File CVE-2020-35654.patch of Package python-Pillow.35230
Index: Pillow-7.2.0/src/libImaging/TiffDecode.c
===================================================================
--- Pillow-7.2.0.orig/src/libImaging/TiffDecode.c
+++ Pillow-7.2.0/src/libImaging/TiffDecode.c
@@ -227,54 +227,181 @@ int ReadTile(TIFF* tiff, UINT32 col, UIN
return 0;
}
-int ReadStrip(TIFF* tiff, UINT32 row, UINT32* buffer) {
- uint16 photometric = 0; // init to not PHOTOMETRIC_YCBCR
- TIFFGetField(tiff, TIFFTAG_PHOTOMETRIC, &photometric);
-
+int _decodeStripYCbCr(Imaging im, ImagingCodecState state, TIFF *tiff) {
// To avoid dealing with YCbCr subsampling, let libtiff handle it
- if (photometric == PHOTOMETRIC_YCBCR) {
- TIFFRGBAImage img;
- char emsg[1024] = "";
- UINT32 rows_per_strip, rows_to_read;
- int ok;
+ // Use a TIFFRGBAImage wrapping the tiff image, and let libtiff handle
+ // all of the conversion. Metadata read from the TIFFRGBAImage could
+ // be different from the metadata that the base tiff returns.
+
+ INT32 strip_row;
+ UINT8 *new_data;
+ UINT32 rows_per_strip, row_byte_size, rows_to_read;
+ int ret;
+ TIFFRGBAImage img;
+ char emsg[1024] = "";
+ int ok;
+
+ ret = TIFFGetFieldDefaulted(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip);
+ if (ret != 1) {
+ rows_per_strip = state->ysize;
+ }
+ TRACE(("RowsPerStrip: %u \n", rows_per_strip));
+
+ if (!(TIFFRGBAImageOK(tiff, emsg) && TIFFRGBAImageBegin(&img, tiff, 0, emsg))) {
+ TRACE(("Decode error, msg: %s", emsg));
+ state->errcode = IMAGING_CODEC_BROKEN;
+ TIFFClose(tiff);
+ return -1;
+ }
+ img.req_orientation = ORIENTATION_TOPLEFT;
+ img.col_offset = 0;
- TIFFGetFieldDefaulted(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip);
- if ((row % rows_per_strip) != 0) {
- TRACE(("Row passed to ReadStrip() must be first in a strip."));
- return -1;
- }
+ if (state->xsize != img.width || state->ysize != img.height) {
+ TRACE(("Inconsistent Image Error: %d =? %d, %d =? %d",
+ state->xsize, img.width, state->ysize, img.height));
+ state->errcode = IMAGING_CODEC_BROKEN;
+ TIFFRGBAImageEnd(&img);
+ TIFFClose(tiff);
+ return -1;
+ }
+
+ /* overflow check for row byte size */
+ if (INT_MAX / 4 < img.width) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFRGBAImageEnd(&img);
+ TIFFClose(tiff);
+ return -1;
+ }
+
+ // TiffRGBAImages are 32bits/pixel.
+ row_byte_size = img.width * 4;
+
+ /* overflow check for realloc */
+ if (INT_MAX / row_byte_size < rows_per_strip) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFRGBAImageEnd(&img);
+ TIFFClose(tiff);
+ return -1;
+ }
- if (TIFFRGBAImageOK(tiff, emsg) && TIFFRGBAImageBegin(&img, tiff, 0, emsg)) {
- TRACE(("Initialized RGBAImage\n"));
+ state->bytes = rows_per_strip * row_byte_size;
- img.req_orientation = ORIENTATION_TOPLEFT;
- img.row_offset = row;
- img.col_offset = 0;
+ TRACE(("StripSize: %d \n", state->bytes));
- rows_to_read = min(rows_per_strip, img.height - row);
+ /* realloc to fit whole strip */
+ /* malloc check above */
+ new_data = realloc (state->buffer, state->bytes);
+ if (!new_data) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFRGBAImageEnd(&img);
+ TIFFClose(tiff);
+ return -1;
+ }
- TRACE(("rows to read: %d\n", rows_to_read));
- ok = TIFFRGBAImageGet(&img, buffer, img.width, rows_to_read);
+ state->buffer = new_data;
+ for (; state->y < state->ysize; state->y += rows_per_strip) {
+ img.row_offset = state->y;
+ rows_to_read = min(rows_per_strip, img.height - state->y);
+
+ if (TIFFRGBAImageGet(&img, (UINT32 *)state->buffer, img.width, rows_to_read) == -1) {
+ TRACE(("Decode Error, y: %d\n", state->y ));
+ state->errcode = IMAGING_CODEC_BROKEN;
TIFFRGBAImageEnd(&img);
- } else {
- ok = 0;
+ TIFFClose(tiff);
+ return -1;
}
- if (ok == 0) {
- TRACE(("Decode Error, row %d; msg: %s\n", row, emsg));
- return -1;
+ TRACE(("Decoded strip for row %d \n", state->y));
+
+ // iterate over each row in the strip and stuff data into image
+ for (strip_row = 0; strip_row < min((INT32) rows_per_strip, state->ysize - state->y); strip_row++) {
+ TRACE(("Writing data into line %d ; \n", state->y + strip_row));
+
+ // UINT8 * bbb = state->buffer + strip_row * (state->bytes / rows_per_strip);
+ // TRACE(("chars: %x %x %x %x\n", ((UINT8 *)bbb)[0], ((UINT8 *)bbb)[1], ((UINT8 *)bbb)[2], ((UINT8 *)bbb)[3]));
+
+ state->shuffle((UINT8*) im->image[state->y + state->yoff + strip_row] +
+ state->xoff * im->pixelsize,
+ state->buffer + strip_row * row_byte_size,
+ state->xsize);
}
+ }
+ TIFFRGBAImageEnd(&img);
+ return 0;
+}
+
+int _decodeStrip(Imaging im, ImagingCodecState state, TIFF *tiff) {
+ INT32 strip_row;
+ UINT8 *new_data;
+ UINT32 rows_per_strip, row_byte_size;
+ int ret;
+
+ ret = TIFFGetField(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip);
+ if (ret != 1) {
+ rows_per_strip = state->ysize;
+ }
+ TRACE(("RowsPerStrip: %u \n", rows_per_strip));
+
+ // We could use TIFFStripSize, but for YCbCr data it returns subsampled data size
+ row_byte_size = (state->xsize * state->bits + 7) / 8;
+
+ /* overflow check for realloc */
+ if (INT_MAX / row_byte_size < rows_per_strip) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFClose(tiff);
+ return -1;
+ }
+
+ state->bytes = rows_per_strip * row_byte_size;
+
+ TRACE(("StripSize: %d \n", state->bytes));
+
+ if (TIFFStripSize(tiff) > state->bytes) {
+ // If the strip size as expected by LibTiff isn't what we're expecting, abort.
+ // man: TIFFStripSize returns the equivalent size for a strip of data as it would be returned in a
+ // call to TIFFReadEncodedStrip ...
- return 0;
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFClose(tiff);
+ return -1;
}
- if (TIFFReadEncodedStrip(tiff, TIFFComputeStrip(tiff, row, 0), (tdata_t)buffer, -1) == -1) {
- TRACE(("Decode Error, strip %d\n", TIFFComputeStrip(tiff, row, 0)));
+ /* realloc to fit whole strip */
+ /* malloc check above */
+ new_data = realloc (state->buffer, state->bytes);
+ if (!new_data) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+ TIFFClose(tiff);
return -1;
}
+ state->buffer = new_data;
+
+ for (; state->y < state->ysize; state->y += rows_per_strip) {
+ if (TIFFReadEncodedStrip(tiff, TIFFComputeStrip(tiff, state->y, 0), (tdata_t)state->buffer, -1) == -1) {
+ TRACE(("Decode Error, strip %d\n", TIFFComputeStrip(tiff, state->y, 0)));
+ state->errcode = IMAGING_CODEC_BROKEN;
+ TIFFClose(tiff);
+ return -1;
+ }
+
+ TRACE(("Decoded strip for row %d \n", state->y));
+
+ // iterate over each row in the strip and stuff data into image
+ for (strip_row = 0; strip_row < min((INT32) rows_per_strip, state->ysize - state->y); strip_row++) {
+ TRACE(("Writing data into line %d ; \n", state->y + strip_row));
+
+ // UINT8 * bbb = state->buffer + strip_row * (state->bytes / rows_per_strip);
+ // TRACE(("chars: %x %x %x %x\n", ((UINT8 *)bbb)[0], ((UINT8 *)bbb)[1], ((UINT8 *)bbb)[2], ((UINT8 *)bbb)[3]));
+
+ state->shuffle((UINT8*) im->image[state->y + state->yoff + strip_row] +
+ state->xoff * im->pixelsize,
+ state->buffer + strip_row * row_byte_size,
+ state->xsize);
+ }
+ }
return 0;
}
@@ -283,6 +410,9 @@ int ImagingLibTiffDecode(Imaging im, Ima
char *filename = "tempfile.tif";
char *mode = "r";
TIFF *tiff;
+ uint16 photometric = 0; // init to not PHOTOMETRIC_YCBCR
+ int isYCbCr = 0;
+ int ret;
/* buffer is the encoded file, bytes is the length of the encoded file */
/* it all ends up in state->buffer, which is a uint8* from Imaging.h */
@@ -343,6 +473,10 @@ int ImagingLibTiffDecode(Imaging im, Ima
}
}
+
+ TIFFGetField(tiff, TIFFTAG_PHOTOMETRIC, &photometric);
+ isYCbCr = photometric == PHOTOMETRIC_YCBCR;
+
