rpms / python-pillow

Clone
Source Code
GIT

Blame SOURCES/CVE-2021-28678.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-beta c7-ppc64le c8 c8-beta c8s c9s-sig-cloud-openstack-bobcat c9s-sig-cloud-openstack-caracal c9s-sig-cloud-openstack-xena c9s-sig-cloud-openstack-zed
  1.   7c055c161d4d6f9bea3362463d413f8c6eef67ae
  2.   SOURCES
  3.   CVE-2021-28678.patch
Blob History Raw
7c055c 
From eaef29c3696cd021147e692360997f4c12377c60 Mon Sep 17 00:00:00 2001
7c055c 
From: Lumir Balhar <lbalhar@redhat.com>
7c055c 
Date: Mon, 14 Jun 2021 09:19:50 +0200
7c055c 
Subject: [PATCH 2/5] CVE-2021-28678
7c055c
7c055c 
---
7c055c 
 src/PIL/BlpImagePlugin.py | 43 +++++++++++++++++++++------------------
7c055c 
 1 file changed, 23 insertions(+), 20 deletions(-)
7c055c
7c055c 
diff --git a/src/PIL/BlpImagePlugin.py b/src/PIL/BlpImagePlugin.py
7c055c 
index d56d46c..846c83d 100644
7c055c 
--- a/src/PIL/BlpImagePlugin.py
7c055c 
+++ b/src/PIL/BlpImagePlugin.py
7c055c 
@@ -294,33 +294,36 @@ class _BLPBaseDecoder(ImageFile.PyDecoder):
7c055c 
             raise IOError("Truncated Blp file")
7c055c 
         return 0, 0
7c055c
7c055c 
+    def _safe_read(self, length):
7c055c 
+        return ImageFile._safe_read(self.fd, length)
7c055c 
+
7c055c 
     def _read_palette(self):
7c055c 
         ret = []
7c055c 
         for i in range(256):
7c055c 
             try:
7c055c 
-                b, g, r, a = struct.unpack("<4B", self.fd.read(4))
7c055c 
+                b, g, r, a = struct.unpack("<4B", self._safe_read(4))
7c055c 
             except struct.error:
7c055c 
                 break
7c055c 
             ret.append((b, g, r, a))
7c055c 
         return ret
7c055c
7c055c 
     def _read_blp_header(self):
7c055c 
-        self._blp_compression, = struct.unpack("
7c055c 
+        self._blp_compression, = struct.unpack("
7c055c
7c055c 
-        self._blp_encoding, = struct.unpack("
7c055c 
-        self._blp_alpha_depth, = struct.unpack("
7c055c 
-        self._blp_alpha_encoding, = struct.unpack("
7c055c 
-        self._blp_mips, = struct.unpack("
7c055c 
+        self._blp_encoding, = struct.unpack("
7c055c 
+        self._blp_alpha_depth, = struct.unpack("
7c055c 
+        self._blp_alpha_encoding, = struct.unpack("
7c055c 
+        self._blp_mips, = struct.unpack("
7c055c
7c055c 
-        self.size = struct.unpack("
7c055c 
+        self.size = struct.unpack("
7c055c
7c055c 
         if self.magic == b"BLP1":
7c055c 
             # Only present for BLP1
7c055c 
-            self._blp_encoding, = struct.unpack("
7c055c 
-            self._blp_subtype, = struct.unpack("
7c055c 
+            self._blp_encoding, = struct.unpack("
7c055c 
+            self._blp_subtype, = struct.unpack("
7c055c
7c055c 
-        self._blp_offsets = struct.unpack("<16I", self.fd.read(16 * 4))
7c055c 
-        self._blp_lengths = struct.unpack("<16I", self.fd.read(16 * 4))
7c055c 
+        self._blp_offsets = struct.unpack("<16I", self._safe_read(16 * 4))
7c055c 
+        self._blp_lengths = struct.unpack("<16I", self._safe_read(16 * 4))
7c055c
7c055c
7c055c 
 class BLP1Decoder(_BLPBaseDecoder):
7c055c 
@@ -333,7 +336,7 @@ class BLP1Decoder(_BLPBaseDecoder):
7c055c 
             if self._blp_encoding in (4, 5):
7c055c 
                 data = bytearray()
7c055c 
                 palette = self._read_palette()
