packages update

liudabo 2021-03-08 16:00:52 +08:00
parent 91219b520e
commit 18b6f63d76
22 changed files with 127 additions and 2952 deletions


@ -1,62 +0,0 @@
From 5d4b5d152f3408352d600ba97980061ea054e8e9 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sun, 29 Sep 2019 14:16:30 +1000
Subject: [PATCH] Corrected negative seeks
Signed-off-by: hanxinke <hanxinke@huawei.com>
---
src/PIL/PsdImagePlugin.py | 6 ++++--
src/libImaging/RawDecode.c | 11 +++++++++--
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/PIL/PsdImagePlugin.py b/src/PIL/PsdImagePlugin.py
index 2d64ecd..e82dda2 100644
--- a/src/PIL/PsdImagePlugin.py
+++ b/src/PIL/PsdImagePlugin.py
@@ -209,9 +209,11 @@ def _layerinfo(file):
# skip over blend flags and extra information
filler = read(12)
name = ""
- size = i32(read(4))
+ size = i32(read(4)) # length of the extra data field
combined = 0
if size:
+ data_end = file.tell() + size
+
length = i32(read(4))
if length:
mask_y = i32(read(4))
@@ -233,7 +235,7 @@ def _layerinfo(file):
name = read(length).decode('latin-1', 'replace')
combined += length + 1
- file.seek(size - combined, 1)
+ file.seek(data_end)
layers.append((name, mode, (x0, y0, x1, y1)))
# get tiles
diff --git a/src/libImaging/RawDecode.c b/src/libImaging/RawDecode.c
index 40c0cb7..d4b7994 100644
--- a/src/libImaging/RawDecode.c
+++ b/src/libImaging/RawDecode.c
@@ -33,8 +33,15 @@ ImagingRawDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
/* get size of image data and padding */
state->bytes = (state->xsize * state->bits + 7) / 8;
- rawstate->skip = (rawstate->stride) ?
- rawstate->stride - state->bytes : 0;
+ if (rawstate->stride) {
+ rawstate->skip = rawstate->stride - state->bytes;
+ if (rawstate->skip < 0) {
+ state->errcode = IMAGING_CODEC_CONFIG;
+ return -1;
+ }
+ } else {
+ rawstate->skip = 0;
+ }
/* check image orientation */
if (state->ystep < 0) {
--
2.19.1


@ -1,38 +0,0 @@
From 88d9a3994bc244f14d0f594755ac896a235017c5 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sun, 29 Sep 2019 14:14:38 +1000
Subject: [PATCH] Added decompression bomb checks
Signed-off-by: hanxinke <hanxinke@huawei.com>
---
src/PIL/GifImagePlugin.py | 1 +
src/PIL/IcoImagePlugin.py | 1 +
2 files changed, 2 insertions(+)
diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py
index 107c015..70eebf9 100644
--- a/src/PIL/GifImagePlugin.py
+++ b/src/PIL/GifImagePlugin.py
@@ -252,6 +252,7 @@ class GifImageFile(ImageFile.ImageFile):
self.dispose = None
elif self.disposal_method == 2:
# replace with background colour
+ Image._decompression_bomb_check(self.size)
self.dispose = Image.core.fill("P", self.size,
self.info["background"])
else:
diff --git a/src/PIL/IcoImagePlugin.py b/src/PIL/IcoImagePlugin.py
index 589ef3c..926838d 100644
--- a/src/PIL/IcoImagePlugin.py
+++ b/src/PIL/IcoImagePlugin.py
@@ -167,6 +167,7 @@ class IcoFile(object):
else:
# XOR + AND mask bmp frame
im = BmpImagePlugin.DibImageFile(self.buf)
+ Image._decompression_bomb_check(im.size)
# change tile dimension to only encompass XOR image
im._size = (im.size[0], int(im.size[1] / 2))
--
2.19.1


