!3 fix CVE-2019-16865

Merge pull request !3 from hy/work

0000-CVE-2019-16865-1.patch

@@ -0,0 +1,62 @@
+From 5d4b5d152f3408352d600ba97980061ea054e8e9 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Sun, 29 Sep 2019 14:16:30 +1000
+Subject: [PATCH] Corrected negative seeks
+
+Signed-off-by: hanxinke <hanxinke@huawei.com>
+---
+ src/PIL/PsdImagePlugin.py  |  6 ++++--
+ src/libImaging/RawDecode.c | 11 +++++++++--
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py
+index 2d64ecd..e82dda2 100644
+--- a/src/PIL/PsdImagePlugin.py
++++ b/src/PIL/PsdImagePlugin.py
+@@ -209,9 +209,11 @@ def _layerinfo(file):
+         # skip over blend flags and extra information
+         filler = read(12)
+         name = ""
+-        size = i32(read(4))
++        size = i32(read(4))  # length of the extra data field
+         combined = 0
+         if size:
++            data_end = file.tell() + size
++
+             length = i32(read(4))
+             if length:
+                 mask_y = i32(read(4))
+@@ -233,7 +235,7 @@ def _layerinfo(file):
+                 name = read(length).decode('latin-1', 'replace')
+             combined += length + 1
+ 
+-        file.seek(size - combined, 1)
++            file.seek(data_end)
+         layers.append((name, mode, (x0, y0, x1, y1)))
+ 
+     # get tiles
+diff --git a/src/libImaging/RawDecode.c b/src/libImaging/RawDecode.c
+index 40c0cb7..d4b7994 100644
+--- a/src/libImaging/RawDecode.c
++++ b/src/libImaging/RawDecode.c
+@@ -33,8 +33,15 @@ ImagingRawDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 
+ 	/* get size of image data and padding */
+ 	state->bytes = (state->xsize * state->bits + 7) / 8;
+-	rawstate->skip = (rawstate->stride) ?
+-	    rawstate->stride - state->bytes : 0;
++	if (rawstate->stride) {
++	    rawstate->skip = rawstate->stride - state->bytes;
++	    if (rawstate->skip < 0) {
++	        state->errcode = IMAGING_CODEC_CONFIG;
++	        return -1;
++	    }
++	} else {
++	    rawstate->skip = 0;
++	}
+ 
+ 	/* check image orientation */
+ 	if (state->ystep < 0) {
+-- 
+2.19.1
+

0001-CVE-2019-16865-2.patch

@@ -0,0 +1,38 @@
+From 88d9a3994bc244f14d0f594755ac896a235017c5 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Sun, 29 Sep 2019 14:14:38 +1000
+Subject: [PATCH] Added decompression bomb checks
+
+Signed-off-by: hanxinke <hanxinke@huawei.com>
+---
+ src/PIL/GifImagePlugin.py | 1 +
+ src/PIL/IcoImagePlugin.py | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py
+index 107c015..70eebf9 100644
+--- a/src/PIL/GifImagePlugin.py
++++ b/src/PIL/GifImagePlugin.py
+@@ -252,6 +252,7 @@ class GifImageFile(ImageFile.ImageFile):
+                 self.dispose = None
+             elif self.disposal_method == 2:
+                 # replace with background colour
++                Image._decompression_bomb_check(self.size)
+                 self.dispose = Image.core.fill("P", self.size,
+                                                self.info["background"])
+             else:
+diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
+index 589ef3c..926838d 100644
+--- a/src/PIL/IcoImagePlugin.py
++++ b/src/PIL/IcoImagePlugin.py
+@@ -167,6 +167,7 @@ class IcoFile(object):
+         else:
+             # XOR + AND mask bmp frame
+             im = BmpImagePlugin.DibImageFile(self.buf)
++            Image._decompression_bomb_check(im.size)
+ 
+             # change tile dimension to only encompass XOR image
+             im._size = (im.size[0], int(im.size[1] / 2))
+-- 
+2.19.1
+

0002-CVE-2019-16865-3.patch

@@ -0,0 +1,28 @@
+From ab569e61066e1ef4490db730ca13180afe18e461 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Sun, 29 Sep 2019 14:15:48 +1000
+Subject: [PATCH] Raise error if dimension is a string
+
+Signed-off-by: hanxinke <hanxinke@huawei.com>
+---
+ src/PIL/TiffImagePlugin.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
+index 5059a13..05f58e5 100644
+--- a/src/PIL/TiffImagePlugin.py
++++ b/src/PIL/TiffImagePlugin.py
+@@ -1185,8 +1185,8 @@ class TiffImageFile(ImageFile.ImageFile):
+             print("- YCbCr subsampling:", self.tag.get(530))
+ 
+         # size
+-        xsize = self.tag_v2.get(IMAGEWIDTH)
+-        ysize = self.tag_v2.get(IMAGELENGTH)
++        xsize = int(self.tag_v2.get(IMAGEWIDTH))
++        ysize = int(self.tag_v2.get(IMAGELENGTH))
+         self._size = xsize, ysize
+ 
+         if DEBUG:
+-- 
+2.19.1
+

