From 1c5294ac1560722d01f09295d4c9903e7c5f672a Mon Sep 17 00:00:00 2001 From: rwx403335 Date: Tue, 22 Feb 2022 09:08:43 +0800 Subject: [PATCH] bugfix on 41495 --- backport-CVE-2021-41495.patch | 182 +++++++++++++--------------------- numpy.spec | 5 +- 2 files changed, 73 insertions(+), 114 deletions(-) diff --git a/backport-CVE-2021-41495.patch b/backport-CVE-2021-41495.patch index a6bb897..9dee45f 100644 --- a/backport-CVE-2021-41495.patch +++ b/backport-CVE-2021-41495.patch @@ -53,44 +53,24 @@ DescrNew does not accept NULL as input. Co-authored-by: Sebastian Berg --- - numpy/core/src/multiarray/_multiarray_tests.c.src | 4 +-- - numpy/core/src/multiarray/arrayobject.c | 3 +++ - numpy/core/src/multiarray/buffer.c | 6 +++++ - numpy/core/src/multiarray/ctors.c | 24 +++++++++++++++++- - numpy/core/src/multiarray/descriptor.c | 30 +++++++++++++++++------ - numpy/core/src/multiarray/dtypemeta.c | 8 ++++++ - numpy/core/src/multiarray/getset.c | 13 ++++++---- - numpy/core/src/multiarray/methods.c | 16 ++++++++++++ - numpy/core/src/multiarray/nditer_constr.c | 11 ++++----- - numpy/core/src/multiarray/scalarapi.c | 3 +++ - numpy/core/src/multiarray/scalartypes.c.src | 10 +++++--- - 11 files changed, 103 insertions(+), 25 deletions(-) -diff --git a/numpy/core/src/multiarray/_multiarray_tests.c.src b/numpy/core/src/multiarray/_multiarray_tests.c.src -index 3693762..fd7c1d0 100644 ---- a/numpy/core/src/multiarray/_multiarray_tests.c.src -+++ b/numpy/core/src/multiarray/_multiarray_tests.c.src -@@ -643,14 +643,12 @@ static PyObject * - fromstring_null_term_c_api(PyObject *dummy, PyObject *byte_obj) - { - char *string; -- PyArray_Descr *descr; - - string = PyBytes_AsString(byte_obj); - if (string == NULL) { - return NULL; - } -- descr = PyArray_DescrNewFromType(NPY_FLOAT64); -- return PyArray_FromString(string, -1, descr, -1, " "); -+ return PyArray_FromString(string, -1, NULL, -1, " "); - } - - +--- + numpy/core/src/multiarray/arrayobject.c | 6 ++++++ + numpy/core/src/multiarray/buffer.c | 6 ++++++ + numpy/core/src/multiarray/ctors.c | 23 +++++++++++++++++++++- + numpy/core/src/multiarray/descriptor.c | 30 ++++++++++++++++++++++------- + numpy/core/src/multiarray/getset.c | 13 ++++++++----- + numpy/core/src/multiarray/methods.c | 16 +++++++++++++++ + numpy/core/src/multiarray/nditer_constr.c | 11 +++++------ + numpy/core/src/multiarray/scalarapi.c | 6 ++++++ + numpy/core/src/multiarray/scalartypes.c.src | 10 +++++++--- + 9 files changed, 99 insertions(+), 22 deletions(-) + diff --git a/numpy/core/src/multiarray/arrayobject.c b/numpy/core/src/multiarray/arrayobject.c -index 3f080d9..4c20fc1 100644 +index d20dd63..e7c1ea2 100644 --- a/numpy/core/src/multiarray/arrayobject.c +++ b/numpy/core/src/multiarray/arrayobject.c -@@ -986,6 +986,9 @@ _strings_richcompare(PyArrayObject *self, PyArrayObject *other, int cmp_op, +@@ -1023,6 +1023,9 @@ _strings_richcompare(PyArrayObject *self, PyArrayObject *other, int cmp_op, if (PyArray_TYPE(self) == NPY_STRING && PyArray_DESCR(other)->type_num == NPY_UNICODE) { PyArray_Descr* unicode = PyArray_DescrNew(PyArray_DESCR(other)); @@ -100,11 +80,21 @@ index 3f080d9..4c20fc1 100644 unicode->elsize = PyArray_DESCR(self)->elsize << 2; new = PyArray_FromAny((PyObject *)self, unicode, 0, 0, 0, NULL); +@@ -1036,6 +1039,9 @@ _strings_richcompare(PyArrayObject *self, PyArrayObject *other, int cmp_op, + ((PyArray_DESCR(other)->type_num == NPY_STRING) || + (PyArray_ISNOTSWAPPED(self) != PyArray_ISNOTSWAPPED(other)))) { + PyArray_Descr* unicode = PyArray_DescrNew(PyArray_DESCR(self)); ++ if(unicode == NULL){ ++ return NULL; ++ } + + if (PyArray_DESCR(other)->type_num == NPY_STRING) { + unicode->elsize = PyArray_DESCR(other)->elsize << 2; diff --git a/numpy/core/src/multiarray/buffer.c b/numpy/core/src/multiarray/buffer.c -index d10122c..d14f87a 100644 +index d8ad802..c633778 100644 --- a/numpy/core/src/multiarray/buffer.c +++ b/numpy/core/src/multiarray/buffer.c -@@ -1048,12 +1048,18 @@ _descriptor_from_pep3118_format_fast(char const *s, PyObject **result) +@@ -1117,12 +1117,18 @@ _descriptor_from_pep3118_format_fast(char *s, PyObject **result) } descr = PyArray_DescrFromType(type_num); @@ -124,20 +114,20 @@ index d10122c..d14f87a 100644 return 1; diff --git a/numpy/core/src/multiarray/ctors.c b/numpy/core/src/multiarray/ctors.c -index 7b7f977..6991bba 100644 +index e72e602..da237e2 100644 --- a/numpy/core/src/multiarray/ctors.c +++ b/numpy/core/src/multiarray/ctors.c -@@ -668,6 +668,9 @@ PyArray_NewFromDescr_int( - PyArrayObject_fields *fa; +@@ -928,6 +928,9 @@ PyArray_NewFromDescr_int(PyTypeObject *subtype, PyArray_Descr *descr, int nd, + int i; npy_intp nbytes; + if (descr == NULL) { + return NULL; + } - if (nd > NPY_MAXDIMS || nd < 0) { - PyErr_Format(PyExc_ValueError, - "number of dimensions must be within [0, %d]", NPY_MAXDIMS); -@@ -1137,6 +1140,9 @@ PyArray_New( + if (descr->subarray) { + PyObject *ret; + npy_intp newdims[2*NPY_MAXDIMS]; +@@ -1314,6 +1317,9 @@ PyArray_New(PyTypeObject *subtype, int nd, npy_intp *dims, int type_num, return NULL; } PyArray_DESCR_REPLACE(descr); @@ -147,7 +137,7 @@ index 7b7f977..6991bba 100644 descr->elsize = itemsize; } new = PyArray_NewFromDescr(subtype, descr, nd, dims, strides, -@@ -1162,6 +1168,9 @@ _dtype_from_buffer_3118(PyObject *memoryview) +@@ -1339,6 +1345,9 @@ _dtype_from_buffer_3118(PyObject *memoryview) * terminate. */ descr = PyArray_DescrNewFromType(NPY_STRING); @@ -157,7 +147,7 @@ index 7b7f977..6991bba 100644 descr->elsize = view->itemsize; } return descr; -@@ -3559,6 +3568,10 @@ PyArray_FromFile(FILE *fp, PyArray_Descr *dtype, npy_intp num, char *sep) +@@ -3631,6 +3640,10 @@ PyArray_FromFile(FILE *fp, PyArray_Descr *dtype, npy_intp num, char *sep) PyArrayObject *ret; size_t nread = 0; @@ -168,7 +158,7 @@ index 7b7f977..6991bba 100644 if (PyDataType_REFCHK(dtype)) { PyErr_SetString(PyExc_ValueError, "Cannot read into object array"); -@@ -3626,6 +3639,9 @@ PyArray_FromBuffer(PyObject *buf, PyArray_Descr *type, +@@ -3693,6 +3706,9 @@ PyArray_FromBuffer(PyObject *buf, PyArray_Descr *type, int itemsize; int writeable = 1; @@ -178,7 +168,7 @@ index 7b7f977..6991bba 100644 if (PyDataType_REFCHK(type)) { PyErr_SetString(PyExc_ValueError, -@@ -3833,14 +3849,20 @@ NPY_NO_EXPORT PyObject * +@@ -3925,11 +3941,16 @@ NPY_NO_EXPORT PyObject * PyArray_FromIter(PyObject *obj, PyArray_Descr *dtype, npy_intp count) { PyObject *value; @@ -196,15 +186,11 @@ index 7b7f977..6991bba 100644 if (iter == NULL) { goto done; } -+ - if (PyDataType_ISUNSIZED(dtype)) { - PyErr_SetString(PyExc_ValueError, - "Must specify length when using variable-size data-type."); diff --git a/numpy/core/src/multiarray/descriptor.c b/numpy/core/src/multiarray/descriptor.c -index 0c53905..a5cb6a9 100644 +index e7a4b6c..6e5bc19 100644 --- a/numpy/core/src/multiarray/descriptor.c +++ b/numpy/core/src/multiarray/descriptor.c -@@ -1381,6 +1381,9 @@ PyArray_DescrNewFromType(int type_num) +@@ -1318,6 +1318,9 @@ PyArray_DescrNewFromType(int type_num) PyArray_Descr *new; old = PyArray_DescrFromType(type_num); @@ -214,16 +200,16 @@ index 0c53905..a5cb6a9 100644 new = PyArray_DescrNew(old); Py_DECREF(old); return new; -@@ -2341,7 +2344,7 @@ arraydescr_new(PyTypeObject *subtype, - } - +@@ -2225,7 +2228,7 @@ arraydescr_new(PyTypeObject *NPY_UNUSED(subtype), + PyObject *args, PyObject *kwds) + { PyObject *odescr, *metadata=NULL; - PyArray_Descr *descr, *conv; + PyArray_Descr *conv; npy_bool align = NPY_FALSE; npy_bool copy = NPY_FALSE; npy_bool copied = NPY_FALSE; -@@ -2363,9 +2366,10 @@ arraydescr_new(PyTypeObject *subtype, +@@ -2251,9 +2254,10 @@ arraydescr_new(PyTypeObject *NPY_UNUSED(subtype), /* Get a new copy of it unless it's already a copy */ if (copy && conv->fields == Py_None) { @@ -237,7 +223,7 @@ index 0c53905..a5cb6a9 100644 copied = NPY_TRUE; } -@@ -2375,10 +2379,11 @@ arraydescr_new(PyTypeObject *subtype, +@@ -2263,10 +2267,11 @@ arraydescr_new(PyTypeObject *NPY_UNUSED(subtype), * underlying dictionary */ if (!copied) { @@ -252,7 +238,7 @@ index 0c53905..a5cb6a9 100644 } if ((conv->metadata != NULL)) { /* -@@ -3047,6 +3052,9 @@ PyArray_DescrNewByteorder(PyArray_Descr *self, char newendian) +@@ -2983,6 +2988,9 @@ PyArray_DescrNewByteorder(PyArray_Descr *self, char newendian) char endian; new = PyArray_DescrNew(self); @@ -262,7 +248,7 @@ index 0c53905..a5cb6a9 100644 endian = new->byteorder; if (endian != NPY_IGNORE) { if (newendian == NPY_SWAP) { -@@ -3073,6 +3081,10 @@ PyArray_DescrNewByteorder(PyArray_Descr *self, char newendian) +@@ -3009,6 +3017,10 @@ PyArray_DescrNewByteorder(PyArray_Descr *self, char newendian) int len, i; newfields = PyDict_New(); @@ -272,8 +258,8 @@ index 0c53905..a5cb6a9 100644 + } /* make new dictionary with replaced PyArray_Descr Objects */ while (PyDict_Next(self->fields, &pos, &key, &value)) { - if (NPY_TITLE_KEY(key, value)) { -@@ -3114,6 +3126,10 @@ PyArray_DescrNewByteorder(PyArray_Descr *self, char newendian) + if NPY_TITLE_KEY(key, value) { +@@ -3045,6 +3057,10 @@ PyArray_DescrNewByteorder(PyArray_Descr *self, char newendian) Py_DECREF(new->subarray->base); new->subarray->base = PyArray_DescrNewByteorder( self->subarray->base, newendian); @@ -284,41 +270,11 @@ index 0c53905..a5cb6a9 100644 } return new; } -diff --git a/numpy/core/src/multiarray/dtypemeta.c b/numpy/core/src/multiarray/dtypemeta.c -index cd489d5..53f38e8 100644 ---- a/numpy/core/src/multiarray/dtypemeta.c -+++ b/numpy/core/src/multiarray/dtypemeta.c -@@ -153,6 +153,9 @@ string_discover_descr_from_pyobject( - "string to large to store inside array."); - } - PyArray_Descr *res = PyArray_DescrNewFromType(cls->type_num); -+ if (res == NULL) { -+ return NULL; -+ } - res->elsize = (int)itemsize; - return res; - } -@@ -171,10 +174,15 @@ void_discover_descr_from_pyobject( - } - if (PyBytes_Check(obj)) { - PyArray_Descr *descr = PyArray_DescrNewFromType(NPY_VOID); -+ if (descr == NULL) { -+ return NULL; -+ } - Py_ssize_t itemsize = PyBytes_Size(obj); - if (itemsize > NPY_MAX_INT) { - PyErr_SetString(PyExc_TypeError, - "byte-like to large to store inside array."); -+ Py_DECREF(descr); -+ return NULL; - } - descr->elsize = (int)itemsize; - return descr; diff --git a/numpy/core/src/multiarray/getset.c b/numpy/core/src/multiarray/getset.c -index a4f972b..d640684 100644 +index c5577c1..1496859 100644 --- a/numpy/core/src/multiarray/getset.c +++ b/numpy/core/src/multiarray/getset.c -@@ -698,15 +698,18 @@ _get_part(PyArrayObject *self, int imag) +@@ -742,15 +742,18 @@ _get_part(PyArrayObject *self, int imag) } type = PyArray_DescrFromType(float_type_num); @@ -343,10 +299,10 @@ index a4f972b..d640684 100644 ret = (PyArrayObject *)PyArray_NewFromDescrAndBase( Py_TYPE(self), diff --git a/numpy/core/src/multiarray/methods.c b/numpy/core/src/multiarray/methods.c -index 33f78df..2edbc23 100644 +index c3040b4..af7f92a 100644 --- a/numpy/core/src/multiarray/methods.c +++ b/numpy/core/src/multiarray/methods.c -@@ -1337,6 +1337,10 @@ array_sort(PyArrayObject *self, +@@ -1259,6 +1259,10 @@ array_sort(PyArrayObject *self, PyObject *args, PyObject *kwds) return NULL; } newd = PyArray_DescrNew(saved); @@ -357,7 +313,7 @@ index 33f78df..2edbc23 100644 Py_DECREF(newd->names); newd->names = new_name; ((PyArrayObject_fields *)self)->descr = newd; -@@ -1462,6 +1466,10 @@ array_argsort(PyArrayObject *self, +@@ -1381,6 +1385,10 @@ array_argsort(PyArrayObject *self, PyObject *args, PyObject *kwds) return NULL; } newd = PyArray_DescrNew(saved); @@ -368,7 +324,7 @@ index 33f78df..2edbc23 100644 Py_DECREF(newd->names); newd->names = new_name; ((PyArrayObject_fields *)self)->descr = newd; -@@ -1519,6 +1527,10 @@ array_argpartition(PyArrayObject *self, +@@ -1436,6 +1444,10 @@ array_argpartition(PyArrayObject *self, PyObject *args, PyObject *kwds) return NULL; } newd = PyArray_DescrNew(saved); @@ -379,7 +335,7 @@ index 33f78df..2edbc23 100644 Py_DECREF(newd->names); newd->names = new_name; ((PyArrayObject_fields *)self)->descr = newd; -@@ -2150,6 +2161,10 @@ array_setstate(PyArrayObject *self, PyObject *args) +@@ -2051,6 +2063,10 @@ array_setstate(PyArrayObject *self, PyObject *args) } else { fa->descr = PyArray_DescrNew(typecode); @@ -391,10 +347,10 @@ index 33f78df..2edbc23 100644 PyArray_DESCR(self)->byteorder = NPY_LITTLE; } diff --git a/numpy/core/src/multiarray/nditer_constr.c b/numpy/core/src/multiarray/nditer_constr.c -index 0b9717a..f82a962 100644 +index 18a2cc8..3462518 100644 --- a/numpy/core/src/multiarray/nditer_constr.c +++ b/numpy/core/src/multiarray/nditer_constr.c -@@ -1128,13 +1128,12 @@ npyiter_prepare_one_operand(PyArrayObject **op, +@@ -1116,13 +1116,12 @@ npyiter_prepare_one_operand(PyArrayObject **op, if (op_flags & NPY_ITER_NBO) { /* Check byte order */ if (!PyArray_ISNBO((*op_dtype)->byteorder)) { @@ -409,16 +365,21 @@ index 0b9717a..f82a962 100644 + PyArray_DescrNewByteorder(*op_dtype, NPY_NATIVE)); + if (*op_dtype == NULL) { + return 0; -+ } ++ } NPY_IT_DBG_PRINT("Iterator: Setting NPY_OP_ITFLAG_CAST " "because of NPY_ITER_NBO\n"); /* Indicate that byte order or alignment needs fixing */ diff --git a/numpy/core/src/multiarray/scalarapi.c b/numpy/core/src/multiarray/scalarapi.c -index 564352f..edbe595 100644 +index bc435d1..44b3a8c 100644 --- a/numpy/core/src/multiarray/scalarapi.c +++ b/numpy/core/src/multiarray/scalarapi.c -@@ -625,6 +625,9 @@ PyArray_DescrFromScalar(PyObject *sc) +@@ -558,8 +558,14 @@ PyArray_DescrFromScalar(PyObject *sc) } + + descr = PyArray_DescrFromTypeObject((PyObject *)Py_TYPE(sc)); ++ if (descr == NULL) { ++ return NULL; ++ } if (PyDataType_ISUNSIZED(descr)) { PyArray_DESCR_REPLACE(descr); + if (descr == NULL) { @@ -426,15 +387,15 @@ index 564352f..edbe595 100644 + } type_num = descr->type_num; if (type_num == NPY_STRING) { - descr->elsize = PyBytes_GET_SIZE(sc); + descr->elsize = PyString_GET_SIZE(sc); diff --git a/numpy/core/src/multiarray/scalartypes.c.src b/numpy/core/src/multiarray/scalartypes.c.src -index 9077618..af98145 100644 +index 52de312..2ff21c9 100644 --- a/numpy/core/src/multiarray/scalartypes.c.src +++ b/numpy/core/src/multiarray/scalartypes.c.src -@@ -3212,12 +3212,16 @@ void_arrtype_new(PyTypeObject *type, PyObject *args, PyObject *kwds) +@@ -3068,12 +3068,16 @@ void_arrtype_new(PyTypeObject *type, PyObject *args, PyObject *NPY_UNUSED(kwds)) } ((PyVoidScalarObject *)ret)->obval = destptr; - Py_SET_SIZE((PyVoidScalarObject *)ret, (int) memu); + Py_SIZE((PyVoidScalarObject *)ret) = (int) memu; - ((PyVoidScalarObject *)ret)->descr = - PyArray_DescrNewFromType(NPY_VOID); - ((PyVoidScalarObject *)ret)->descr->elsize = (int) memu; @@ -454,8 +415,3 @@ index 9077618..af98145 100644 -- 1.8.3.1 ---- a/numpy/core/src/multiarray/arrayobject.c -+++ b/numpy/core/src/multiarray/arrayobject.c --- -1.8.3.1 - diff --git a/numpy.spec b/numpy.spec index 0f0d06d..411ee22 100644 --- a/numpy.spec +++ b/numpy.spec @@ -2,7 +2,7 @@ Name: numpy Version: 1.21.4 -Release: 3 +Release: 4 Epoch: 1 Summary: A fast multidimensional array facility for Python @@ -105,6 +105,9 @@ popd &> /dev/null %changelog +* Tue Feb 22 2022 renhongxun - 1.21.4-4 +- fix bugfix + * Tue Feb 08 2022 renhongxun - 1.21.4-3 - fix CVE-2021-41495 -- Gitee