File CVE-2022-22815.patch of Package python-Pillow.35230
Index: Pillow-7.2.0/Tests/test_imagepath.py
===================================================================
--- Pillow-7.2.0.orig/Tests/test_imagepath.py
+++ Pillow-7.2.0/Tests/test_imagepath.py
@@ -75,6 +75,22 @@ class TestImagePath:
for i in range(200000):
x[i] = b"0" * 16
+ @pytest.mark.parametrize(
+ "coords, expected",
+ [
+ ([0, 1, 2, 3], (0.0, 1.0, 2.0, 3.0)),
+ ([3, 2, 1, 0], (1.0, 0.0, 3.0, 2.0)),
+ (0, (0.0, 0.0, 0.0, 0.0)),
+ (1, (0.0, 0.0, 0.0, 0.0)),
+ ],
+ )
+ def test_getbbox(self, coords, expected):
+ # Arrange
+ p = ImagePath.Path(coords)
+
+ # Act / Assert
+ assert p.getbbox() == expected
+
class evil:
def __init__(self):
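Review bot: The two integer rows in the `test_getbbox` parametrization are the ones that exercise this fix, but nothing in the test says so. The `1` row is also only a probabilistic regression check: on an unpatched build it fails only when the allocator happens to hand back non-zero memory. I would label the rows, e.g. `pytest.param(0, (0.0, 0.0, 0.0, 0.0), id="empty-path")` and `pytest.param(1, (0.0, 0.0, 0.0, 0.0), id="uninitialised-point")`, and add a comment such as `# Path(int) appears to allocate points without coordinates; they must read back as zero`. Running the suite under a memory checker such as Valgrind or MemorySanitizer should flag the unpatched read more reliably than the value comparison does. The enclosing `TestImagePath` class starts outside the hunk.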
Index: Pillow-7.2.0/src/path.c
===================================================================
--- Pillow-7.2.0.orig/src/path.c
+++ Pillow-7.2.0/src/path.c
@@ -60,7 +60,7 @@ alloc_array(Py_ssize_t count)
PyErr_NoMemory();
return NULL;
}
- xy = malloc(2 * count * sizeof(double) + 1);
+ xy = calloc(2 * count * sizeof(double) + 1, sizeof(double));
if (!xy) {
PyErr_NoMemory();
}
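Review bot: The new `calloc` call passes a byte count where an element count is expected: `2 * count * sizeof(double) + 1` already includes `sizeof(double)`, so multiplying by `sizeof(double)` again requests about `sizeof(double)` times more memory than the array needs. This is not a memory-safety problem, but it inflates an allocation whose size follows the caller-supplied `count`. The first argument is also still computed before `calloc` can apply its own overflow check. Suggest `xy = calloc(2 * count + 1, sizeof(double));`, which keeps the zero-initialisation and the one spare element. The guard above the call is only partly visible here, so confirm its bound still matches the size expression; `alloc_array` begins and ends outside the hunk.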
@@ -340,21 +340,25 @@ path_getbbox(PyPathObject* self, PyObjec
xy = self->xy;
- x0 = x1 = xy[0];
- y0 = y1 = xy[1];
-
- for (i = 1; i < self->count; i++) {
- if (xy[i+i] < x0) {
- x0 = xy[i+i];
- }
- if (xy[i+i] > x1) {
- x1 = xy[i+i];
- }
- if (xy[i+i+1] < y0) {
- y0 = xy[i+i+1];
- }
- if (xy[i+i+1] > y1) {
- y1 = xy[i+i+1];
+ if (self->count == 0) {
+ x0 = x1 = 0;
+ y0 = y1 = 0;
+ } else {
+ x0 = x1 = xy[0];
+ y0 = y1 = xy[1];
+ for (i = 1; i < self->count; i++) {
+ if (xy[i + i] < x0) {
+ x0 = xy[i + i];
+ }
+ if (xy[i + i] > x1) {
+ x1 = xy[i + i];
+ }
+ if (xy[i + i + 1] < y0) {
+ y0 = xy[i + i + 1];
+ }
+ if (xy[i + i + 1] > y1) {
+ y1 = xy[i + i + 1];
+ }
}
}