packages/python-pillow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!43 fix CVE-2020-35654

Browse Source 
From: @shirely16
Reviewed-by: @small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-03-04 16:21:57 +08:00 committed by Gitee
commit f904e42e56
2 changed files with 342 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

335
backport-CVE-2020-35654.patch Normal file
View File

@ -0,0 +1,335 @@
From eb8c1206d6b170d4e798a00db7432e023853da5c Mon Sep 17 00:00:00 2001
From: wiredfool <eric-github@soroos.net>
Date: Sun, 1 Nov 2020 14:16:38 +0000
Subject: [PATCH] Fix CVE-2020-35654 - OOB Write in TiffDecode.c
* In some circumstances with some versions of libtiff (4.1.0+), there
could be a 4 byte out of bound write when decoding a YCbCr tiff.
* The Pillow code dates to 6.0.0
* Found and reported through Tidelift
reason:Fix CVE-2020-35654 - OOB Write in TiffDecode.c
Conflict:NA
Reference:https://github.com/python-pillow/Pillow/commit/eb8c1206d6b170d4e798a00db7432e023853da5c
---
src/libImaging/TiffDecode.c | 266 ++++++++++++++++++----------
1 files changed, 168 insertions(+), 98 deletions(-)
diff -Naur a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
--- a/src/libImaging/TiffDecode.c 2021-03-04 14:28:42.632000000 +0800
+++ b/src/libImaging/TiffDecode.c 2021-03-04 14:47:03.790000000 +0800
@@ -227,54 +227,182 @@
return 0;
}
-int ReadStrip(TIFF* tiff, UINT32 row, UINT32* buffer) {
- uint16 photometric = 0; // init to not PHOTOMETRIC_YCBCR
- TIFFGetField(tiff, TIFFTAG_PHOTOMETRIC, &photometric);
-
+int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) {
// To avoid dealing with YCbCr subsampling, let libtiff handle it
- if (photometric == PHOTOMETRIC_YCBCR) {
- TIFFRGBAImage img;
- char emsg[1024] = "";
- UINT32 rows_per_strip, rows_to_read;
- int ok;
+ // Use a TIFFRGBAImage wrapping the tiff image, and let libtiff handle
+ // all of the conversion. Metadata read from the TIFFRGBAImage could
+ // be different from the metadata that the base tiff returns.
+
+ INT32 strip_row;
+ UINT8 *new_data;
+ UINT32 rows_per_strip, row_byte_size, rows_to_read;
+ int ret;
+ TIFFRGBAImage img;
+ char emsg[1024] = "";
+ int ok;
+
+ ret = TIFFGetFieldDefaulted(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip);
+ if (ret != 1) {
+ rows_per_strip = state->ysize;
+ }
+ TRACE(("RowsPerStrip: %u \n", rows_per_strip));
+ if (!(TIFFRGBAImageOK(tiff, emsg) && TIFFRGBAImageBegin(&img, tiff, 0, emsg))) {
+ TRACE(("Decode error, msg: %s", emsg));
+ state->errcode = IMAGING_CODEC_BROKEN;
+ TIFFClose(tiff);
+ return -1;
+ }
- TIFFGetFieldDefaulted(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip);
- if ((row % rows_per_strip) != 0) {
- TRACE(("Row passed to ReadStrip() must be first in a strip."));
- return -1;
- }
+ img.req_orientation = ORIENTATION_TOPLEFT;
+ img.col_offset = 0;
- if (TIFFRGBAImageOK(tiff, emsg) && TIFFRGBAImageBegin(&img, tiff, 0, emsg)) {
- TRACE(("Initialized RGBAImage\n"));
+ if (state->xsize != img.width || state->ysize != img.height) {
+ TRACE(("Inconsistent Image Error: %d =? %d, %d =? %d",
+ state->xsize, img.width, state->ysize, img.height));
+ state->errcode = IMAGING_CODEC_BROKEN;
+ TIFFRGBAImageEnd(&img);
+ TIFFClose(tiff);
+ return -1;
+ }
+
+ /* overflow check for row byte size */
+ if (INT_MAX / 4 < img.width) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFRGBAImageEnd(&img);
+ TIFFClose(tiff);
+ return -1;
+ }
+
+ // TiffRGBAImages are 32bits/pixel.
+ row_byte_size = img.width * 4;
+
+ /* overflow check for realloc */
+ if (INT_MAX / row_byte_size < rows_per_strip) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFRGBAImageEnd(&img);
+ TIFFClose(tiff);
+ return -1;
+ }
+
+ state->bytes = rows_per_strip * row_byte_size;
- img.req_orientation = ORIENTATION_TOPLEFT;
- img.row_offset = row;
- img.col_offset = 0;
+ TRACE(("StripSize: %d \n", state->bytes));
- rows_to_read = min(rows_per_strip, img.height - row);