@ -1,28 +0,0 @@
From ab569e61066e1ef4490db730ca13180afe18e461 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sun, 29 Sep 2019 14:15:48 +1000
Subject: [PATCH] Raise error if dimension is a string
Signed-off-by: hanxinke <hanxinke@huawei.com>
---
src/PIL/TiffImagePlugin.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
index 5059a13..05f58e5 100644
--- a/src/PIL/TiffImagePlugin.py
+++ b/src/PIL/TiffImagePlugin.py
@@ -1185,8 +1185,8 @@ class TiffImageFile(ImageFile.ImageFile):
print("- YCbCr subsampling:", self.tag.get(530))
# size
- xsize = self.tag_v2.get(IMAGEWIDTH)
- ysize = self.tag_v2.get(IMAGELENGTH)
+ xsize = int(self.tag_v2.get(IMAGEWIDTH))
+ ysize = int(self.tag_v2.get(IMAGELENGTH))
self._size = xsize, ysize
if DEBUG:
--
2.19.1


@ -1,89 +0,0 @@
From 1f90f191cef5f4d18cb229e3717d0b2010e9b434 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Mon, 30 Sep 2019 18:45:43 +1000
Subject: [PATCH] Catch buffer overruns
Signed-off-by: hanxinke <hanxinke@huawei.com>
---
src/libImaging/FliDecode.c | 14 +++++++++++---
src/libImaging/PcxDecode.c | 5 +++++
src/libImaging/SgiRleDecode.c | 5 +++++
3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index 6d22c6c..600528e 100644
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -30,7 +30,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
{
UINT8* ptr;
int framesize;
- int c, chunks;
+ int c, chunks, advance;
int l, lines;
int i, j, x = 0, y, ymax;
@@ -59,10 +59,16 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
chunks = I16(ptr+6);
ptr += 16;
+ bytes -= 16;
/* Process subchunks */
for (c = 0; c < chunks; c++) {
- UINT8 *data = ptr + 6;
+ UINT8* data;
+ if (bytes < 10) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
+ data = ptr + 6;
switch (I16(ptr+4)) {
case 4: case 11:
/* FLI COLOR chunk */
@@ -198,7 +204,9 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
state->errcode = IMAGING_CODEC_UNKNOWN;
return -1;
}
- ptr += I32(ptr);
+ advance = I32(ptr);
+ ptr += advance;
+ bytes -= advance;
}
return -1; /* end of frame */
diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
index e5417f1..51de069 100644
--- a/src/libImaging/PcxDecode.c
+++ b/src/libImaging/PcxDecode.c
@@ -22,6 +22,11 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
UINT8 n;
UINT8* ptr;
+ if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
+
ptr = buf;
for (;;) {
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
index 9d8e563..39e7b3a 100644
--- a/src/libImaging/SgiRleDecode.c
+++ b/src/libImaging/SgiRleDecode.c
@@ -156,6 +156,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize];
c->rleoffset -= SGI_HEADER_SIZE;
+ if (c->rleoffset + c->rlelength > c->bufsize) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
+
/* row decompression */
if (c->bpc ==1) {
if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
--
2.19.1


@ -1,30 +0,0 @@
From 774e53bb132461d8d5ebefec1162e29ec0ebc63d Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Wed, 1 Jan 2020 16:07:03 +1100
Subject: [PATCH] Raise an error for an invalid number of bands in FPX image
https://github.com/python-pillow/Pillow/commit/774e53bb132461d8d5ebefec1162e29ec0ebc63d
---
src/PIL/FpxImagePlugin.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/PIL/FpxImagePlugin.py b/src/PIL/FpxImagePlugin.py
index 9f284fd..5f409c8 100644
--- a/src/PIL/FpxImagePlugin.py
+++ b/src/PIL/FpxImagePlugin.py
@@ -101,7 +101,10 @@ class FpxImageFile(ImageFile.ImageFile):
s = prop[0x2000002 | id]
colors = []
- for i in range(i32(s, 4)):
+ bands = i32(s, 4)
+ if bands > 4:
+ raise IOError("Invalid number of bands")
+ for i in range(bands):
# note: for now, we ignore the "uncalibrated" flag
colors.append(i32(s, 8+i*4) & 0x7fffffff)
--
2.27.0


@ -1,145 +0,0 @@
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index 600528e..2d63bea 100644
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -24,6 +24,11 @@
#define I32(ptr)\
((ptr)[0] + ((ptr)[1] << 8) + ((ptr)[2] << 16) + ((ptr)[3] << 24))
+#define ERR_IF_DATA_OOB(offset) \
+ if ((data + (offset)) > ptr + bytes) {\
+ state->errcode = IMAGING_CODEC_OVERRUN; \
+ return -1; \
+ }
int
ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
@@ -75,10 +80,12 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
break; /* ignored; handled by Python code */
case 7:
/* FLI SS2 chunk (word delta) */
+ /* OOB ok, we've got 4 bytes min on entry */
lines = I16(data); data += 2;
for (l = y = 0; l < lines && y < state->ysize; l++, y++) {
- UINT8* buf = (UINT8*) im->image[y];
+ UINT8* local_buf = (UINT8*) im->image[y];
int p, packets;
+ ERR_IF_DATA_OOB(2)
packets = I16(data); data += 2;
while (packets & 0x8000) {
/* flag word */
@@ -88,29 +95,33 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
}
- buf = (UINT8*) im->image[y];
+ local_buf = (UINT8*) im->image[y];
} else {
/* store last byte (used if line width is odd) */
- buf[state->xsize-1] = (UINT8) packets;
+ local_buf[state->xsize-1] = (UINT8) packets;
}
+ ERR_IF_DATA_OOB(2)
packets = I16(data); data += 2;
}
for (p = x = 0; p < packets; p++) {
+ ERR_IF_DATA_OOB(2)
x += data[0]; /* pixel skip */
if (data[1] >= 128) {
+ ERR_IF_DATA_OOB(4)
i = 256-data[1]; /* run */
if (x + i + i > state->xsize)
break;
for (j = 0; j < i; j++) {
- buf[x++] = data[2];
- buf[x++] = data[3];
+ local_buf[x++] = data[2];
+ local_buf[x++] = data[3];
}
data += 2 + 2;
} else {
i = 2 * (int) data[1]; /* chunk */
if (x + i > state->xsize)
break;
- memcpy(buf + x, data + 2, i);
+ ERR_IF_DATA_OOB(2+i)
+ memcpy(local_buf + x, data + 2, i);
data += 2 + i;
x += i;
}
@@ -126,22 +137,26 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
break;
case 12:
/* FLI LC chunk (byte delta) */
+ /* OOB Check ok, we have 10 bytes here */
y = I16(data); ymax = y + I16(data+2); data += 4;
for (; y < ymax && y < state->ysize; y++) {
UINT8* out = (UINT8*) im->image[y];
int p, packets = *data++;
for (p = x = 0; p < packets; p++, x += i) {
+ ERR_IF_DATA_OOB(2)
x += data[0]; /* skip pixels */
if (data[1] & 0x80) {
i = 256-data[1]; /* run */
if (x + i > state->xsize)
break;
+ ERR_IF_DATA_OOB(3)
memset(out + x, data[2], i);
data += 3;
} else {
i = data[1]; /* chunk */
if (x + i > state->xsize)
break;
+ ERR_IF_DATA_OOB(2+i)
memcpy(out + x, data + 2, i);
data += i + 2;
}
@@ -162,14 +177,20 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
break;
case 15:
/* FLI BRUN chunk */
+ /* data = ptr + 6 */
for (y = 0; y < state->ysize; y++) {
UINT8* out = (UINT8*) im->image[y];
data += 1; /* ignore packetcount byte */
for (x = 0; x < state->xsize; x += i) {
+ /* Out of Bounds Read issue, guaranteed to try to read 2 from data */
+ ERR_IF_DATA_OOB(2)
if (data[0] & 0x80) {
i = 256 - data[0];
- if (x + i > state->xsize)
+ if (x + i > state->xsize){
break; /* safety first */
+ }
+ /* Out of Bounds read issue */
+ ERR_IF_DATA_OOB(i+1)
memcpy(out + x, data + 1, i);
data += i + 1;
} else {
@@ -189,9 +210,13 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
break;
case 16:
/* COPY chunk */
+ if (state->xsize > bytes/state->ysize) {
+ /* not enough data for frame */
+ return ptr - buf; /* bytes consumed */
+ }
for (y = 0; y < state->ysize; y++) {
- UINT8* buf = (UINT8*) im->image[y];
- memcpy(buf, data, state->xsize);
+ UINT8* local_buf = (UINT8*) im->image[y];
+ memcpy(local_buf, data, state->xsize);
data += state->xsize;
}
break;
@@ -205,6 +230,10 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
return -1;
}
advance = I32(ptr);
+ if (advance < 0 || advance > bytes) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
ptr += advance;
bytes -= advance;
}