0003-CVE-2019-16865-4.patch

@@ -0,0 +1,89 @@
+From 1f90f191cef5f4d18cb229e3717d0b2010e9b434 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Mon, 30 Sep 2019 18:45:43 +1000
+Subject: [PATCH] Catch buffer overruns
+
+Signed-off-by: hanxinke <hanxinke@huawei.com>
+---
+ src/libImaging/FliDecode.c    | 14 +++++++++++---
+ src/libImaging/PcxDecode.c    |  5 +++++
+ src/libImaging/SgiRleDecode.c |  5 +++++
+ 3 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
+index 6d22c6c..600528e 100644
+--- a/src/libImaging/FliDecode.c
++++ b/src/libImaging/FliDecode.c
+@@ -30,7 +30,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ {
+     UINT8* ptr;
+     int framesize;
+-    int c, chunks;
++    int c, chunks, advance;
+     int l, lines;
+     int i, j, x = 0, y, ymax;
+ 
+@@ -59,10 +59,16 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 
+     chunks = I16(ptr+6);
+     ptr += 16;
++    bytes -= 16;
+ 
+     /* Process subchunks */
+     for (c = 0; c < chunks; c++) {
+-	UINT8 *data = ptr + 6;
++	UINT8* data;
++	if (bytes < 10) {
++	    state->errcode = IMAGING_CODEC_OVERRUN;
++	    return -1;
++	}
++	data = ptr + 6;
+ 	switch (I16(ptr+4)) {
+ 	case 4: case 11:
+ 	    /* FLI COLOR chunk */
+@@ -198,7 +204,9 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 	    state->errcode = IMAGING_CODEC_UNKNOWN;
+ 	    return -1;
+ 	}
+-	ptr += I32(ptr);
++	advance = I32(ptr);
++	ptr += advance;
++	bytes -= advance;
+     }
+ 
+     return -1; /* end of frame */
+diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
+index e5417f1..51de069 100644
+--- a/src/libImaging/PcxDecode.c
++++ b/src/libImaging/PcxDecode.c
+@@ -22,6 +22,11 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+     UINT8 n;
+     UINT8* ptr;
+ 
++    if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
++        state->errcode = IMAGING_CODEC_OVERRUN;
++        return -1;
++    }
++
+     ptr = buf;
+ 
+     for (;;) {
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index 9d8e563..39e7b3a 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -156,6 +156,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+             c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize];
+             c->rleoffset -= SGI_HEADER_SIZE;
+ 
++            if (c->rleoffset + c->rlelength > c->bufsize) {
++                state->errcode = IMAGING_CODEC_OVERRUN;
++                return -1;
++            }
++
+             /* row decompression */
+             if (c->bpc ==1) {
+                 if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
+-- 
+2.19.1
+

python-pillow.spec

@@ -5,11 +5,17 @@
 
 Name:               python-pillow
 Version:            5.3.0
-Release:            3
+Release:            4
 Summary:            Python image processing library
 License:            MIT
 URL:                http://python-pillow.github.io/
 Source0:            https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
+
+Patch0000:          0000-CVE-2019-16865-1.patch
+Patch0001:          0001-CVE-2019-16865-2.patch
+Patch0002:          0002-CVE-2019-16865-3.patch
+Patch0003:          0003-CVE-2019-16865-4.patch
+
 BuildRequires:      freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel
 BuildRequires:      libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel
 BuildRequires:      python2-cffi python2-devel python2-numpy python2-olefile python2-setuptools
@@ -31,7 +37,7 @@ Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is sup
 Summary:            Python 2 image processing library
 %{?python_provide:%python_provide python2-pillow}
 Provides:           python-imaging = %{version}-%{release} python2-imaging = %{version}-%{release}
-Provides:	    python2-pillow-tk = %{version}-%{release} python2-pillow-qt = %{version}-%{release}
+Provides:           python2-pillow-tk = %{version}-%{release} python2-pillow-qt = %{version}-%{release}
 Provides:           python-imaging-tk = %{version}-%{release} python2-imaging-tk = %{version}-%{release}
 Provides:           python-imaging-qt = %{version}-%{release} python2-imaging-qt = %{version}-%{release}
 Requires:           python2-olefile python2-tkinter python2-PyQt4
@@ -162,5 +168,7 @@ popd
 %doc docs/_build_py3/html
 
 %changelog
-* Thu Dec 12 2019 Senlin Xia <xiasenlin1@huawei.com> - 5.3.0-2
+* Wed Mar 11 2020 hy <hu.huyan@huawei.com> - 5.3.0-4
+- fix CVE-2019-16865
+* Thu Dec 12 2019 Senlin Xia <xiasenlin1@huawei.com> - 5.3.0-3
 - Package init