+ /* realloc to fit whole strip */
+ /* malloc check above */
+ new_data = realloc (state->buffer, state->bytes);
+ if (!new_data) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFRGBAImageEnd(&img);
+ TIFFClose(tiff);
+ return -1;
+ }
- TRACE(("rows to read: %d\n", rows_to_read));
- ok = TIFFRGBAImageGet(&img, buffer, img.width, rows_to_read);
+ state->buffer = new_data;
+
+ for (; state->y < state->ysize; state->y += rows_per_strip) {
+ img.row_offset = state->y;
+ rows_to_read = min(rows_per_strip, img.height - state->y);
+
+ if (TIFFRGBAImageGet(&img, (UINT32 *)state->buffer, img.width, rows_to_read) == -1) {
+ TRACE(("Decode Error, y: %d\n", state->y ));
+ state->errcode = IMAGING_CODEC_BROKEN;
TIFFRGBAImageEnd(&img);
- } else {
- ok = 0;
+ TIFFClose(tiff);
+ return -1;
}
- if (ok == 0) {
- TRACE(("Decode Error, row %d; msg: %s\n", row, emsg));
- return -1;
+ TRACE(("Decoded strip for row %d \n", state->y));
+
+ // iterate over each row in the strip and stuff data into image
+ for (strip_row = 0; strip_row < min((INT32) rows_per_strip, state->ysize - state->y); strip_row++) {
+ TRACE(("Writing data into line %d ; \n", state->y + strip_row));
+
+ // UINT8 * bbb = state->buffer + strip_row * (state->bytes / rows_per_strip);
+ // TRACE(("chars: %x %x %x %x\n", ((UINT8 *)bbb)[0], ((UINT8 *)bbb)[1], ((UINT8 *)bbb)[2], ((UINT8 *)bbb)[3]));
+
+ state->shuffle((UINT8*) im->image[state->y + state->yoff + strip_row] +
+ state->xoff * im->pixelsize,
+ state->buffer + strip_row * row_byte_size,
+ state->xsize);
}
+ }
+ TIFFRGBAImageEnd(&img);
+ return 0;
+}
+
+int _decodeStrip(Imaging im, ImagingCodecState state, TIFF *tiff) {
+ INT32 strip_row;
+ UINT8 *new_data;
+ UINT32 rows_per_strip, row_byte_size;
+ int ret;
+
+ ret = TIFFGetField(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip);
+ if (ret != 1) {
+ rows_per_strip = state->ysize;
+ }
+ TRACE(("RowsPerStrip: %u \n", rows_per_strip));
- return 0;
+ // We could use TIFFStripSize, but for YCbCr data it returns subsampled data size
+ row_byte_size = (state->xsize * state->bits + 7) / 8;
+
+ /* overflow check for realloc */
+ if (INT_MAX / row_byte_size < rows_per_strip) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFClose(tiff);
+ return -1;
+ }
+
+ state->bytes = rows_per_strip * row_byte_size;
+
+ TRACE(("StripSize: %d \n", state->bytes));
+
+ if (TIFFStripSize(tiff) > state->bytes) {
+ // If the strip size as expected by LibTiff isn't what we're expecting, abort.
+ // man: TIFFStripSize returns the equivalent size for a strip of data as it would be returned in a
+ // call to TIFFReadEncodedStrip ...
+
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFClose(tiff);
+ return -1;
}
- if (TIFFReadEncodedStrip(tiff, TIFFComputeStrip(tiff, row, 0), (tdata_t)buffer, -1) == -1) {
- TRACE(("Decode Error, strip %d\n", TIFFComputeStrip(tiff, row, 0)));
+ /* realloc to fit whole strip */
+ /* malloc check above */
+ new_data = realloc (state->buffer, state->bytes);
+ if (!new_data) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFClose(tiff);
return -1;
}
+ state->buffer = new_data;
+
+ for (; state->y < state->ysize; state->y += rows_per_strip) {
+ if (TIFFReadEncodedStrip(tiff, TIFFComputeStrip(tiff, state->y, 0), (tdata_t)state->buffer, -1) == -1) {
+ TRACE(("Decode Error, strip %d\n", TIFFComputeStrip(tiff, state->y, 0)));
+ state->errcode = IMAGING_CODEC_BROKEN;
+ TIFFClose(tiff);
+ return -1;
+ }
+
+ TRACE(("Decoded strip for row %d \n", state->y));
+
+ // iterate over each row in the strip and stuff data into image
+ for (strip_row = 0; strip_row < min((INT32) rows_per_strip, state->ysize - state->y); strip_row++) {
+ TRACE(("Writing data into line %d ; \n", state->y + strip_row));
+
+ // UINT8 * bbb = state->buffer + strip_row * (state->bytes / rows_per_strip);
+ // TRACE(("chars: %x %x %x %x\n", ((UINT8 *)bbb)[0], ((UINT8 *)bbb)[1], ((UINT8 *)bbb)[2], ((UINT8 *)bbb)[3]));
+
+ state->shuffle((UINT8*) im->image[state->y + state->yoff + strip_row] +
+ state->xoff * im->pixelsize,
+ state->buffer + strip_row * row_byte_size,
+ state->xsize);
+ }
+ }
return 0;
}
@@ -283,6 +411,9 @@
char *filename = "tempfile.tif";
char *mode = "r";
TIFF *tiff;
+ uint16 photometric = 0; // init to not PHOTOMETRIC_YCBCR
+ int isYCbCr = 0;
+ int ret;
/* buffer is the encoded file, bytes is the length of the encoded file */
/* it all ends up in state->buffer, which is a uint8* from Imaging.h */
@@ -343,6 +474,9 @@
}
}
+ TIFFGetField(tiff, TIFFTAG_PHOTOMETRIC, &photometric);
+ isYCbCr = photometric == PHOTOMETRIC_YCBCR;
+
if (TIFFIsTiled(tiff)) {
UINT32 x, y, tile_y, row_byte_size;
UINT32 tile_width, tile_length, current_tile_width;
@@ -411,75 +545,14 @@
}
}
} else {
- UINT32 strip_row, row_byte_size;
- UINT8 *new_data;
- UINT32 rows_per_strip;
- int ret;
-
- ret = TIFFGetField(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip);
- if (ret != 1) {
- rows_per_strip = state->ysize;
+ if (!isYCbCr) {
+ ret = _decodeStrip(im, state, tiff);
}
- TRACE(("RowsPerStrip: %u \n", rows_per_strip));
- // We could use TIFFStripSize, but for YCbCr data it returns subsampled data size
- row_byte_size = (state->xsize * state->bits + 7) / 8;
-
- /* overflow check for realloc */
- if (INT_MAX / row_byte_size < rows_per_strip) {
- state->errcode = IMAGING_CODEC_MEMORY;
- TIFFClose(tiff);
- return -1;
- }
-
- state->bytes = rows_per_strip * row_byte_size;
-
- TRACE(("StripSize: %d \n", state->bytes));
-
- if (TIFFStripSize(tiff) > state->bytes) {
- // If the strip size as expected by LibTiff isn't what we're expecting, abort.
- // man: TIFFStripSize returns the equivalent size for a strip of data as it would be returned in a
- // call to TIFFReadEncodedStrip ...
-
- state->errcode = IMAGING_CODEC_MEMORY;
- TIFFClose(tiff);
- return -1;
- }
-
- /* realloc to fit whole strip */
- /* malloc check above */
- new_data = realloc (state->buffer, state->bytes);
- if (!new_data) {
- state->errcode = IMAGING_CODEC_MEMORY;
- TIFFClose(tiff);
- return -1;
- }
-
- state->buffer = new_data;
-
- for (; state->y < state->ysize; state->y += rows_per_strip) {
- if (ReadStrip(tiff, state->y, (UINT32 *)state->buffer) == -1) {
- TRACE(("Decode Error, strip %d\n", TIFFComputeStrip(tiff, state->y, 0)));
- state->errcode = IMAGING_CODEC_BROKEN;
- TIFFClose(tiff);
- return -1;
- }
-
- TRACE(("Decoded strip for row %d \n", state->y));
-
- // iterate over each row in the strip and stuff data into image
- for (strip_row = 0; strip_row < min(rows_per_strip, state->ysize - state->y); strip_row++) {
- TRACE(("Writing data into line %d ; \n", state->y + strip_row));
-
- // UINT8 * bbb = state->buffer + strip_row * (state->bytes / rows_per_strip);
- // TRACE(("chars: %x %x %x %x\n", ((UINT8 *)bbb)[0], ((UINT8 *)bbb)[1], ((UINT8 *)bbb)[2], ((UINT8 *)bbb)[3]));
-
- state->shuffle((UINT8*) im->image[state->y + state->yoff + strip_row] +
- state->xoff * im->pixelsize,
- state->buffer + strip_row * row_byte_size,
- state->xsize);
- }
+ else {
+ ret = _decodeStripYCbCr(im, state, tiff);
}
+ if (ret == -1) { return ret; }
}
TIFFClose(tiff);

10
python-pillow.spec
View File

@ -3,14 +3,15 @@
Name: python-pillow
Version: 7.2.0
Release: 3
Release: 4
Summary: Python image processing library
License: MIT
URL: http://python-pillow.github.io/
Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
Patch0000: backport-CVE-2020-35653.patch
Patch6000: backport-CVE-2020-35655.patch
Patch6000: backport-CVE-2020-35653.patch
Patch6001: backport-CVE-2020-35654.patch
Patch6002: backport-CVE-2020-35655.patch
BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel
BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel
@ -96,6 +97,9 @@ popd
%doc docs/_build_py3/html
%changelog
* Thu Mar 4 2021 hanhui <hanhui15@huawei.com> - 7.2.0-4
- fix CVE-2020-35654
* Tue Feb 23 2021 jinzhimin <jinzhimin2@huawei.com> - 7.2.0-3
- fix CVE-2020-35655