From 2977337cfc98fc615db21a8b3af09ef7a7e8b926 Mon Sep 17 00:00:00 2001 From: Markeryang <747675909@qq.com> Date: Thu, 6 Aug 2020 10:33:42 +0800 Subject: [PATCH 1/5] Fix CVE-2020-10177/10378/11538/10994 Fix CVE-2020-10177/10378/11538/10994 --- 0004-CVE-2020-10177-1.patch | 41 ++++++++++++++ 0005-CVE-2020-10177-2.patch | 53 ++++++++++++++++++ 0006-CVE-2020-10177-3.patch | 49 ++++++++++++++++ 0007-CVE-2020-10177-4.patch | 40 +++++++++++++ 0008-CVE-2020-10177-5.patch | 33 +++++++++++ 0009-CVE-2020-10177-6.patch | 71 +++++++++++++++++++++++ 0010-CVE-2020-10177-7.patch | 43 ++++++++++++++ 0011-CVE-2020-10177-8.patch | 21 +++++++ 0012-CVE-2020-10378.patch | 25 +++++++++ 0013-CVE-2020-11538.patch | 53 ++++++++++++++++++ 0014-CVE-2020-10994-1.patch | 109 ++++++++++++++++++++++++++++++++++++ 0015-CVE-2020-10994-2.patch | 22 ++++++++ 12 files changed, 560 insertions(+) create mode 100644 0004-CVE-2020-10177-1.patch create mode 100644 0005-CVE-2020-10177-2.patch create mode 100644 0006-CVE-2020-10177-3.patch create mode 100644 0007-CVE-2020-10177-4.patch create mode 100644 0008-CVE-2020-10177-5.patch create mode 100644 0009-CVE-2020-10177-6.patch create mode 100644 0010-CVE-2020-10177-7.patch create mode 100644 0011-CVE-2020-10177-8.patch create mode 100644 0012-CVE-2020-10378.patch create mode 100644 0013-CVE-2020-11538.patch create mode 100644 0014-CVE-2020-10994-1.patch create mode 100644 0015-CVE-2020-10994-2.patch diff --git a/0004-CVE-2020-10177-1.patch b/0004-CVE-2020-10177-1.patch new file mode 100644 index 0000000..39c52bb --- /dev/null +++ b/0004-CVE-2020-10177-1.patch 
@@ -0,0 +1,41 @@ +From c66d8aa75436f334f686fe32bca8e414bcdd18e6 Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Mon, 2 Mar 2020 22:57:23 +0000 +Subject: [PATCH] Fli issue 1 + +--- + src/libImaging/FliDecode.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c +index 6f48c07d41..484f1ce686 100644 +--- a/src/libImaging/FliDecode.c ++++ b/src/libImaging/FliDecode.c +@@ -165,14 +165,26 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + break; + case 15: + /* FLI BRUN chunk */ ++ /* data = ptr + 6 */ + for (y = 0; y < state->ysize; y++) { + UINT8* out = (UINT8*) im->image[y]; + data += 1; /* ignore packetcount byte */ + for (x = 0; x < state->xsize; x += i) { ++ if (data + 2 > ptr + bytes ) { ++ /* Out of Bounds Read issue, guaranteed to try to read 2 from data */ ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; ++ } + if (data[0] & 0x80) { + i = 256 - data[0]; +- if (x + i > state->xsize) ++ if (x + i > state->xsize) { + break; /* safety first */ ++ } ++ if (data + i + 1 > ptr + bytes ) { ++ /* Out of Bounds Read issue */ ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; ++ } + memcpy(out + x, data + 1, i); + data += i + 1; + } else { diff --git a/0005-CVE-2020-10177-2.patch b/0005-CVE-2020-10177-2.patch new file mode 100644 index 0000000..0d5d885 --- /dev/null +++ b/0005-CVE-2020-10177-2.patch 
@@ -0,0 +1,53 @@ +From f6926a041b4b544fd2ced3752542afb6c8c19405 Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Thu, 5 Mar 2020 09:11:13 +0000 +Subject: [PATCH] Refactor to macro + +--- + src/libImaging/FliDecode.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c +index 484f1ce686..d53b4a7fd1 100644 +--- a/src/libImaging/FliDecode.c ++++ b/src/libImaging/FliDecode.c +@@ -24,7 +24,12 @@ + #define I32(ptr)\ + ((ptr)[0] + ((ptr)[1] << 8) + ((ptr)[2] << 16) + ((ptr)[3] << 24)) + +- ++#define ERR_IF_DATA_OOB(offset) \ ++ if ((data + (offset)) > ptr + bytes) {\ ++ state->errcode = IMAGING_CODEC_OVERRUN; \ ++ return -1; \ ++ } ++ + int + ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) + { +@@ -170,21 +175,15 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + UINT8* out = (UINT8*) im->image[y]; + data += 1; /* ignore packetcount byte */ + for (x = 0; x < state->xsize; x += i) { +- if (data + 2 > ptr + bytes ) { +- /* Out of Bounds Read issue, guaranteed to try to read 2 from data */ +- state->errcode = IMAGING_CODEC_OVERRUN; +- return -1; +- } ++ /* Out of Bounds Read issue, guaranteed to try to read 2 from data */ ++ ERR_IF_DATA_OOB(2) + if (data[0] & 0x80) { + i = 256 - data[0]; + if (x + i > state->xsize) { + break; /* safety first */ + } +- if (data + i + 1 > ptr + bytes ) { +- /* Out of Bounds Read issue */ +- state->errcode = IMAGING_CODEC_OVERRUN; +- return -1; +- } ++ /* Out of Bounds read issue */ ++ ERR_IF_DATA_OOB(i+1) + memcpy(out + x, data + 1, i); + data += i + 1; + } else { diff --git a/0006-CVE-2020-10177-3.patch b/0006-CVE-2020-10177-3.patch new file mode 100644 index 0000000..f76fbb0 --- /dev/null +++ b/0006-CVE-2020-10177-3.patch 
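Review bot: The new `ERR_IF_DATA_OOB` macro evaluates `data + (offset)` before it knows the result lies inside the chunk, and a pointer formed more than one past the end of the buffer is already undefined in C, so the comparison is better expressed against the remaining length, `if ((ptr + bytes) - data < (offset)) {\`; the inline checks that 0004-CVE-2020-10177-1.patch adds and this patch folds into the macro have the same shape. The macro also depends silently on ImagingFliDecode's locals `data`, `ptr`, `bytes` and `state` and expands to a bare `if` rather than a `do { } while (0)`, so a header comment such as `/* needs data/ptr/bytes/state of ImagingFliDecode in scope; statement-like, no trailing semicolon */` would help the next reader place it. The context line in this hunk shows the 5.3.0 signature `int bytes` while the `@@` heading still quotes upstream's `Py_ssize_t`, which suggests the context was hand-edited for the backport; worth confirming it still applies cleanly under `%autosetup -p1`.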
@@ -0,0 +1,49 @@ +From b4e439d6d7fd986cd6b4c7f9ca18830d79dacd44 Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Thu, 5 Mar 2020 09:11:50 +0000 +Subject: [PATCH] Fix OOB Reads in SS2 Chunk + +--- + src/libImaging/FliDecode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c +index d53b4a7fd1..c404361557 100644 +--- a/src/libImaging/FliDecode.c ++++ b/src/libImaging/FliDecode.c +@@ -83,10 +83,12 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + break; /* ignored; handled by Python code */ + case 7: + /* FLI SS2 chunk (word delta) */ ++ /* OOB ok, we've got 10 bytes min on entry */ + lines = I16(data); data += 2; + for (l = y = 0; l < lines && y < state->ysize; l++, y++) { + UINT8* buf = (UINT8*) im->image[y]; + int p, packets; ++ ERR_IF_DATA_OOB(2) + packets = I16(data); data += 2; + while (packets & 0x8000) { + /* flag word */ +@@ -101,11 +103,14 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + /* store last byte (used if line width is odd) */ + buf[state->xsize-1] = (UINT8) packets; + } ++ ERR_IF_DATA_OOB(2) + packets = I16(data); data += 2; + } + for (p = x = 0; p < packets; p++) { ++ ERR_IF_DATA_OOB(2) + x += data[0]; /* pixel skip */ + if (data[1] >= 128) { ++ ERR_IF_DATA_OOB(4) + i = 256-data[1]; /* run */ + if (x + i + i > state->xsize) + break; +@@ -118,6 +123,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + i = 2 * (int) data[1]; /* chunk */ + if (x + i > state->xsize) + break; ++ ERR_IF_DATA_OOB(2+i) + memcpy(buf + x, data + 2, i); + data += 2 + i; + x += i; diff --git a/0007-CVE-2020-10177-4.patch b/0007-CVE-2020-10177-4.patch new file mode 100644 index 0000000..76b3b19 --- /dev/null +++ b/0007-CVE-2020-10177-4.patch 
@@ -0,0 +1,40 @@ +From c88b0204d7c930e3bd72626ae6ea078571cc0ea7 Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Thu, 5 Mar 2020 09:21:35 +0000 +Subject: [PATCH] Fix OOB in LC packet + +--- + src/libImaging/FliDecode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c +index c404361557..2316fa814d 100644 +--- a/src/libImaging/FliDecode.c ++++ b/src/libImaging/FliDecode.c +@@ -140,22 +140,26 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + break; + case 12: + /* FLI LC chunk (byte delta) */ ++ /* OOB Check ok, we have 10 bytes here */ + y = I16(data); ymax = y + I16(data+2); data += 4; + for (; y < ymax && y < state->ysize; y++) { + UINT8* out = (UINT8*) im->image[y]; + int p, packets = *data++; + for (p = x = 0; p < packets; p++, x += i) { ++ ERR_IF_DATA_OOB(2) + x += data[0]; /* skip pixels */ + if (data[1] & 0x80) { + i = 256-data[1]; /* run */ + if (x + i > state->xsize) + break; ++ ERR_IF_DATA_OOB(3) + memset(out + x, data[2], i); + data += 3; + } else { + i = data[1]; /* chunk */ + if (x + i > state->xsize) + break; ++ ERR_IF_DATA_OOB(2+i) + memcpy(out + x, data + 2, i); + data += i + 2; + } diff --git a/0008-CVE-2020-10177-5.patch b/0008-CVE-2020-10177-5.patch new file mode 100644 index 0000000..3a3f5a3 --- /dev/null +++ b/0008-CVE-2020-10177-5.patch 
@@ -0,0 +1,33 @@ +From c5edc361fd6450f805a6a444723b0f68190b1d0c Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Thu, 5 Mar 2020 09:51:32 +0000 +Subject: [PATCH] Fix OOB Advance Values + +--- + src/libImaging/FliDecode.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c +index 2316fa814d..ca9e00327f 100644 +--- a/src/libImaging/FliDecode.c ++++ b/src/libImaging/FliDecode.c +@@ -83,7 +83,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + break; /* ignored; handled by Python code */ + case 7: + /* FLI SS2 chunk (word delta) */ +- /* OOB ok, we've got 10 bytes min on entry */ ++ /* OOB ok, we've got 4 bytes min on entry */ + lines = I16(data); data += 2; + for (l = y = 0; l < lines && y < state->ysize; l++, y++) { + UINT8* buf = (UINT8*) im->image[y]; +@@ -229,6 +229,10 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + return -1; + } + advance = I32(ptr); ++ if (advance < 0 || advance > bytes) { ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; ++ } + ptr += advance; + bytes -= advance; + } diff --git a/0009-CVE-2020-10177-6.patch b/0009-CVE-2020-10177-6.patch new file mode 100644 index 0000000..6617153 --- /dev/null +++ b/0009-CVE-2020-10177-6.patch 
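Review bot: `advance == 0` passes the new `advance < 0 || advance > bytes` test but leaves `ptr` and `bytes` unchanged on the two lines that follow, so if the enclosing loop (outside the hunk) iterates on them the decoder makes no progress on such a chunk; `if (advance == 0) { state->errcode = IMAGING_CODEC_BROKEN; return -1; }` ahead of the range check closes that, assuming a zero-length chunk is never legitimate here. If `advance` is an `int`, the `advance < 0` half also relies on the pre-existing `I32` macro (shown as context in 0005-CVE-2020-10177-2.patch) yielding a negative value for a top byte of 0x80 or more, which it gets from `(ptr)[3] << 24` overflowing a promoted `int`, undefined under the C standard; assembling the value in a UINT32 before assigning it would make the sign test well-defined. ImagingFliDecode's body continues outside the hunk.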
@@ -0,0 +1,71 @@ +From 8d4f3c0c5f2fecf175aeb895e9c2d6d06d85bdc9 Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Thu, 5 Mar 2020 10:01:28 +0000 +Subject: [PATCH] Fix OOB Read in FLI Copy Chunk + +--- + src/libImaging/FliDecode.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c +index ca9e00327f..98bc037681 100644 +--- a/src/libImaging/FliDecode.c ++++ b/src/libImaging/FliDecode.c +@@ -86,7 +86,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + /* OOB ok, we've got 4 bytes min on entry */ + lines = I16(data); data += 2; + for (l = y = 0; l < lines && y < state->ysize; l++, y++) { +- UINT8* buf = (UINT8*) im->image[y]; ++ UINT8* local_buf = (UINT8*) im->image[y]; + int p, packets; + ERR_IF_DATA_OOB(2) + packets = I16(data); data += 2; +@@ -98,10 +98,10 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + state->errcode = IMAGING_CODEC_OVERRUN; + return -1; + } +- buf = (UINT8*) im->image[y]; ++ local_buf = (UINT8*) im->image[y]; + } else { + /* store last byte (used if line width is odd) */ +- buf[state->xsize-1] = (UINT8) packets; ++ local_buf[state->xsize-1] = (UINT8) packets; + } + ERR_IF_DATA_OOB(2) + packets = I16(data); data += 2; +@@ -115,8 +115,8 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + if (x + i + i > state->xsize) + break; + for (j = 0; j < i; j++) { +- buf[x++] = data[2]; +- buf[x++] = data[3]; ++ local_buf[x++] = data[2]; ++ local_buf[x++] = data[3]; + } + data += 2 + 2; + } else { +@@ -124,7 +124,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + if (x + i > state->xsize) + break; + ERR_IF_DATA_OOB(2+i) +- memcpy(buf + x, data + 2, i); ++ memcpy(local_buf + x, data + 2, i); + data += 2 + i; + x += i; + } +@@ -213,9 +213,13 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt 
+ break; + case 16: + /* COPY chunk */ ++ if (state->xsize > bytes/state->ysize) { ++ /* not enough data for frame */ ++ return ptr - buf; /* bytes consumed */ ++ } + for (y = 0; y < state->ysize; y++) { +- UINT8* buf = (UINT8*) im->image[y]; +- memcpy(buf, data, state->xsize); ++ UINT8* local_buf = (UINT8*) im->image[y]; ++ memcpy(local_buf, data, state->xsize); + data += state->xsize; + } + break; diff --git a/0010-CVE-2020-10177-7.patch b/0010-CVE-2020-10177-7.patch new file mode 100644 index 0000000..ec3672f --- /dev/null +++ b/0010-CVE-2020-10177-7.patch 
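Review bot: The COPY-chunk guard `if (state->xsize > bytes/state->ysize)` bounds the frame against `bytes` counted from `ptr`, while the loop below copies from `data`, which, if `data` is set up the same way for every chunk as the BRUN-case comment `/* data = ptr + 6 */` (added by 0004, dropped by 0010) says, starts six bytes after `ptr`; a chunk with exactly `xsize*ysize` bytes left from `ptr` would then still read past the buffer by the header length. Measuring from `data` removes the gap, e.g. `if (state->ysize == 0 || state->xsize > ((ptr + bytes) - data) / state->ysize) {`, where the first term also avoids the division by zero the current line performs for a zero-height image, should one reach the decoder. Returning `ptr - buf` without setting `state->errcode` on a truncated frame reads as deliberate (`/* bytes consumed */`), but a comment stating that a short final frame is treated as consumed rather than as an error would stop the next reader from taking it for a silent failure. Renaming the per-row `buf` to `local_buf` also removes the shadowing of the `buf` parameter visible in the earlier hunks. ImagingFliDecode continues outside the hunk.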
@@ -0,0 +1,43 @@ +From 088ce4df981b70fbec140ee54417bcb49a7dffca Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Thu, 5 Mar 2020 10:46:27 +0000 +Subject: [PATCH] comments + +--- + src/libImaging/FliDecode.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c +index 98bc037681..16ddf3a49f 100644 +--- a/src/libImaging/FliDecode.c ++++ b/src/libImaging/FliDecode.c +@@ -140,7 +140,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + break; + case 12: + /* FLI LC chunk (byte delta) */ +- /* OOB Check ok, we have 10 bytes here */ ++ /* OOB Check ok, we have 4 bytes min here */ + y = I16(data); ymax = y + I16(data+2); data += 4; + for (; y < ymax && y < state->ysize; y++) { + UINT8* out = (UINT8*) im->image[y]; +@@ -180,19 +180,17 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + break; + case 15: + /* FLI BRUN chunk */ +- /* data = ptr + 6 */ ++ /* OOB, ok, we've got 4 bytes min on entry */ + for (y = 0; y < state->ysize; y++) { + UINT8* out = (UINT8*) im->image[y]; + data += 1; /* ignore packetcount byte */ + for (x = 0; x < state->xsize; x += i) { +- /* Out of Bounds Read issue, guaranteed to try to read 2 from data */ + ERR_IF_DATA_OOB(2) + if (data[0] & 0x80) { + i = 256 - data[0]; + if (x + i > state->xsize) { + break; /* safety first */ + } +- /* Out of Bounds read issue */ + ERR_IF_DATA_OOB(i+1) + memcpy(out + x, data + 1, i); + data += i + 1; diff --git a/0011-CVE-2020-10177-8.patch b/0011-CVE-2020-10177-8.patch new file mode 100644 index 0000000..fe6789b --- /dev/null +++ b/0011-CVE-2020-10177-8.patch 
@@ -0,0 +1,21 @@ +From 5b490fc413dfab2d52de46a58905c25d9badb650 Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Tue, 10 Mar 2020 20:17:33 +0000 +Subject: [PATCH] additional FLI check + +--- + src/libImaging/FliDecode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c +index 16ddf3a49f..108e1edf93 100644 +--- a/src/libImaging/FliDecode.c ++++ b/src/libImaging/FliDecode.c +@@ -144,6 +144,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + y = I16(data); ymax = y + I16(data+2); data += 4; + for (; y < ymax && y < state->ysize; y++) { + UINT8* out = (UINT8*) im->image[y]; ++ ERR_IF_DATA_OOB(1) + int p, packets = *data++; + for (p = x = 0; p < packets; p++, x += i) { + ERR_IF_DATA_OOB(2) diff --git a/0012-CVE-2020-10378.patch b/0012-CVE-2020-10378.patch new file mode 100644 index 0000000..35c2461 --- /dev/null +++ b/0012-CVE-2020-10378.patch @@ -0,0 +1,25 @@ +From 6a83e4324738bb0452fbe8074a995b1c73f08de7 Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Mon, 9 Mar 2020 20:22:06 +0000 +Subject: [PATCH] Fix OOB Access on PcxDecode.c + +--- + src/libImaging/PcxDecode.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c +index 9e9504ce5f..e5a38f4bec 100644 +--- a/src/libImaging/PcxDecode.c ++++ b/src/libImaging/PcxDecode.c +@@ -22,10 +22,7 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, Py_ssize_t byt + UINT8 n; + UINT8* ptr; + +- if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) { +- state->errcode = IMAGING_CODEC_OVERRUN; +- return -1; +- } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) { ++ if ((state->xsize * state->bits + 7) / 8 > state->bytes) { + state->errcode = IMAGING_CODEC_OVERRUN; + return -1; + } diff --git a/0013-CVE-2020-11538.patch b/0013-CVE-2020-11538.patch new file mode 100644 index 0000000..427b908 --- /dev/null 
+++ b/0013-CVE-2020-11538.patch @@ -0,0 +1,53 @@ +From 394d6a180a4b63a149a223b13e98a3209f837147 Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Sat, 28 Mar 2020 13:00:46 +0000 +Subject: [PATCH] Track number of pixels, not the number of runs + +--- + src/libImaging/SgiRleDecode.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c +index 1ba56b8c7b..3f9400a5bf 100644 +--- a/src/libImaging/SgiRleDecode.c ++++ b/src/libImaging/SgiRleDecode.c +@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf) + static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize) + { + UINT8 pixel, count; ++ int x = 0; + + for (;n > 0; n--) + { +@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize) + count = pixel & RLE_MAX_RUN; + if (!count) + return count; +- if (count > xsize) { ++ if (x + count > xsize) { + return -1; + } ++ x += count; + if (pixel & RLE_COPY_FLAG) { + while(count--) { + *dest = *src++; +@@ -63,6 +65,7 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize) + { + UINT8 pixel, count; + ++ int x = 0; + + for (;n > 0; n--) + { +@@ -73,9 +76,10 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize) + count = pixel & RLE_MAX_RUN; + if (!count) + return count; +- if (count > xsize) { ++ if (x + count > xsize) { + return -1; + } ++ x += count; + if (pixel & RLE_COPY_FLAG) { + while(count--) { + *dest = *src++; diff --git a/0014-CVE-2020-10994-1.patch b/0014-CVE-2020-10994-1.patch new file mode 100644 index 0000000..edb77c1 --- /dev/null +++ b/0014-CVE-2020-10994-1.patch 
@@ -0,0 +1,109 @@ +From cf6da6b79080a8c16984102fdc85f7ce28dca613 Mon Sep 17 00:00:00 2001 +From: Eric Soroos +Date: Mon, 9 Mar 2020 22:09:49 +0000 +Subject: [PATCH] Fix for OOB Read in DecodeJpeg2k + +--- + src/libImaging/Jpeg2KDecode.c | 60 +++++++++++++++++++++++++---------- + 1 file changed, 43 insertions(+), 17 deletions(-) + +diff --git a/src/libImaging/Jpeg2KDecode.c b/src/libImaging/Jpeg2KDecode.c +index f2e437dda2..6cf8b8e9c5 100644 +--- a/src/libImaging/Jpeg2KDecode.c ++++ b/src/libImaging/Jpeg2KDecode.c +@@ -110,6 +110,7 @@ j2ku_gray_l(opj_image_t *in, const JPEG2KTILEINFO *tileinfo, + if (shift < 0) + offset += 1 << (-shift - 1); + ++ /* csiz*h*w + offset = tileinfo.datasize */ + switch (csiz) { + case 1: + for (y = 0; y < h; ++y) { +@@ -557,8 +558,10 @@ j2k_decode_entry(Imaging im, ImagingCodecState state) + opj_dparameters_t params; + OPJ_COLOR_SPACE color_space; + j2k_unpacker_t unpack = NULL; +- size_t buffer_size = 0; +- unsigned n; ++ size_t buffer_size = 0, tile_bytes = 0; ++ unsigned n, tile_height, tile_width; ++ int components; ++ + + stream = opj_stream_create(BUFFER_SIZE, OPJ_TRUE); + +@@ -703,8 +706,44 @@ j2k_decode_entry(Imaging im, ImagingCodecState state) + tile_info.x1 = (tile_info.x1 + correction) >> context->reduce; + tile_info.y1 = (tile_info.y1 + correction) >> context->reduce; + ++ /* Check the tile bounds; if the tile is outside the image area, ++ or if it has a negative width or height (i.e. the coordinates are ++ swapped), bail. 
*/ ++ if (tile_info.x0 >= tile_info.x1 ++ || tile_info.y0 >= tile_info.y1 ++ || tile_info.x0 < image->x0 ++ || tile_info.y0 < image->y0 ++ || tile_info.x1 - image->x0 > im->xsize ++ || tile_info.y1 - image->y0 > im->ysize) { ++ state->errcode = IMAGING_CODEC_BROKEN; ++ state->state = J2K_STATE_FAILED; ++ goto quick_exit; ++ } ++ ++ /* Sometimes the tile_info.datasize we get back from openjpeg ++ is is less than numcomps*w*h, and we overflow in the ++ shuffle stage */ ++ ++ tile_width = tile_info.x1 - tile_info.x0; ++ tile_height = tile_info.y1 - tile_info.y0; ++ components = tile_info.nb_comps == 3 ? 4 : tile_info.nb_comps; ++ if (( tile_width > UINT_MAX / components ) || ++ ( tile_height > UINT_MAX / components ) || ++ ( tile_width > UINT_MAX / (tile_height * components )) || ++ ( tile_height > UINT_MAX / (tile_width * components ))) { ++ state->errcode = IMAGING_CODEC_BROKEN; ++ state->state = J2K_STATE_FAILED; ++ goto quick_exit; ++ } ++ ++ tile_bytes = tile_width * tile_height * components; ++ ++ if (tile_bytes > tile_info.data_size) { ++ tile_info.data_size = tile_bytes; ++ } ++ + if (buffer_size < tile_info.data_size) { +- /* malloc check ok, tile_info.data_size from openjpeg */ ++ /* malloc check ok, overflow and tile size sanity check above */ + UINT8 *new = realloc (state->buffer, tile_info.data_size); + if (!new) { + state->errcode = IMAGING_CODEC_MEMORY; +@@ -715,6 +754,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state) + buffer_size = tile_info.data_size; + } + ++ + if (!opj_decode_tile_data(codec, + tile_info.tile_index, + (OPJ_BYTE *)state->buffer, +@@ -725,20 +765,6 @@ j2k_decode_entry(Imaging im, ImagingCodecState state) + goto quick_exit; + } + +- /* Check the tile bounds; if the tile is outside the image area, +- or if it has a negative width or height (i.e. the coordinates are +- swapped), bail. 
*/ +- if (tile_info.x0 >= tile_info.x1 +- || tile_info.y0 >= tile_info.y1 +- || tile_info.x0 < image->x0 +- || tile_info.y0 < image->y0 +- || tile_info.x1 - image->x0 > im->xsize +- || tile_info.y1 - image->y0 > im->ysize) { +- state->errcode = IMAGING_CODEC_BROKEN; +- state->state = J2K_STATE_FAILED; +- goto quick_exit; +- } +- + unpack(image, &tile_info, state->buffer, im); + } + diff --git a/0015-CVE-2020-10994-2.patch b/0015-CVE-2020-10994-2.patch new file mode 100644 index 0000000..685f84e --- /dev/null +++ b/0015-CVE-2020-10994-2.patch @@ -0,0 +1,22 @@ +From c5e9de15b1b5e082626c68d443098ded36a15fc8 Mon Sep 17 00:00:00 2001 +From: Hugo van Kemenade +Date: Tue, 31 Mar 2020 11:09:32 +0300 +Subject: [PATCH] Fix typo + +--- + src/libImaging/Jpeg2KDecode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libImaging/Jpeg2KDecode.c b/src/libImaging/Jpeg2KDecode.c +index 6cf8b8e9c5..d304511d1a 100644 +--- a/src/libImaging/Jpeg2KDecode.c ++++ b/src/libImaging/Jpeg2KDecode.c +@@ -721,7 +721,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state) + } + + /* Sometimes the tile_info.datasize we get back from openjpeg +- is is less than numcomps*w*h, and we overflow in the ++ is less than numcomps*w*h, and we overflow in the + shuffle stage */ + + tile_width = tile_info.x1 - tile_info.x0; -- Gitee From d792fc3f1ff512aa93d2854ac909106800dbe178 Mon Sep 17 00:00:00 2001 From: Markeryang <747675909@qq.com> Date: Thu, 6 Aug 2020 10:45:24 +0800 Subject: [PATCH 2/5] update python-pillow.spec. --- python-pillow.spec | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/python-pillow.spec b/python-pillow.spec index 02b0009..3989729 100644 --- a/python-pillow.spec +++ b/python-pillow.spec 
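Review bot: `components` is taken from `tile_info.nb_comps` with no check that it is non-zero and the very next line divides `UINT_MAX / components`; if openjpeg can report a tile with zero components (not decidable from the hunk), that is a division by zero on file-controlled data, so a guard such as `if (components <= 0) { state->errcode = IMAGING_CODEC_BROKEN; state->state = J2K_STATE_FAILED; goto quick_exit; }` belongs before the overflow test. Declaring `components` as `unsigned` like `tile_width` and `tile_height` would remove the signed/unsigned mix in those comparisons, and the fourth term `tile_height > UINT_MAX / (tile_width * components)` repeats what the third already bounds. Moving the tile-bounds check ahead of `opj_decode_tile_data` is the right ordering; a one-line comment that the check must precede the decode call (the buffer is sized from these values) would keep a later refactor from moving it back. j2k_decode_entry begins and ends outside the hunk.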
@@ -5,16 +5,28 @@ Name: python-pillow Version: 5.3.0 -Release: 4 +Release: 5 Summary: Python image processing library License: MIT URL: http://python-pillow.github.io/ Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz -Patch0000: 0000-CVE-2019-16865-1.patch -Patch0001: 0001-CVE-2019-16865-2.patch -Patch0002: 0002-CVE-2019-16865-3.patch -Patch0003: 0003-CVE-2019-16865-4.patch +Patch0: 0000-CVE-2019-16865-1.patch +Patch1: 0001-CVE-2019-16865-2.patch +Patch2: 0002-CVE-2019-16865-3.patch +Patch3: 0003-CVE-2019-16865-4.patch +Patch4: 0004-CVE-2020-10177-1.patch +Patch5: 0005-CVE-2020-10177-2.patch +Patch6: 0006-CVE-2020-10177-3.patch +Patch7: 0007-CVE-2020-10177-4.patch +Patch8: 0008-CVE-2020-10177-5.patch +Patch9: 0009-CVE-2020-10177-6.patch +Patch10: 0010-CVE-2020-10177-7.patch +Patch11: 0011-CVE-2020-10177-8.patch +Patch12: 0012-CVE-2020-10378.patch +Patch13: 0013-CVE-2020-11538.patch +Patch14: 0014-CVE-2020-10994-1.patch +Patch15: 0015-CVE-2020-10994-2.patch BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel @@ -168,6 +180,9 @@ popd %doc docs/_build_py3/html %changelog +* Thu Aug 6 2020 yanglongkang - 5.3.0-5 +- fix CVE-2020-10177 CVE-2020-10378 CVE-2020-11538 CVE-2020-10994 + * Wed Mar 11 2020 hy - 5.3.0-4 - fix CVE-2019-16865 * Thu Dec 12 2019 Senlin Xia - 5.3.0-3 -- Gitee From b9599a1c1a46534e2083f08cdc484ec0c251a437 Mon Sep 17 00:00:00 2001 From: Markeryang <747675909@qq.com> Date: Thu, 6 Aug 2020 10:58:19 +0800 Subject: [PATCH 3/5] update python-pillow.spec. --- python-pillow.spec | 68 ---------------------------------------------- 1 file changed, 68 deletions(-) diff --git a/python-pillow.spec b/python-pillow.spec index 3989729..ceba5ce 100644 --- a/python-pillow.spec +++ b/python-pillow.spec 
@@ -30,61 +30,17 @@ Patch15: 0015-CVE-2020-10994-2.patch BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel -BuildRequires: python2-cffi python2-devel python2-numpy python2-olefile python2-setuptools -BuildRequires: python2-sphinx python2-sphinx_rtd_theme python2-tkinter BuildRequires: python3-cffi python3-devel python3-numpy python3-olefile BuildRequires: python3-setuptools python3-sphinx python3-sphinx_rtd_theme python3-tkinter Requires: ghostscript -%global __provides_exclude_from ^%{python2_sitearch}/PIL/.*\\.so$ %global __provides_exclude_from ^%{python3_sitearch}/PIL/.*\\.so$ %description Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging \ Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift. - -%package -n python2-pillow -Summary: Python 2 image processing library -%{?python_provide:%python_provide python2-pillow} -Provides: python-imaging = %{version}-%{release} python2-imaging = %{version}-%{release} -Provides: python2-pillow-tk = %{version}-%{release} python2-pillow-qt = %{version}-%{release} -Provides: python-imaging-tk = %{version}-%{release} python2-imaging-tk = %{version}-%{release} -Provides: python-imaging-qt = %{version}-%{release} python2-imaging-qt = %{version}-%{release} -Requires: python2-olefile python2-tkinter python2-PyQt4 - -Obsoletes: python2-pillow-tk < %{version}-%{release} python2-pillow-qt < %{version}-%{release} -%{?python_provide:%python_provide python2-pillow-tk} -%{?python_provide:%python_provide python2-pillow-qt} - -%description -n python2-pillow -Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging \ -Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift. 
- - -%package -n python2-pillow-devel -Summary: Development files for pillow -Requires: python2-devel libjpeg-devel zlib-devel python2-pillow = %{version}-%{release} -%{?python_provide:%python_provide python2-pillow-devel} -Provides: python-imaging-devel = %{version}-%{release} python2-imaging-devel = %{version}-%{release} - -%description -n python2-pillow-devel -Development files for pillow. - -%package -n python2-pillow-help -Summary: Documentation for pillow -BuildArch: noarch -Requires: python2-pillow = %{version}-%{release} -%{?python_provide:%python_provide python2-pillow-doc} -Provides: python-imaging-doc = %{version}-%{release} python2-imaging-doc = %{version}-%{release} -Provides: python2-pillow-doc = %{version}-%{release} -Obsoletes: python2-pillow-doc < %{version}-%{release} - -%description -n python2-pillow-help -Documentation for pillow. - - %package -n python3-pillow Summary: Python 3 image processing library %{?python_provide:%python_provide python3-pillow} 
@@ -125,30 +81,17 @@ Documentation for pillow. %autosetup -p1 -n Pillow-%{version} %build -%py2_build -PYTHONPATH=$PWD/build/%py2_libbuilddir make -C docs html BUILDDIR=_build_py2 SPHINXBUILD=sphinx-build-%python2_version -find . -name "docs/_build_py2/html/.buildinfo" -exec rm {} \; %py3_build PYTHONPATH=$PWD/build/%py3_libbuilddir make -C docs html BUILDDIR=_build_py3 SPHINXBUILD=sphinx-build-%python3_version find . -name "docs/_build_py3/html/.buildinfo" -exec rm {} \; %install -mkdir -p %{buildroot}/%{py2_incdir}/Imaging -install -m 644 src/libImaging/*.h %{buildroot}/%{py2_incdir}/Imaging -%py2_install mkdir -p %{buildroot}/%{py3_incdir}/Imaging install -m 644 src/libImaging/*.h %{buildroot}/%{py3_incdir}/Imaging %py3_install %check -ln -s $PWD/Images $PWD/build/%py2_libbuilddir/Images -cp -R $PWD/Tests $PWD/build/%py2_libbuilddir/Tests -install $PWD/selftest.py $PWD/build/%py2_libbuilddir/selftest.py -pushd build/%py2_libbuilddir -PYTHONPATH=$PWD %{__python2} selftest.py -popd - ln -s $PWD/Images $PWD/build/%py3_libbuilddir/Images cp -R $PWD/Tests $PWD/build/%py3_libbuilddir/Tests install $PWD/selftest.py $PWD/build/%py3_libbuilddir/selftest.py @@ -156,17 +99,6 @@ pushd build/%py3_libbuilddir PYTHONPATH=$PWD %{__python3} selftest.py popd -%files -n python2-pillow -%doc README.rst CHANGES.rst -%license docs/COPYING -%{python2_sitearch}/* - -%files -n python2-pillow-devel -%{py2_incdir}/Imaging/ - -%files -n python2-pillow-help -%doc docs/_build_py2/html - %files -n python3-pillow %doc README.rst CHANGES.rst %license docs/COPYING -- Gitee From ac6178f60a58e83d85acd02dfc9a9863d4973ee0 Mon Sep 17 00:00:00 2001 From: Markeryang <747675909@qq.com> Date: Thu, 6 Aug 2020 11:09:03 +0800 Subject: [PATCH 4/5] update python-pillow.spec. --- python-pillow.spec | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/python-pillow.spec b/python-pillow.spec index ceba5ce..f950a3b 100644 --- a/python-pillow.spec +++ b/python-pillow.spec 
@@ -23,10 +23,9 @@ Patch8: 0008-CVE-2020-10177-5.patch Patch9: 0009-CVE-2020-10177-6.patch Patch10: 0010-CVE-2020-10177-7.patch Patch11: 0011-CVE-2020-10177-8.patch -Patch12: 0012-CVE-2020-10378.patch -Patch13: 0013-CVE-2020-11538.patch -Patch14: 0014-CVE-2020-10994-1.patch -Patch15: 0015-CVE-2020-10994-2.patch +Patch12: 0012-CVE-2020-11538.patch +Patch13: 0013-CVE-2020-10994-1.patch +Patch14: 0014-CVE-2020-10994-2.patch BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel -- Gitee From 4f75642c16682de22ef235d681d3c0b02d6abd8d Mon Sep 17 00:00:00 2001 From: Markeryang <747675909@qq.com> Date: Thu, 6 Aug 2020 11:10:09 +0800 Subject: [PATCH 5/5] update python-pillow.spec. --- python-pillow.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/python-pillow.spec b/python-pillow.spec index f950a3b..0ad4566 100644 --- a/python-pillow.spec +++ b/python-pillow.spec @@ -23,9 +23,9 @@ Patch8: 0008-CVE-2020-10177-5.patch Patch9: 0009-CVE-2020-10177-6.patch Patch10: 0010-CVE-2020-10177-7.patch Patch11: 0011-CVE-2020-10177-8.patch -Patch12: 0012-CVE-2020-11538.patch -Patch13: 0013-CVE-2020-10994-1.patch -Patch14: 0014-CVE-2020-10994-2.patch +Patch12: 0013-CVE-2020-11538.patch +Patch13: 0014-CVE-2020-10994-1.patch +Patch14: 0015-CVE-2020-10994-2.patch BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel -- Gitee
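Review bot: Dropping `Patch12: 0012-CVE-2020-10378.patch` from the patch list leaves the PcxDecode fix created in the first commit of this series unapplied, while the changelog entry added in commit 2 (`- fix CVE-2020-10177 CVE-2020-10378 CVE-2020-11538 CVE-2020-10994`) still advertises CVE-2020-10378 as fixed; the renumbering in commit 5 to `0013-`/`0014-`/`0015-` confirms the file is never re-added. If the patch does not apply to 5.3.0, the changelog should say so and the orphaned patch file should be removed from the repository; otherwise restore `Patch12: 0012-CVE-2020-10378.patch` and move the three later tags back to Patch13–Patch15 so the spec matches the patch files shipped alongside it. Either way the spec and the changelog should not disagree about which CVEs this release addresses.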