From 72070eeac1016c6b01fe2b6422338c585b23c9c7 Mon Sep 17 00:00:00 2001 From: wangxiao65 <287608437@qq.com> Date: Thu, 28 Jan 2021 10:14:37 +0800 Subject: [PATCH] fix CVE-2020-35653 CVE-2020-35655 --- CVE-2020-35653.patch | 42 ++++++++++++++++++++++++++ CVE-2020-35655-1.patch | 61 +++++++++++++++++++++++++++++++++++++ CVE-2020-35655-2.patch | 68 ++++++++++++++++++++++++++++++++++++++++++ python-pillow.spec | 8 ++++- 4 files changed, 178 insertions(+), 1 deletion(-) create mode 100644 CVE-2020-35653.patch create mode 100644 CVE-2020-35655-1.patch create mode 100644 CVE-2020-35655-2.patch diff --git a/CVE-2020-35653.patch b/CVE-2020-35653.patch new file mode 100644 index 0000000..7ad7ac7 --- /dev/null +++ b/CVE-2020-35653.patch @@ -0,0 +1,42 @@ +From 2f409261eb1228e166868f8f0b5da5cda52e55bf Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Thu, 17 Dec 2020 00:17:53 +0100 +Subject: [PATCH] Fix for CVE CVE-2020-35653 - Read Overflow in PCX Decoding. + +* Don't trust the image to specify a buffer size +--- + src/PIL/PcxImagePlugin.py | 9 ++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/PIL/PcxImagePlugin.py b/src/PIL/PcxImagePlugin.py +index b337b7dde2..a24d44b427 100644 +--- a/src/PIL/PcxImagePlugin.py ++++ b/src/PIL/PcxImagePlugin.py +@@ -64,13 +64,13 @@ def _open(self): + version = i8(s[1]) + bits = i8(s[3]) + planes = i8(s[65]) +- stride = i16(s, 66) ++ ignored_stride = i16(s, 66) + logger.debug( + "PCX version %s, bits %s, planes %s, stride %s", + version, + bits, + planes, +- stride, ++ ignored_stride, + ) + + self.info["dpi"] = i16(s, 12), i16(s, 14) +@@ -108,6 +108,11 @@ def _open(self): + self.mode = mode + self._size = bbox[2] - bbox[0], bbox[3] - bbox[1] + ++ # don't trust the passed in stride. Calculate for ourselves. ++ # CVE-2020-35653 ++ stride = (self._size[0] * bits + 7) // 8 ++ stride += stride % 2 ++ + bbox = (0, 0) + self.size + logger.debug("size: %sx%s", *self.size) + 
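Review bot: After the rename to `ignored_stride`, the `logger.debug("PCX version %s, bits %s, planes %s, stride %s", ...)` call in the first nested hunk still prints the untrusted header value under the label `stride`, which is now misleading when reading logs for a malformed file. Either change that label to `header stride`, or add `logger.debug("computed stride: %s", stride)` after the `stride += stride % 2` line in the second nested hunk so the value actually used is the one recorded. The tile setup that consumes `stride` lies outside this hunk, so whether any other use of the header value remains cannot be confirmed here.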
diff --git a/CVE-2020-35655-1.patch b/CVE-2020-35655-1.patch new file mode 100644 index 0000000..e28cc1e --- /dev/null +++ b/CVE-2020-35655-1.patch 
@@ -0,0 +1,61 @@ +From 7e95c63fa7f503f185d3d9eb16b9cee1e54d1e46 Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Thu, 29 Oct 2020 23:07:15 +0000 +Subject: [PATCH] Fix for SGI Decode buffer overrun CVE-2020-35655 + +* Independently found by a contributor and sent to Tidelift, and by Google's OSS Fuzz. +--- + src/libImaging/SgiRleDecode.c | 23 ++++++++++++------ + 1 files changed, 17 insertions(+), 6 deletions(-) + +diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c +index a03ecd456e..46a9179234 100644 +--- a/src/libImaging/SgiRleDecode.c ++++ b/src/libImaging/SgiRleDecode.c +@@ -112,11 +112,27 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, + int err = 0; + int status; + ++ /* size check */ ++ if (im->xsize > INT_MAX / im->bands || ++ im->ysize > INT_MAX / im->bands) { ++ return IMAGING_CODEC_MEMORY; ++ } ++ + /* Get all data from File descriptor */ + c = (SGISTATE*)state->context; + _imaging_seek_pyFd(state->fd, 0L, SEEK_END); + c->bufsize = _imaging_tell_pyFd(state->fd); + c->bufsize -= SGI_HEADER_SIZE; ++ ++ c->tablen = im->bands * im->ysize; ++ /* below, we populate the starttab and lentab into the bufsize, ++ each with 4 bytes per element of tablen ++ Check here before we allocate any memory ++ */ ++ if (c->bufsize < 8*c->tablen) { ++ return IMAGING_CODEC_MEMORY; ++ } ++ + ptr = malloc(sizeof(UINT8) * c->bufsize); + if (!ptr) { + return IMAGING_CODEC_MEMORY; +@@ -134,18 +150,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, + state->ystep = 1; + } + +- if (im->xsize > INT_MAX / im->bands || +- im->ysize > INT_MAX / im->bands) { +- err = IMAGING_CODEC_MEMORY; +- goto sgi_finish_decode; +- } +- + /* Allocate memory for RLE tables and rows */ + free(state->buffer); + state->buffer = NULL; + /* malloc overflow check above */ + state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2); +- c->tablen = im->bands * im->ysize; + c->starttab = calloc(c->tablen, sizeof(UINT32)); + c->lengthtab = calloc(c->tablen, 
sizeof(UINT32)); + if (!state->buffer || diff --git a/CVE-2020-35655-2.patch b/CVE-2020-35655-2.patch new file mode 100644 index 0000000..f4a23fe --- /dev/null +++ b/CVE-2020-35655-2.patch 
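Review bot: The new check `if (c->bufsize < 8*c->tablen)` multiplies before comparing; the declarations of `tablen` and `bufsize` are outside the hunk, but if they are `int`, `8*c->tablen` is a signed overflow once `tablen` exceeds INT_MAX/8, and the earlier `INT_MAX / im->bands` guard only bounds `bands * ysize` itself, not eight times it. A cheap overflow-safe form is `if (c->tablen > INT_MAX / 8 || c->bufsize < 8 * c->tablen) {`, or comparing `c->bufsize / 8 < c->tablen`. If `ysize` is bounded by a 16-bit header field, as I believe it is for SGI, this is hardening rather than a reachable bug, so a comment stating that assumption would also suffice. ImagingSgiRleDecode begins before the first nested hunk and continues past the last one.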
@@ -0,0 +1,68 @@ +From 9a2c9f722f78773e608d44710873437baf3f17d1 Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Fri, 30 Oct 2020 09:57:23 +0000 +Subject: [PATCH] Make the SGI code return -1 as an error flag, error in state + +--- + src/libImaging/SgiRleDecode.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c +index 46a9179234..9a8814b50c 100644 +--- a/src/libImaging/SgiRleDecode.c ++++ b/src/libImaging/SgiRleDecode.c +@@ -115,7 +115,8 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, + /* size check */ + if (im->xsize > INT_MAX / im->bands || + im->ysize > INT_MAX / im->bands) { +- return IMAGING_CODEC_MEMORY; ++ state->errcode = IMAGING_CODEC_MEMORY; ++ return -1; + } + + /* Get all data from File descriptor */ +@@ -130,12 +131,14 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, + Check here before we allocate any memory + */ + if (c->bufsize < 8*c->tablen) { +- return IMAGING_CODEC_MEMORY; ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; + } + + ptr = malloc(sizeof(UINT8) * c->bufsize); + if (!ptr) { +- return IMAGING_CODEC_MEMORY; ++ state->errcode = IMAGING_CODEC_MEMORY; ++ return -1; + } + _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET); + _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize); +@@ -185,7 +188,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, + + if (c->rleoffset + c->rlelength > c->bufsize) { + state->errcode = IMAGING_CODEC_OVERRUN; +- return -1; ++ goto sgi_finish_decode; + } + + /* row decompression */ +@@ -197,7 +200,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, + } + if (status == -1) { + state->errcode = IMAGING_CODEC_OVERRUN; +- return -1; ++ goto sgi_finish_decode; + } else if (status == 1) { + goto sgi_finish_decode; + } +@@ -218,7 +221,8 @@ sgi_finish_decode: ; + free(c->lengthtab); + free(ptr); + if (err != 0){ +- return err; ++ state->errcode=err; ++ return -1; + 
} + return state->count - c->bufsize; + } diff --git a/python-pillow.spec b/python-pillow.spec index 86bab79..b7dab20 100644 --- a/python-pillow.spec +++ b/python-pillow.spec @@ -3,11 +3,14 @@ Name: python-pillow Version: 7.2.0 -Release: 1 +Release: 2 Summary: Python image processing library License: MIT URL: http://python-pillow.github.io/ Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz +Patch0000: CVE-2020-35653.patch +Patch0001: CVE-2020-35655-1.patch +Patch0002: CVE-2020-35655-2.patch BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel @@ -93,6 +96,9 @@ popd %doc docs/_build_py3/html %changelog +* Thu Jan 28 2021 wangxiao - 7.2.0-2 +- fix CVE-2020-35653 CVE-2020-35655 + * Mon Aug 10 2020 yanglongkang - 7.2.0-1 - update to 7.2.0 -- Gitee
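Review bot: The two overrun paths changed to `goto sgi_finish_decode` set `state->errcode` but leave `err` at its initial 0, so the tail's `if (err != 0)` is skipped and the function returns `state->count - c->bufsize` instead of the -1 that the other error paths (and the patch subject) promise. Setting the local instead, `err = IMAGING_CODEC_OVERRUN; goto sgi_finish_decode;`, lets the single cleanup tail set `state->errcode` and return -1 uniformly. The caller presumably keys on `state->errcode` rather than the return value, so this looks like an inconsistency rather than a missed error, but it is worth making the contract one thing. ImagingSgiRleDecode starts outside the nested hunks.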
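Review bot: The spec hunk declares `Patch0000`–`Patch0002` but shows no change to the `%prep` section, so whether the three patches are actually applied depends on whether the existing prep uses `%autosetup` (which applies them with the configured strip level) or a bare `%setup` (which does not). If it is the latter, `%prep` needs `%patch0000 -p1`, `%patch0001 -p1` and `%patch0002 -p1`, or a switch to `%autosetup -p1`; the patch files' `a/src/...` paths require `-p1` either way. Confirming in the build log that the three hunks applied would close this.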