diff --git a/backport-CVE-2020-35655.patch b/backport-CVE-2020-35655.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6418eb2ee63763962a363618c409ee84b3da0f6c
--- /dev/null
+++ b/backport-CVE-2020-35655.patch
@@ -0,0 +1,85 @@
+diff -rupN --no-dereference Pillow-7.2.0/src/libImaging/SgiRleDecode.c Pillow-7.2.0-new/src/libImaging/SgiRleDecode.c
+--- Pillow-7.2.0/src/libImaging/SgiRleDecode.c 2020-06-30 09:50:35.000000000 +0200
++++ Pillow-7.2.0-new/src/libImaging/SgiRleDecode.c 2021-01-15 19:51:18.176808192 +0100
+@@ -112,14 +112,33 @@ ImagingSgiRleDecode(Imaging im, ImagingC
+ int err = 0;
+ int status;
+
++ /* size check */
++ if (im->xsize > INT_MAX / im->bands ||
++ im->ysize > INT_MAX / im->bands) {
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
++ }
++
+ /* Get all data from File descriptor */
+ c = (SGISTATE*)state->context;
+ _imaging_seek_pyFd(state->fd, 0L, SEEK_END);
+ c->bufsize = _imaging_tell_pyFd(state->fd);
+ c->bufsize -= SGI_HEADER_SIZE;
++
++ c->tablen = im->bands * im->ysize;
++ /* below, we populate the starttab and lentab into the bufsize,
++ each with 4 bytes per element of tablen
++ Check here before we allocate any memory
++ */
++ if (c->bufsize < 8*c->tablen) {
++ state->errcode = IMAGING_CODEC_OVERRUN;
++ return -1;
++ }
++
+ ptr = malloc(sizeof(UINT8) * c->bufsize);
+ if (!ptr) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
+ }
+ _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
+ _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
+@@ -134,18 +153,11 @@ ImagingSgiRleDecode(Imaging im, ImagingC
+ state->ystep = 1;
+ }
+
+- if (im->xsize > INT_MAX / im->bands ||
+- im->ysize > INT_MAX / im->bands) {
+- err = IMAGING_CODEC_MEMORY;
+- goto sgi_finish_decode;
+- }
+-
+ /* Allocate memory for RLE tables and rows */
+ free(state->buffer);
+ state->buffer = NULL;
+ /* malloc overflow check above */
+ state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
+- c->tablen = im->bands * im->ysize;
+ c->starttab = calloc(c->tablen, sizeof(UINT32));
+ c->lengthtab = calloc(c->tablen, sizeof(UINT32));
+ if (!state->buffer ||
+@@ -176,7 +188,7 @@ ImagingSgiRleDecode(Imaging im, ImagingC
+
+ if (c->rleoffset + c->rlelength > c->bufsize) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+ }
+
+ /* row decompression */
+@@ -188,7 +200,7 @@ ImagingSgiRleDecode(Imaging im, ImagingC
+ }
+ if (status == -1) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+ } else if (status == 1) {
+ goto sgi_finish_decode;
+ }
+@@ -209,7 +221,8 @@ sgi_finish_decode: ;
+ free(c->lengthtab);
+ free(ptr);
+ if (err != 0){
+- return err;
++ state->errcode=err;
++ return -1;
+ }
+ return state->count - c->bufsize;
+ }
diff --git a/python-pillow.spec b/python-pillow.spec
index 20d8810a5dca4f644bacf81981a64486d563262f..64801925583b0802a0ab8155ae81b485df982d3b 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -5,7 +5,7 @@
 Name: python-pillow
 Version: 5.3.0
-Release: 11
+Release: 12
 Summary: Python image processing library
 License: MIT
 URL: http://python-pillow.github.io/
@@ -27,6 +27,7 @@ Patch0017: CVE-2020-5310.patch
 Patch0018: CVE-2020-5312.patch
 Patch0019: CVE-2020-5313.patch
 Patch0020: backport-CVE-2020-35653.patch
+Patch6000: backport-CVE-2020-35655.patch
 BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel
 BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel
@@ -180,6 +181,9 @@ popd
 %doc docs/_build_py3/html
 %changelog
+* Wed Feb 24 2021 jinzhimin - 5.3.0-12
+- fix CVE-2020-35655
+
 * Thu Jan 28 2021 renmingshuai - 5.3.0-11
 - Type:cves
 - ID:CVE-2020-35653
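Review bot: The added guard `if (c->bufsize < 8*c->tablen)` in the first SgiRleDecode.c hunk multiplies before it compares, and the size check above it only bounds `im->bands * im->ysize` by INT_MAX, so the product can wrap if `tablen` is a 32-bit field (SGISTATE is declared outside this patch, so the field types are an assumption). A wrapped product would let an undersized file pass the very check that is meant to keep the start and length tables inside `ptr`. Comparing by division avoids the overflow, for example `if (c->bufsize < 0 || c->tablen > c->bufsize / 8) {`, where the `< 0` arm covers a failed `_imaging_tell_pyFd` or a file shorter than SGI_HEADER_SIZE when `bufsize` is signed. The return value of `_imaging_read_pyFd` is also still ignored, so a short read leaves part of the malloc'd buffer uninitialised while the later bounds checks trust `c->bufsize`. ImagingSgiRleDecode starts and continues outside the hunks shown.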
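Review bot: `Patch6000: backport-CVE-2020-35655.patch` is added to a spec that declares `Version: 5.3.0`, but the patch's own header paths name `Pillow-7.2.0/src/libImaging/SgiRleDecode.c`, so its hunks were generated against a different source tree and may apply only with offset or fuzz. For a fix that relocates a bounds check, the build log should be checked to confirm that all five hunks apply cleanly and land at the intended place in the 5.3.0 file. The %prep section is not visible in this hunk; if it applies patches by number rather than through %autosetup, a matching `%patch6000 -p1` line is needed, otherwise the package ships with the CVE listed in the changelog but not fixed.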