Overview

File 011-Fix-buffer-overflow-in-SGI-RLE-decoding.patch of Package python-Pillow

From 394d6a180a4b63a149a223b13e98a3209f837147 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Sat, 28 Mar 2020 13:00:46 +0000
Subject: [PATCH 1/4] Track number of pixels, not the number of runs

---
 src/libImaging/SgiRleDecode.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
index 1ba56b8c7b..3f9400a5bf 100644
--- a/src/libImaging/SgiRleDecode.c
+++ b/src/libImaging/SgiRleDecode.c
@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf)
 static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
 {
     UINT8 pixel, count;
+    int x = 0;
 
     for (;n > 0; n--)
     {
@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
         count = pixel & RLE_MAX_RUN;
         if (!count)
             return count;
-        if (count > xsize) {
+        if (x + count > xsize) {
             return -1;
         }
+        x += count;
         if (pixel & RLE_COPY_FLAG) {
             while(count--) {
                 *dest = *src++;
@@ -63,6 +65,7 @@ static int expandrow2(UINT8* dest, const UINT16* src, int n, int z, int xsize)
 {
     UINT8 pixel, count;
 
+    int x = 0;
 
     for (;n > 0; n--)
     {
@@ -73,9 +76,10 @@ static int expandrow2(UINT8* dest, const UINT16* src, int n, int z, int xsize)
         count = pixel & RLE_MAX_RUN;
         if (!count)
             return count;
-        if (count > xsize) {
+        if (x + count > xsize) {
             return -1;
         }
+        x += count;
         if (pixel & RLE_COPY_FLAG) {
             while(count--) {
                 *dest = *src++;

From dd341f12d6d4c1fa3a596daa4fc2795939fbc805 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Sat, 28 Mar 2020 13:19:27 +0000
Subject: [PATCH 2/4] Tests for SGI Overruns

---
 Tests/test_sgi_crash.py                   |  15 +++++++++++++++
 3 files changed, 15 insertions(+)
 create mode 100644 Tests/test_sgi_crash.py

diff --git a/Tests/test_sgi_crash.py b/Tests/test_sgi_crash.py
new file mode 100644
index 0000000000..984234be4c
--- /dev/null
+++ b/Tests/test_sgi_crash.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from .helper import PillowTestCase
+from PIL import Image
+
+repro = ('Tests/images/sgi_overrun_expandrowF04.bin',
+         'Tests/images/sgi_crash.bin',
+         )
+
+class TestSgiCrashes(PillowTestCase):
+    def test_crashes(self):
+        for path in repro:
+            with open(path, 'rb') as f:
+                im = Image.open(f)
+                with self.assertRaises(IOError):
+                    im.load()

From 78478dfcfb97378525151507a4ea7aae9484c01b Mon Sep 17 00:00:00 2001
From: Hugo <hugovk@users.noreply.github.com>
Date: Wed, 1 Apr 2020 10:13:12 +0300
Subject: [PATCH 3/4] Black and isort

---
 Tests/test_sgi_crash.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/Tests/test_sgi_crash.py b/Tests/test_sgi_crash.py
index 984234be4c..c8917df4d5 100644
--- a/Tests/test_sgi_crash.py
+++ b/Tests/test_sgi_crash.py
@@ -1,15 +1,18 @@
 #!/usr/bin/env python
-from .helper import PillowTestCase
 from PIL import Image
 
-repro = ('Tests/images/sgi_overrun_expandrowF04.bin',
-         'Tests/images/sgi_crash.bin',
-         )
+from .helper import PillowTestCase
+
+repro = (
+    "Tests/images/sgi_overrun_expandrowF04.bin",
+    "Tests/images/sgi_crash.bin",
+)
+
 
 class TestSgiCrashes(PillowTestCase):
     def test_crashes(self):
         for path in repro:
-            with open(path, 'rb') as f:
+            with open(path, "rb") as f:
                 im = Image.open(f)
                 with self.assertRaises(IOError):
                     im.load()

From 44096adf59938637a535766d586e00b1a35b7ff3 Mon Sep 17 00:00:00 2001
From: Hugo <hugovk@users.noreply.github.com>
Date: Wed, 1 Apr 2020 10:19:15 +0300
Subject: [PATCH 4/4] Convert from unittest to pytest

---
 Tests/test_sgi_crash.py | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/Tests/test_sgi_crash.py b/Tests/test_sgi_crash.py
index c8917df4d5..6f3fc6f5d1 100644
--- a/Tests/test_sgi_crash.py
+++ b/Tests/test_sgi_crash.py
@@ -1,18 +1,14 @@
 #!/usr/bin/env python
+import pytest
 from PIL import Image
 
-from .helper import PillowTestCase
 
-repro = (
-    "Tests/images/sgi_overrun_expandrowF04.bin",
-    "Tests/images/sgi_crash.bin",
+@pytest.mark.parametrize(
+    "test_file",
+    ["Tests/images/sgi_overrun_expandrowF04.bin", "Tests/images/sgi_crash.bin"],
 )
-
-
-class TestSgiCrashes(PillowTestCase):
-    def test_crashes(self):
-        for path in repro:
-            with open(path, "rb") as f:
-                im = Image.open(f)
-                with self.assertRaises(IOError):
-                    im.load()
+def test_crashes(test_file):
+    with open(test_file, "rb") as f:
+        im = Image.open(f)
+        with pytest.raises(IOError):
+            im.load()
openSUSE Build Service is sponsored by
Places