packages/python-pillow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix:CVE-2022-45199

Browse Source 
(cherry picked from commit 079e6a29ad5759ecb26c2fe282595ec143730c9f)
This commit is contained in:
qz_cx 2022-11-17 10:34:58 +08:00 committed by openeuler-sync-bot
parent 209b2b6ca3
commit 8ec3d992f5
3 changed files with 89 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
CVE-2022-45199.patch Normal file
View File

@ -0,0 +1,79 @@
From 9ae8f6b7aa8ea4638cb675267cd20c5425dcfafc Mon Sep 17 00:00:00 2001
From: qz_cx <wangqingzheng@kylinos.cn>
Date: Thu, 17 Nov 2022 10:28:59 +0800
Subject: [PATCH] Merge pull request #6700 from
hugovk/security-samples_per_pixel-sec
hugovk committed
Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
A large value in the SAMPLESPERPIXEL tag could lead to a memory and
runtime DOS in TiffImagePlugin.py when setting up the context for
image decoding.
---
Tests/test_file_tiff.py | 14 +++++++++++++-
src/PIL/TiffImagePlugin.py | 10 ++++++++++
2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/Tests/test_file_tiff.py b/Tests/test_file_tiff.py
index 5801e17..57fabfa 100644
--- a/Tests/test_file_tiff.py
+++ b/Tests/test_file_tiff.py
@@ -3,7 +3,7 @@ from io import BytesIO
import pytest
-from PIL import Image, ImageFile, TiffImagePlugin
+from PIL import Image, ImageFile, TiffImagePlugin, UnidentifiedImageError
from PIL.TiffImagePlugin import RESOLUTION_UNIT, X_RESOLUTION, Y_RESOLUTION
from .helper import (
@@ -734,6 +734,18 @@ class TestFileTiff:
im.load()
ImageFile.LOAD_TRUNCATED_IMAGES = False
+ @pytest.mark.parametrize(
+ "test_file",
+ [
+ "Tests/images/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif",
+ ],
+ )
+ @pytest.mark.timeout(2)
+ def test_oom(self, test_file):
+ with pytest.raises(UnidentifiedImageError):
+ with pytest.warns(UserWarning):
+ with Image.open(test_file):
+ pass
@pytest.mark.skipif(not is_win32(), reason="Windows only")
class TestFileTiffW32:
diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
index 5df5c4f..f2afe63 100644
--- a/src/PIL/TiffImagePlugin.py
+++ b/src/PIL/TiffImagePlugin.py
@@ -252,6 +252,8 @@ OPEN_INFO = {
(MM, 8, (1,), 1, (8, 8, 8), ()): ("LAB", "LAB"),
}
+MAX_SAMPLESPERPIXEL = max(len(key_tp[4]) for key_tp in OPEN_INFO.keys())
+
PREFIXES = [
b"MM\x00\x2A", # Valid TIFF header with big-endian byte order
b"II\x2A\x00", # Valid TIFF header with little-endian byte order
@@ -1310,6 +1312,14 @@ class TiffImageFile(ImageFile.ImageFile):
SAMPLESPERPIXEL,
3 if self._compression == "tiff_jpeg" and photo in (2, 6) else 1,
)
+
+ if samplesPerPixel > MAX_SAMPLESPERPIXEL:
+ # DOS check, samplesPerPixel can be a Long, and we extend the tuple below
+ logger.error(
+ "More samples per pixel than can be decoded: %s", samplesPerPixel
+ )
+ raise SyntaxError("Invalid value for samples per pixel")
+
if len(bps_tuple) != samplesPerPixel:
raise SyntaxError("unknown data organization")
--
2.33.0

BIN
oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif Normal file
View File

Binary file not shown.

11
python-pillow.spec
View File

@ -5,16 +5,18 @@
Name: python-pillow Name: python-pillow
Version: 9.0.1 Version: 9.0.1
Release: 2 Release: 3
Summary: Python image processing library Summary: Python image processing library
License: MIT License: MIT
URL: http://python-pillow.github.io/ URL: http://python-pillow.github.io/
Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
Source1: oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
Patch0: python-pillow_spinxwarn.patch Patch0: python-pillow_spinxwarn.patch
Patch1: python-pillow_sphinx-issues.patch Patch1: python-pillow_sphinx-issues.patch
Patch6000: backport-Corrected-memory-allocation.patch Patch6000: backport-Corrected-memory-allocation.patch
Patch6001: CVE-2022-45199.patch
BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel
BuildRequires: libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile BuildRequires: libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
@ -94,6 +96,7 @@ Provides: python3-imaging-qt = %{version}-%{release}
Qt pillow image wrapper. Qt pillow image wrapper.
%prep %prep
%autosetup -p1 -n Pillow-%{version} %autosetup -p1 -n Pillow-%{version}
cp %{SOURCE1} Tests/images/
%build %build
@ -152,6 +155,12 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
%{python3_sitearch}/PIL/__pycache__/ImageQt* %{python3_sitearch}/PIL/__pycache__/ImageQt*
%changelog %changelog
* Thu Nov 17 2022 qz_cx <wangqingzheng@kylinos.cn> - 9.0.1-3
- Type:CVE
- ID:NA
- SUG:NA
- DESC: fix CVE-2022-45199
* Wed Apr 20 2022 dongyuzhen <dongyuzhen@h-partners.com> - 9.0.1-2 * Wed Apr 20 2022 dongyuzhen <dongyuzhen@h-partners.com> - 9.0.1-2
- correct memory allocation in alloc_array (this is the rear patch of CVE-2022-22815,CVE-2022-22816) - correct memory allocation in alloc_array (this is the rear patch of CVE-2022-22815,CVE-2022-22816)