if (TIFFIsTiled(tiff)) {
UINT32 x, y, tile_y, row_byte_size;
UINT32 tile_width, tile_length, current_tile_width;
@@ -411,75 +545,13 @@ int ImagingLibTiffDecode(Imaging im, Ima
}
}
} else {
- UINT32 strip_row, row_byte_size;
- UINT8 *new_data;
- UINT32 rows_per_strip;
- int ret;
-
- ret = TIFFGetField(tiff, TIFFTAG_ROWSPERSTRIP, &rows_per_strip);
- if (ret != 1) {
- rows_per_strip = state->ysize;
- }
- TRACE(("RowsPerStrip: %u \n", rows_per_strip));
-
- // We could use TIFFStripSize, but for YCbCr data it returns subsampled data size
- row_byte_size = (state->xsize * state->bits + 7) / 8;
-
- /* overflow check for realloc */
- if (INT_MAX / row_byte_size < rows_per_strip) {
- state->errcode = IMAGING_CODEC_MEMORY;
- TIFFClose(tiff);
- return -1;
+ if (!isYCbCr) {
+ ret = _decodeStrip(im, state, tiff);
}
-
- state->bytes = rows_per_strip * row_byte_size;
-
- TRACE(("StripSize: %d \n", state->bytes));
-
- if (TIFFStripSize(tiff) > state->bytes) {
- // If the strip size as expected by LibTiff isn't what we're expecting, abort.
- // man: TIFFStripSize returns the equivalent size for a strip of data as it would be returned in a
- // call to TIFFReadEncodedStrip ...
-
- state->errcode = IMAGING_CODEC_MEMORY;
- TIFFClose(tiff);
- return -1;
- }
-
- /* realloc to fit whole strip */
- /* malloc check above */
- new_data = realloc (state->buffer, state->bytes);
- if (!new_data) {
- state->errcode = IMAGING_CODEC_MEMORY;
- TIFFClose(tiff);
- return -1;
- }
-
- state->buffer = new_data;
-
- for (; state->y < state->ysize; state->y += rows_per_strip) {
- if (ReadStrip(tiff, state->y, (UINT32 *)state->buffer) == -1) {
- TRACE(("Decode Error, strip %d\n", TIFFComputeStrip(tiff, state->y, 0)));
- state->errcode = IMAGING_CODEC_BROKEN;
- TIFFClose(tiff);
- return -1;
- }
-
- TRACE(("Decoded strip for row %d \n", state->y));
-
- // iterate over each row in the strip and stuff data into image
- for (strip_row = 0; strip_row < min(rows_per_strip, state->ysize - state->y); strip_row++) {
- TRACE(("Writing data into line %d ; \n", state->y + strip_row));
-
- // UINT8 * bbb = state->buffer + strip_row * (state->bytes / rows_per_strip);
- // TRACE(("chars: %x %x %x %x\n", ((UINT8 *)bbb)[0], ((UINT8 *)bbb)[1], ((UINT8 *)bbb)[2], ((UINT8 *)bbb)[3]));
-
- state->shuffle((UINT8*) im->image[state->y + state->yoff + strip_row] +
- state->xoff * im->pixelsize,
- state->buffer + strip_row * row_byte_size,
- state->xsize);
- }
+ else {
+ ret = _decodeStripYCbCr(im, state, tiff);
}
+ if (ret == -1) { return ret; }
}
TIFFClose(tiff);
Index: Pillow-7.2.0/Tests/test_tiff_crashes.py
===================================================================
--- /dev/null
+++ Pillow-7.2.0/Tests/test_tiff_crashes.py
@@ -0,0 +1,41 @@
+# Reproductions/tests for crashes/read errors in TiffDecode.c
+
+# When run in Python, all of these images should fail for
+# one reason or another, either as a buffer overrun,
+# unrecognized datastream, or truncated image file.
+# There shouldn't be any segfaults.
+#
+# if run like
+# `valgrind --tool=memcheck pytest test_tiff_crashes.py 2>&1 | grep TiffDecode.c`
+# the output should be empty. There may be Python issues
+# in the valgrind especially if run in a debug Python
+# version.
+
+import pytest
+
+from PIL import Image
+
+from .helper import on_ci
+
+
+@pytest.mark.parametrize(
+ "test_file",
+ [
+ "Tests/images/crash_1.tif",
+ "Tests/images/crash_2.tif",
+ "Tests/images/crash-2020-10-test.tif",
+ ],
+)
+@pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")
+@pytest.mark.filterwarnings("ignore:Metadata warning")
+def test_tiff_crashes(test_file):
+ try:
+ with Image.open(test_file) as im:
+ im.load()
+ except FileNotFoundError:
+ if not on_ci():
+ pytest.skip("test image not found")
+ return
+ raise
+ except OSError:
+ pass
