File Pillow-overflows.patch of Package python-Pillow
Index: Pillow-2.9.0/Tests/check_libtiff_segfault.py
===================================================================
--- /dev/null
+++ Pillow-2.9.0/Tests/check_libtiff_segfault.py
@@ -0,0 +1,23 @@
+from helper import unittest, PillowTestCase
+from PIL import Image
+
+TEST_FILE = "Tests/images/libtiff_segfault.tif"
+
+class TestLibtiffSegfault(PillowTestCase):
+ def test_segfault(self):
+ """ This test should not segfault. It will on Pillow <= 3.1.0 and
+ libtiff >= 4.0.0
+ """
+
+ try:
+ im = Image.open(TEST_FILE)
+ im.load()
+ except IOError:
+ self.assertTrue(True, "Got expected IOError")
+ except Exception:
+ self.fail("Should have returned IOError")
+
+
+
+if __name__ == '__main__':
+ unittest.main()
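Review bot: The `except IOError` branch in test_segfault also catches the IOError that `Image.open` raises when `Tests/images/libtiff_segfault.tif` is missing, so the test can pass without ever reaching the TIFF decoder. No fixture is added in the visible part of this patch, and a text patch cannot carry the binary. Moving `im = Image.open(TEST_FILE)` above the `try:` would turn a missing fixture into an error and leave only `im.load()` guarded, assuming the file parses far enough to open. The no-exception path also passes silently although the failure message says an IOError is expected; if that is the contract, `with self.assertRaises(IOError): im.load()` states it directly and the no-op `self.assertTrue(True, ...)` can go.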
Index: Pillow-2.9.0/libImaging/TiffDecode.c
===================================================================
--- Pillow-2.9.0.orig/libImaging/TiffDecode.c
+++ Pillow-2.9.0/libImaging/TiffDecode.c
@@ -169,7 +169,7 @@ int ImagingLibTiffDecode(Imaging im, Ima
char *filename = "tempfile.tif";
char *mode = "r";
TIFF *tiff;
- int size;
+ tsize_t size;
/* buffer is the encoded file, bytes is the length of the encoded file */
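Review bot: Widening `size` to `tsize_t` only fixes the declaration; every use of `size` further down ImagingLibTiffDecode has to be done at the same width, in particular any comparison against an `int` buffer length and any `%d` trace format. Those uses are outside this hunk, as are the start and end of the function, so they cannot be confirmed from here. The declaration would also benefit from recording why the type matters, e.g. `tsize_t size; /* libtiff's size type: an int can truncate the value before it is bounds-checked */`.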
Index: Pillow-2.9.0/Tests/check_fli_overflow.py
===================================================================
--- /dev/null
+++ Pillow-2.9.0/Tests/check_fli_overflow.py
@@ -0,0 +1,16 @@
+from helper import unittest, PillowTestCase
+from PIL import Image
+
+TEST_FILE = "Tests/images/fli_overflow.fli"
+
+
+class TestFliOverflow(PillowTestCase):
+ def test_fli_overflow(self):
+
+ # this should not crash with a malloc error or access violation
+ im = Image.open(TEST_FILE)
+ im.load()
+
+
+if __name__ == '__main__':
+ unittest.main()
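Review bot: test_fli_overflow detects the overflow only when it happens to crash the interpreter; a small out-of-bounds write can corrupt the heap and still let the test pass. The existing comment could say so, e.g. `# crash-only check: reliable only under a memory checker (ASan/valgrind)`. An assertion on a known property of the decoded frame would give the test a real pass condition.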
Index: Pillow-2.9.0/libImaging/FliDecode.c
===================================================================
--- Pillow-2.9.0.orig/libImaging/FliDecode.c
+++ Pillow-2.9.0/libImaging/FliDecode.c
@@ -185,7 +185,7 @@ ImagingFliDecode(Imaging im, ImagingCode
/* COPY chunk */
for (y = 0; y < state->ysize; y++) {
UINT8* buf = (UINT8*) im->image[y];
- memcpy(buf+x, data, state->xsize);
+ memcpy(buf, data, state->xsize);
data += state->xsize;
}
break;
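Review bot: The COPY loop still reads `state->xsize` bytes per row from `data` for `state->ysize` rows with no visible check that the chunk holds `ysize * xsize` bytes, so a truncated or malformed chunk could make `memcpy` read past the input buffer. Dropping the `+x` offset fixes the destination side only. A guard before the loop that compares the remaining chunk length with `state->ysize * state->xsize` (computed without overflow) and sets a decoder error on failure would close the source side. The chunk-length variable is declared outside this hunk, so the exact expression is left to the author. A comment such as `/* COPY chunk: rows start at column 0; needs ysize * xsize bytes of input */` would document the invariant.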
Index: Pillow-2.9.0/Tests/test_file_pcd.py
===================================================================
--- /dev/null
+++ Pillow-2.9.0/Tests/test_file_pcd.py
@@ -0,0 +1,18 @@
+from helper import unittest, PillowTestCase, hopper
+from PIL import Image
+
+class TestFilePcd(PillowTestCase):
+
+ def test_load_raw(self):
+ im = Image.open('Tests/images/hopper.pcd')
+ im.load() # should not segfault.
+
+ # Note that this image was created with a resized hopper
+ # image, which was then converted to pcd with imagemagick
+ # and the colors are wonky in Pillow. It's unclear if this
+ # is a pillow or a convert issue, as other images not generated
+ # from convert look find on pillow and not imagemagick.
+
+ #target = hopper().resize((768,512))
+ #self.assert_image_similar(im, target, 10)
+
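Review bot: test_load_raw asserts nothing about the decoded image, so it would still pass if the decoder produced a wrong stride or size, and `hopper` is imported only for the two commented-out lines. A cheap check such as `self.assertEqual(im.size, (768, 512))` would give the test a pass condition; that size is taken from the commented-out target, so confirm it against the fixture. The disabled similarity check is better kept as an explicitly skipped test or removed together with the unused import.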
Index: Pillow-2.9.0/libImaging/PcdDecode.c
===================================================================
--- Pillow-2.9.0.orig/libImaging/PcdDecode.c
+++ Pillow-2.9.0/libImaging/PcdDecode.c
@@ -47,7 +47,7 @@ ImagingPcdDecode(Imaging im, ImagingCode
out[0] = ptr[x];
out[1] = ptr[(x+4*state->xsize)/2];
out[2] = ptr[(x+5*state->xsize)/2];
- out += 4;
+ out += 3;
}
state->shuffle((UINT8*) im->image[state->y],
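Review bot: The new stride `out += 3` is a bare constant in both loops of ImagingPcdDecode (this hunk and the one at -62,7), and nothing visible ties it to the size of the buffer `out` walks or to the layout `state->shuffle` consumes. A comment at each site, e.g. `/* 3 bytes per pixel in the line buffer; must match the unpacker in state->shuffle */`, would record why a stride of 4 ran past the end. That layout is presumed here, since the buffer allocation and the unpacker are outside both hunks, as are the start and end of the function.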
@@ -62,7 +62,7 @@ ImagingPcdDecode(Imaging im, ImagingCode
out[0] = ptr[x+state->xsize];
out[1] = ptr[(x+4*state->xsize)/2];
out[2] = ptr[(x+5*state->xsize)/2];
- out += 4;
+ out += 3;
}
state->shuffle((UINT8*) im->image[state->y],
Index: Pillow-2.9.0/libImaging/Resample.c
===================================================================
--- Pillow-2.9.0.orig/libImaging/Resample.c
+++ Pillow-2.9.0/libImaging/Resample.c
@@ -138,11 +138,23 @@ ImagingResampleHorizontal(Imaging imIn,
/* maximum number of coofs */
kmax = (int) ceil(support) * 2 + 1;
+ // check for overflow
+ if (kmax > 0 && xsize > SIZE_MAX / kmax)
+ return (Imaging) ImagingError_MemoryError();
+
+ // sizeof(float) should be greater than 0
+ if (xsize * kmax > SIZE_MAX / sizeof(float))
+ return (Imaging) ImagingError_MemoryError();
+
/* coefficient buffer */
kk = malloc(xsize * kmax * sizeof(float));
if ( ! kk)
return (Imaging) ImagingError_MemoryError();
+ // sizeof(int) should be greater than 0 as well
+ if (xsize > SIZE_MAX / (2 * sizeof(int)))
+ return (Imaging) ImagingError_MemoryError();
+
xbounds = malloc(xsize * 2 * sizeof(int));
if ( ! xbounds) {
free(kk);
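Review bot: The third added check returns after `kk` has been allocated, so that error path leaks the coefficient buffer; it needs `free(kk);` before the return. The products are also still formed in the operands' own type: if `xsize` and `kmax` are `int` (the `(int)` cast on `kmax` suggests so, but the declarations are outside the hunk), `xsize * kmax` in the second check and in the `malloc` argument, and `xsize * 2` in the `xbounds` allocation, can wrap before being widened. On a 64-bit build the `SIZE_MAX / kmax` comparison then cannot fire for any `int` value. Casting to `size_t` before multiplying makes the guards cover the arithmetic that is actually performed. ImagingResampleHorizontal starts and ends outside this hunk.

```c
/* … unchanged: kmax computation … */
// check for overflow, with the arithmetic done in size_t
if (kmax > 0 && (size_t) xsize > SIZE_MAX / (size_t) kmax)
    return (Imaging) ImagingError_MemoryError();

if ((size_t) xsize * (size_t) kmax > SIZE_MAX / sizeof(float))
    return (Imaging) ImagingError_MemoryError();

/* coefficient buffer */
kk = malloc((size_t) xsize * (size_t) kmax * sizeof(float));
/* … unchanged: NULL check on kk … */

if ((size_t) xsize > SIZE_MAX / (2 * sizeof(int))) {
    free(kk);  /* kk is already allocated on this path */
    return (Imaging) ImagingError_MemoryError();
}

xbounds = malloc((size_t) xsize * 2 * sizeof(int));
/* … unchanged: NULL check on xbounds … */
```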