Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
systemsmanagement:Ardana:9:CentOS:7.5
python-Pillow
015-Fix-for-SGI-Decode-buffer-overrun.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 015-Fix-for-SGI-Decode-buffer-overrun.patch of Package python-Pillow
From 7e95c63fa7f503f185d3d9eb16b9cee1e54d1e46 Mon Sep 17 00:00:00 2001 From: Eric Soroos <eric-github@soroos.net> Date: Thu, 29 Oct 2020 23:07:15 +0000 Subject: [PATCH 1/3] Fix for SGI Decode buffer overrun CVE-2020-35655 * Independently found by a contributor and sent to Tidelift, and by Google's OSS Fuzz. --- ...7f2244da6d0ae297ee0754a424213444e92778.sgi | Bin 0 -> 6973 bytes Tests/images/ossfuzz-5730089102868480.sgi | Bin 0 -> 530 bytes Tests/test_sgi_crash.py | 8 +++++- src/libImaging/SgiRleDecode.c | 23 ++++++++++++------ 4 files changed, 23 insertions(+), 8 deletions(-) create mode 100644 Tests/images/crash-6b7f2244da6d0ae297ee0754a424213444e92778.sgi create mode 100644 Tests/images/ossfuzz-5730089102868480.sgi diff --git a/Tests/test_sgi_crash.py b/Tests/test_sgi_crash.py index 2b671244a8..6626f55f7c 100644 --- a/Tests/test_sgi_crash.py +++ b/Tests/test_sgi_crash.py @@ -5,7 +5,13 @@ @pytest.mark.parametrize( "test_file", - ["Tests/images/sgi_overrun_expandrowF04.bin", "Tests/images/sgi_crash.bin"], + [ + "Tests/images/sgi_overrun_expandrowF04.bin", + "Tests/images/sgi_crash.bin", + "Tests/images/crash-6b7f2244da6d0ae297ee0754a424213444e92778.sgi", + "Tests/images/ossfuzz-5730089102868480.sgi", + + ], ) def test_crashes(test_file): with open(test_file, "rb") as f: diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c index a03ecd456e..46a9179234 100644 --- a/src/libImaging/SgiRleDecode.c +++ b/src/libImaging/SgiRleDecode.c @@ -107,11 +107,27 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, int err = 0; int status; + /* size check */ + if (im->xsize > INT_MAX / im->bands || + im->ysize > INT_MAX / im->bands) { + return IMAGING_CODEC_MEMORY; + } + /* Get all data from File descriptor */ c = (SGISTATE*)state->context; _imaging_seek_pyFd(state->fd, 0L, SEEK_END); c->bufsize = _imaging_tell_pyFd(state->fd); c->bufsize -= SGI_HEADER_SIZE; + + c->tablen = im->bands * im->ysize; + /* below, we populate the starttab and lentab into the bufsize, + each with 4 bytes per element of tablen + Check here before we allocate any memory + */ + if (c->bufsize < 8*c->tablen) { + return IMAGING_CODEC_MEMORY; + } + ptr = malloc(sizeof(UINT8) * c->bufsize); if (!ptr) { return IMAGING_CODEC_MEMORY; @@ -129,18 +145,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, state->ystep = 1; } - if (im->xsize > INT_MAX / im->bands || - im->ysize > INT_MAX / im->bands) { - err = IMAGING_CODEC_MEMORY; - goto sgi_finish_decode; - } - /* Allocate memory for RLE tables and rows */ free(state->buffer); state->buffer = NULL; /* malloc overflow check above */ state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2); - c->tablen = im->bands * im->ysize; c->starttab = calloc(c->tablen, sizeof(UINT32)); c->lengthtab = calloc(c->tablen, sizeof(UINT32)); if (!state->buffer || From 9a2c9f722f78773e608d44710873437baf3f17d1 Mon Sep 17 00:00:00 2001 From: Eric Soroos <eric-github@soroos.net> Date: Fri, 30 Oct 2020 09:57:23 +0000 Subject: [PATCH 2/3] Make the SGI code return -1 as an error flag, error in state --- src/libImaging/SgiRleDecode.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c index 46a9179234..9a8814b50c 100644 --- a/src/libImaging/SgiRleDecode.c +++ b/src/libImaging/SgiRleDecode.c @@ -110,7 +110,8 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, /* size check */ if (im->xsize > INT_MAX / im->bands || im->ysize > INT_MAX / im->bands) { - return IMAGING_CODEC_MEMORY; + state->errcode = IMAGING_CODEC_MEMORY; + return -1; } /* Get all data from File descriptor */ @@ -125,12 +126,14 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, Check here before we allocate any memory */ if (c->bufsize < 8*c->tablen) { - return IMAGING_CODEC_MEMORY; + state->errcode = IMAGING_CODEC_OVERRUN; + return -1; } ptr = malloc(sizeof(UINT8) * c->bufsize); if (!ptr) { - return IMAGING_CODEC_MEMORY; + state->errcode = IMAGING_CODEC_MEMORY; + return -1; } _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET); _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize); @@ -178,7 +181,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, if (c->rleoffset + c->rlelength > c->bufsize) { state->errcode = IMAGING_CODEC_OVERRUN; - return -1; + goto sgi_finish_decode; } /* row decompression */ @@ -190,7 +193,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, } if (status == -1) { state->errcode = IMAGING_CODEC_OVERRUN; - return -1; + goto sgi_finish_decode; } else if (status == 1) { goto sgi_finish_decode; } @@ -211,7 +214,8 @@ sgi_finish_decode: ; free(c->lengthtab); free(ptr); if (err != 0){ - return err; + state->errcode=err; + return -1; } return state->count - c->bufsize; } From 1cbb12fb6e44da0d6d6d58254d0d96930d04af5e Mon Sep 17 00:00:00 2001 From: Andrew Murray <radarhere@users.noreply.github.com> Date: Sat, 2 Jan 2021 20:19:26 +1100 Subject: [PATCH 3/3] Lint fix --- Tests/test_sgi_crash.py | 1 - 1 file changed, 1 deletion(-) diff --git a/Tests/test_sgi_crash.py b/Tests/test_sgi_crash.py index 6626f55f7c..ac304aab4d 100644 --- a/Tests/test_sgi_crash.py +++ b/Tests/test_sgi_crash.py @@ -10,7 +10,6 @@ "Tests/images/sgi_crash.bin", "Tests/images/crash-6b7f2244da6d0ae297ee0754a424213444e92778.sgi", "Tests/images/ossfuzz-5730089102868480.sgi", - ], ) def test_crashes(test_file):
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor