fix:CVE-2022-45199
(cherry picked from commit 079e6a29ad5759ecb26c2fe282595ec143730c9f)
This commit is contained in:
qz_cx
openeuler-sync-bot
parent
209b2b6ca3
commit
8ec3d992f5
79
CVE-2022-45199.patch
Normal file
79
CVE-2022-45199.patch
Normal file
@ -0,0 +1,79 @@
|
||||
From 9ae8f6b7aa8ea4638cb675267cd20c5425dcfafc Mon Sep 17 00:00:00 2001
|
||||
From: qz_cx <wangqingzheng@kylinos.cn>
|
||||
Date: Thu, 17 Nov 2022 10:28:59 +0800
|
||||
Subject: [PATCH] Merge pull request #6700 from
|
||||
hugovk/security-samples_per_pixel-sec
|
||||
|
||||
hugovk committed
|
||||
Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
|
||||
A large value in the SAMPLESPERPIXEL tag could lead to a memory and
|
||||
runtime DOS in TiffImagePlugin.py when setting up the context for
|
||||
image decoding.
|
||||
---
|
||||
Tests/test_file_tiff.py | 14 +++++++++++++-
|
||||
src/PIL/TiffImagePlugin.py | 10 ++++++++++
|
||||
2 files changed, 23 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Tests/test_file_tiff.py b/Tests/test_file_tiff.py
|
||||
index 5801e17..57fabfa 100644
|
||||
--- a/Tests/test_file_tiff.py
|
||||
+++ b/Tests/test_file_tiff.py
|
||||
@@ -3,7 +3,7 @@ from io import BytesIO
|
||||
|
||||
import pytest
|
||||
|
||||
-from PIL import Image, ImageFile, TiffImagePlugin
|
||||
+from PIL import Image, ImageFile, TiffImagePlugin, UnidentifiedImageError
|
||||
from PIL.TiffImagePlugin import RESOLUTION_UNIT, X_RESOLUTION, Y_RESOLUTION
|
||||
|
||||
from .helper import (
|
||||
@@ -734,6 +734,18 @@ class TestFileTiff:
|
||||
im.load()
|
||||
ImageFile.LOAD_TRUNCATED_IMAGES = False
|
||||
|
||||
+ @pytest.mark.parametrize(
|
||||
+ "test_file",
|
||||
+ [
|
||||
+ "Tests/images/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif",
|
||||
+ ],
|
||||
+ )
|
||||
+ @pytest.mark.timeout(2)
|
||||
+ def test_oom(self, test_file):
|
||||
+ with pytest.raises(UnidentifiedImageError):
|
||||
+ with pytest.warns(UserWarning):
|
||||
+ with Image.open(test_file):
|
||||
+ pass
|
||||
|
||||
@pytest.mark.skipif(not is_win32(), reason="Windows only")
|
||||
class TestFileTiffW32:
|
||||
diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
|
||||
index 5df5c4f..f2afe63 100644
|
||||
--- a/src/PIL/TiffImagePlugin.py
|
||||
+++ b/src/PIL/TiffImagePlugin.py
|
||||
@@ -252,6 +252,8 @@ OPEN_INFO = {
|
||||
(MM, 8, (1,), 1, (8, 8, 8), ()): ("LAB", "LAB"),
|
||||
}
|
||||
|
||||
+MAX_SAMPLESPERPIXEL = max(len(key_tp[4]) for key_tp in OPEN_INFO.keys())
|
||||
+
|
||||
PREFIXES = [
|
||||
b"MM\x00\x2A", # Valid TIFF header with big-endian byte order
|
||||
b"II\x2A\x00", # Valid TIFF header with little-endian byte order
|
||||
@@ -1310,6 +1312,14 @@ class TiffImageFile(ImageFile.ImageFile):
|
||||
SAMPLESPERPIXEL,
|
||||
3 if self._compression == "tiff_jpeg" and photo in (2, 6) else 1,
|
||||
)
|
||||
+
|
||||
+ if samplesPerPixel > MAX_SAMPLESPERPIXEL:
|
||||
+ # DOS check, samplesPerPixel can be a Long, and we extend the tuple below
|
||||
+ logger.error(
|
||||
+ "More samples per pixel than can be decoded: %s", samplesPerPixel
|
||||
+ )
|
||||
+ raise SyntaxError("Invalid value for samples per pixel")
|
||||
+
|
||||
if len(bps_tuple) != samplesPerPixel:
|
||||
raise SyntaxError("unknown data organization")
|
||||
|
||||
--
|
||||
2.33.0
|
||||
|
||||
BIN
oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
Normal file
BIN
oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
Normal file
Binary file not shown.
@ -5,16 +5,18 @@
|
||||
|
||||
Name: python-pillow
|
||||
Version: 9.0.1
|
||||
Release: 2
|
||||
Release: 3
|
||||
Summary: Python image processing library
|
||||
License: MIT
|
||||
URL: http://python-pillow.github.io/
|
||||
Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
|
||||
Source1: oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
|
||||
|
||||
Patch0: python-pillow_spinxwarn.patch
|
||||
Patch1: python-pillow_sphinx-issues.patch
|
||||
|
||||
Patch6000: backport-Corrected-memory-allocation.patch
|
||||
Patch6001: CVE-2022-45199.patch
|
||||
|
||||
BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel
|
||||
BuildRequires: libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
|
||||
@ -94,6 +96,7 @@ Provides: python3-imaging-qt = %{version}-%{release}
|
||||
Qt pillow image wrapper.
|
||||
%prep
|
||||
%autosetup -p1 -n Pillow-%{version}
|
||||
cp %{SOURCE1} Tests/images/
|
||||
|
||||
%build
|
||||
|
||||
@ -152,6 +155,12 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
|
||||
%{python3_sitearch}/PIL/__pycache__/ImageQt*
|
||||
|
||||
%changelog
|
||||
* Thu Nov 17 2022 qz_cx <wangqingzheng@kylinos.cn> - 9.0.1-3
|
||||
- Type:CVE
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC: fix CVE-2022-45199
|
||||
|
||||
* Wed Apr 20 2022 dongyuzhen <dongyuzhen@h-partners.com> - 9.0.1-2
|
||||
- correct memory allocation in alloc_array (this is the rear patch of CVE-2022-22815,CVE-2022-22816)
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user