rpms / python-pillow

Clone
Source Code
GIT

Blame SOURCES/CVE-2020-35655.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-beta c7-ppc64le c8 c8-beta c8s c9s-sig-cloud-openstack-bobcat c9s-sig-cloud-openstack-caracal c9s-sig-cloud-openstack-xena c9s-sig-cloud-openstack-zed
  1.   cd6656dee16084d89969eb5795af4c8319b6124d
  2.   SOURCES
  3.   CVE-2020-35655.patch
Blob History Raw
7f73fb 
From f276de1139ec16395dc8b382860fb58e331fbd53 Mon Sep 17 00:00:00 2001
7f73fb 
From: Eric Soroos <eric-github@soroos.net>
7f73fb 
Date: Thu, 29 Oct 2020 23:07:15 +0000
7f73fb 
Subject: [PATCH 1/2] Fix for SGI Decode buffer overrun CVE-2020-35655
7f73fb
7f73fb 
* Independently found by a contributor and sent to Tidelift, and by Google's OSS Fuzz.
7f73fb 
---
7f73fb 
 src/libImaging/SgiRleDecode.c | 23 ++++++++++++++++-------
7f73fb 
 1 file changed, 16 insertions(+), 7 deletions(-)
7f73fb
7f73fb 
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
7f73fb 
index eb8fc84..c256169 100644
7f73fb 
--- a/src/libImaging/SgiRleDecode.c
7f73fb 
+++ b/src/libImaging/SgiRleDecode.c
7f73fb 
@@ -107,11 +107,27 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
7f73fb 
     int err = 0;
7f73fb 
     int status;
7f73fb
7f73fb 
+    /* size check */
7f73fb 
+    if (im->xsize > INT_MAX / im->bands ||
7f73fb 
+        im->ysize > INT_MAX / im->bands) {
7f73fb 
+        return IMAGING_CODEC_MEMORY;
7f73fb 
+    }
7f73fb 
+
7f73fb 
     /* Get all data from File descriptor */
7f73fb 
     c = (SGISTATE*)state->context;
7f73fb 
     _imaging_seek_pyFd(state->fd, 0L, SEEK_END);
7f73fb 
     c->bufsize = _imaging_tell_pyFd(state->fd);
7f73fb 
     c->bufsize -= SGI_HEADER_SIZE;
7f73fb 
+
7f73fb 
+    c->tablen = im->bands * im->ysize;
7f73fb 
+    /* below, we populate the starttab and lentab into the bufsize,
7f73fb 
+       each with 4 bytes per element of tablen
7f73fb 
+       Check here before we allocate any memory
7f73fb 
+    */
7f73fb 
+    if (c->bufsize < 8*c->tablen) {
7f73fb 
+        return IMAGING_CODEC_MEMORY;
7f73fb 
+    }
7f73fb 
+
7f73fb 
     ptr = malloc(sizeof(UINT8) * c->bufsize);
7f73fb 
     if (!ptr) {
7f73fb 
         return IMAGING_CODEC_MEMORY;
7f73fb 
@@ -129,18 +145,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
7f73fb 
         state->ystep = 1;
7f73fb 
     }
7f73fb
7f73fb 
-    if (im->xsize > INT_MAX / im->bands ||
7f73fb 
-        im->ysize > INT_MAX / im->bands) {
7f73fb 
-        err = IMAGING_CODEC_MEMORY;
7f73fb 
-        goto sgi_finish_decode;
7f73fb 
-    }
7f73fb 
-
7f73fb 
     /* Allocate memory for RLE tables and rows */
7f73fb 
     free(state->buffer);
7f73fb 
     state->buffer = NULL;
7f73fb 
     /* malloc overflow check above */
7f73fb 
     state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
7f73fb 
-    c->tablen = im->bands * im->ysize;
7f73fb 
     c->starttab = calloc(c->tablen, sizeof(UINT32));
7f73fb 
     c->lengthtab = calloc(c->tablen, sizeof(UINT32));
7f73fb 
     if (!state->buffer ||
7f73fb 
--
7f73fb 
2.29.2
7f73fb
7f73fb 
From 18aa14484fa63dabcafea63cf0b7bfb4066e979c Mon Sep 17 00:00:00 2001
7f73fb 
From: Eric Soroos <eric-github@soroos.net>
7f73fb 
Date: Fri, 30 Oct 2020 09:57:23 +0000
7f73fb 
Subject: [PATCH 2/2] Make the SGI code return -1 as an error flag, error in
7f73fb 
 state
7f73fb
7f73fb 
---
7f73fb 
 src/libImaging/SgiRleDecode.c | 16 ++++++++++------
7f73fb 
 1 file changed, 10 insertions(+), 6 deletions(-)
7f73fb
7f73fb 
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
7f73fb 
index c256169..2259159 100644
7f73fb 
--- a/src/libImaging/SgiRleDecode.c
7f73fb 
+++ b/src/libImaging/SgiRleDecode.c
7f73fb 
@@ -110,7 +110,8 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
7f73fb 
     /* size check */
7f73fb 
     if (im->xsize > INT_MAX / im->bands ||
7f73fb 
         im->ysize > INT_MAX / im->bands) {
7f73fb 
-        return IMAGING_CODEC_MEMORY;
7f73fb 
+        state->errcode = IMAGING_CODEC_MEMORY;
7f73fb 
+        return -1;
7f73fb 
     }
7f73fb
7f73fb 
     /* Get all data from File descriptor */
7f73fb 
@@ -125,12 +126,14 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
7f73fb 
        Check here before we allocate any memory
7f73fb 
     */
7f73fb 
     if (c->bufsize < 8*c->tablen) {
7f73fb 
-        return IMAGING_CODEC_MEMORY;
7f73fb 
+        state->errcode = IMAGING_CODEC_OVERRUN;
7f73fb 
+        return -1;
7f73fb 
     }
7f73fb
7f73fb 
     ptr = malloc(sizeof(UINT8) * c->bufsize);
7f73fb 
     if (!ptr) {
7f73fb 
-        return IMAGING_CODEC_MEMORY;
7f73fb 
+        state->errcode = IMAGING_CODEC_MEMORY;
7f73fb 
+        return -1;
7f73fb 
     }
7f73fb 
     _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
7f73fb 
     _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
7f73fb 
@@ -178,7 +181,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
7f73fb
7f73fb 
             if (c->rleoffset + c->rlelength > c->bufsize) {
7f73fb 
                 state->errcode = IMAGING_CODEC_OVERRUN;
7f73fb 
-                return -1;
7f73fb 
+                goto sgi_finish_decode;
7f73fb 
             }
7f73fb
7f73fb 
             /* row decompression */
7f73fb 
@@ -190,7 +193,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
7f73fb 
             }
7f73fb 
             if (status == -1) {
7f73fb 
                 state->errcode = IMAGING_CODEC_OVERRUN;
7f73fb 
-                return -1;
7f73fb 
+                goto sgi_finish_decode;
7f73fb 
             } else if (status == 1) {
7f73fb 
                 goto sgi_finish_decode;
7f73fb 
             }
7f73fb 
@@ -211,7 +214,8 @@ sgi_finish_decode: ;
7f73fb 
     free(c->lengthtab);
7f73fb 
     free(ptr);
7f73fb 
     if (err != 0){
7f73fb 
-        return err;
7f73fb 
+        state->errcode=err;
7f73fb 
+        return -1;
7f73fb 
     }
7f73fb 
     return state->count - c->bufsize;
7f73fb 
 }
7f73fb 
--
7f73fb 
2.29.2
7f73fb

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation