
+        "test_file",
+        [
+            "Tests/images/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif",
+        ],
+    )
+    @pytest.mark.timeout(2)
+    def test_oom(self, test_file):
+        with pytest.raises(UnidentifiedImageError):
+            with pytest.warns(UserWarning):
+                with Image.open(test_file):
+                    pass
+ 
+ @pytest.mark.skipif(not is_win32(), reason="Windows only")
+ class TestFileTiffW32:
+diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
+index 5df5c4f..f2afe63 100644
+--- a/src/PIL/TiffImagePlugin.py
+++ b/src/PIL/TiffImagePlugin.py
+@@ -252,6 +252,8 @@ OPEN_INFO = {
+     (MM, 8, (1,), 1, (8, 8, 8), ()): ("LAB", "LAB"),
+ }
+ 
+MAX_SAMPLESPERPIXEL = max(len(key_tp[4]) for key_tp in OPEN_INFO.keys())
+
+ PREFIXES = [
+     b"MM\x00\x2A",  # Valid TIFF header with big-endian byte order
+     b"II\x2A\x00",  # Valid TIFF header with little-endian byte order
+@@ -1310,6 +1312,14 @@ class TiffImageFile(ImageFile.ImageFile):
+             SAMPLESPERPIXEL,
+             3 if self._compression == "tiff_jpeg" and photo in (2, 6) else 1,
+         )
+
+        if samplesPerPixel > MAX_SAMPLESPERPIXEL:
+            # DOS check, samplesPerPixel can be a Long, and we extend the tuple below
+            logger.error(
+                "More samples per pixel than can be decoded: %s", samplesPerPixel
+            )
+            raise SyntaxError("Invalid value for samples per pixel")
+
+         if len(bps_tuple) != samplesPerPixel:
+             raise SyntaxError("unknown data organization")
+ 
+-- 
+2.33.0
+
--- a/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
+++ b/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
--- a/python-pillow.spec
+++ b/python-pillow.spec
@ -5,16 +5,18 @@
 
 Name:           python-pillow
 Version:        9.0.1
-Release:        2
+Release:        3
 Summary:        Python image processing library 
 License:        MIT
 URL:            http://python-pillow.github.io/
 Source0:        https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
+Source1:        oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif

 Patch0:         python-pillow_spinxwarn.patch
 Patch1:         python-pillow_sphinx-issues.patch

 Patch6000:      backport-Corrected-memory-allocation.patch
+Patch6001:      CVE-2022-45199.patch

 BuildRequires:  freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel
 BuildRequires:  libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
@ -94,6 +96,7 @@ Provides:       python3-imaging-qt = %{version}-%{release}
 Qt pillow image wrapper.
 %prep
 %autosetup -p1 -n Pillow-%{version} 
+cp %{SOURCE1} Tests/images/
 
 %build

@ -152,6 +155,12 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
 %{python3_sitearch}/PIL/__pycache__/ImageQt*

 %changelog
+* Thu Nov 17 2022 qz_cx <wangqingzheng@kylinos.cn> - 9.0.1-3
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC: fix CVE-2022-45199
+
 * Wed Apr 20 2022 dongyuzhen <dongyuzhen@h-partners.com> - 9.0.1-2
 - correct memory allocation in alloc_array (this is the rear patch of CVE-2022-22815,CVE-2022-22816)