7c055c 
-                _data = BytesIO(self.fd.read(self._blp_lengths[0]))
7c055c 
+                _data = BytesIO(self._safe_read(self._blp_lengths[0]))
7c055c 
                 while True:
7c055c 
                     try:
7c055c 
                         offset, = struct.unpack("
7c055c 
@@ -355,10 +358,10 @@ class BLP1Decoder(_BLPBaseDecoder):
7c055c 
     def _decode_jpeg_stream(self):
7c055c 
         from PIL.JpegImagePlugin import JpegImageFile
7c055c
7c055c 
-        jpeg_header_size, = struct.unpack("
7c055c 
-        jpeg_header = self.fd.read(jpeg_header_size)
7c055c 
-        self.fd.read(self._blp_offsets[0] - self.fd.tell())  # What IS this?
7c055c 
-        data = self.fd.read(self._blp_lengths[0])
7c055c 
+        jpeg_header_size, = struct.unpack("
7c055c 
+        jpeg_header = self._safe_read(jpeg_header_size)
7c055c 
+        self._safe_read(self._blp_offsets[0] - self.fd.tell())  # What IS this?
7c055c 
+        data = self._safe_read(self._blp_lengths[0])
7c055c 
         data = jpeg_header + data
7c055c 
         data = BytesIO(data)
7c055c 
         image = JpegImageFile(data)
7c055c 
@@ -380,7 +383,7 @@ class BLP2Decoder(_BLPBaseDecoder):
7c055c 
             # Uncompressed or DirectX compression
7c055c
7c055c 
             if self._blp_encoding == BLP_ENCODING_UNCOMPRESSED:
7c055c 
-                _data = BytesIO(self.fd.read(self._blp_lengths[0]))
7c055c 
+                _data = BytesIO(self._safe_read(self._blp_lengths[0]))
7c055c 
                 while True:
7c055c 
                     try:
7c055c 
                         offset, = struct.unpack("
7c055c 
@@ -394,7 +397,7 @@ class BLP2Decoder(_BLPBaseDecoder):
7c055c 
                     linesize = (self.size[0] + 3) // 4 * 8
7c055c 
                     for yb in range((self.size[1] + 3) // 4):
7c055c 
                         for d in decode_dxt1(
7c055c 
-                            self.fd.read(linesize),
7c055c 
+                            self._safe_read(linesize),
7c055c 
                             alpha=bool(self._blp_alpha_depth)
7c055c 
                         ):
7c055c 
                             data += d
7c055c 
@@ -402,13 +405,13 @@ class BLP2Decoder(_BLPBaseDecoder):
7c055c 
                 elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT3:
7c055c 
                     linesize = (self.size[0] + 3) // 4 * 16
7c055c 
                     for yb in range((self.size[1] + 3) // 4):
7c055c 
-                        for d in decode_dxt3(self.fd.read(linesize)):
7c055c 
+                        for d in decode_dxt3(self._safe_read(linesize)):
7c055c 
                             data += d
7c055c
7c055c 
                 elif self._blp_alpha_encoding == BLP_ALPHA_ENCODING_DXT5:
7c055c 
                     linesize = (self.size[0] + 3) // 4 * 16
7c055c 
                     for yb in range((self.size[1] + 3) // 4):
7c055c 
-                        for d in decode_dxt5(self.fd.read(linesize)):
7c055c 
+                        for d in decode_dxt5(self._safe_read(linesize)):
7c055c 
                             data += d
7c055c 
                 else:
7c055c 
                     raise BLPFormatError("Unsupported alpha encoding %r" % (
7c055c 
--
7c055c 
2.31.1
7c055c

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation