File 0003-Memory-error-in-Storage.patch of Package python-Pillow

From 5d8a0be45aad78c5a22c8d099118ee26ef8144af Mon Sep 17 00:00:00 2001
From: wiredfool <eric-github@soroos.net>
Date: Sun, 25 Sep 2016 10:44:22 +0100
Subject: [PATCH] Memory error in Storage.c when accepting negative image size
 arguments

---
 Tests/images/negative_size.ppm |  1 +
 Tests/test_file_ppm.py         | 12 ++++++++++++
 libImaging/Storage.c           |  4 ++++
 3 files changed, 17 insertions(+)
 create mode 100755 Tests/images/negative_size.ppm

diff --git a/Tests/images/negative_size.ppm b/Tests/images/negative_size.ppm
new file mode 100755
index 000000000..257b8c29c
--- /dev/null
+++ b/Tests/images/negative_size.ppm
@@ -0,0 +1 @@
+P632 358888888632!
diff --git a/Tests/test_file_ppm.py b/Tests/test_file_ppm.py
index 3adc7a6d1..9284d422a 100644
--- a/Tests/test_file_ppm.py
+++ b/Tests/test_file_ppm.py
@@ -36,6 +36,18 @@
         self.assert_image_equal(im, reloaded)
 
 
+    def test_neg_ppm(self):
+        """test_neg_ppm
+
+        Storage.c accepted negative values for xsize, ysize.
+        open_ppm is a core debugging item that doesn't check any parameters for
+        sanity. 
+        """
+        
+        with self.assertRaises(ValueError):
+            Image.core.open_ppm('Tests/images/negative_size.ppm')
+
+
 if __name__ == '__main__':
     unittest.main()
 
diff --git a/libImaging/Storage.c b/libImaging/Storage.c
index f40840671..27661bfdb 100644
--- a/libImaging/Storage.c
+++ b/libImaging/Storage.c
@@ -386,7 +386,11 @@
     } else
         bytes = strlen(mode); /* close enough */
 
-    if ((int64_t) xsize * (int64_t) ysize * bytes <= THRESHOLD) {
+    if (xsize < 0 || ysize < 0) {
+        return (Imaging) ImagingError_ValueError("bad image size");
+    }
+
+    if ((int64_t) xsize * (int64_t) ysize <= THRESHOLD / bytes) {
         im = ImagingNewBlock(mode, xsize, ysize);
         if (im)
             return im;
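Review bot: The rewritten comparison `(int64_t) xsize * (int64_t) ysize <= THRESHOLD / bytes` divides by `bytes`, which on the `else` path just above is `strlen(mode)` and is therefore zero for an empty mode string. The old multiplication tolerated that value, but the division would trap. Whether any caller can reach this point with an empty mode is not visible in the hunk, so I would make the guard explicit, for example `if (xsize < 0 || ysize < 0 || bytes == 0) {`, or give the mode case its own error return with a more accurate message than "bad image size". The sign check also sits only in this function, which starts and ends outside the hunk, so any allocation path that reaches the block or array allocators without passing through here would presumably need the same check. A short comment such as `/* reject negative sizes before the int64 product; the division keeps the threshold test overflow-free */` would record why the comparison was reshaped.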