@ -1,22 +0,0 @@
From 6a83e4324738bb0452fbe8074a995b1c73f08de7 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Mon, 9 Mar 2020 20:22:06 +0000
Subject: [PATCH] Fix OOB Access on PcxDecode.c
---
src/libImaging/PcxDecode.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
index 51de069..bf0eb00 100644
--- a/src/libImaging/PcxDecode.c
+++ b/src/libImaging/PcxDecode.c
@@ -22,7 +22,7 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
UINT8 n;
UINT8* ptr;
- if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
+ if ((state->xsize * state->bits + 7) / 8 > state->bytes) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
}


@ -1,109 +0,0 @@
From cf6da6b79080a8c16984102fdc85f7ce28dca613 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Mon, 9 Mar 2020 22:09:49 +0000
Subject: [PATCH 1/4] Fix for OOB Read in DecodeJpeg2k
---
src/libImaging/Jpeg2KDecode.c | 60 +++++++++++++++++++++++++----------
1 file changed, 43 insertions(+), 17 deletions(-)
diff --git a/src/libImaging/Jpeg2KDecode.c b/src/libImaging/Jpeg2KDecode.c
index 9140e00..8c231c1 100644
--- a/src/libImaging/Jpeg2KDecode.c
+++ b/src/libImaging/Jpeg2KDecode.c
@@ -110,6 +110,7 @@ j2ku_gray_l(opj_image_t *in, const JPEG2KTILEINFO *tileinfo,
if (shift < 0)
offset += 1 << (-shift - 1);
+ /* csiz*h*w + offset = tileinfo.datasize */
switch (csiz) {
case 1:
for (y = 0; y < h; ++y) {
@@ -557,8 +558,10 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
opj_dparameters_t params;
OPJ_COLOR_SPACE color_space;
j2k_unpacker_t unpack = NULL;
- size_t buffer_size = 0;
- unsigned n;
+ size_t buffer_size = 0, tile_bytes = 0;
+ unsigned n, tile_height, tile_width;
+ int components;
+
stream = opj_stream_create(BUFFER_SIZE, OPJ_TRUE);
@@ -703,8 +706,44 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
tile_info.x1 = (tile_info.x1 + correction) >> context->reduce;
tile_info.y1 = (tile_info.y1 + correction) >> context->reduce;
+ /* Check the tile bounds; if the tile is outside the image area,
+ or if it has a negative width or height (i.e. the coordinates are
+ swapped), bail. */
+ if (tile_info.x0 >= tile_info.x1
+ || tile_info.y0 >= tile_info.y1
+ || tile_info.x0 < image->x0
+ || tile_info.y0 < image->y0
+ || tile_info.x1 - image->x0 > im->xsize
+ || tile_info.y1 - image->y0 > im->ysize) {
+ state->errcode = IMAGING_CODEC_BROKEN;
+ state->state = J2K_STATE_FAILED;
+ goto quick_exit;
+ }
+
+ /* Sometimes the tile_info.datasize we get back from openjpeg
+ is less than numcomps*w*h, and we overflow in the
+ shuffle stage */
+
+ tile_width = tile_info.x1 - tile_info.x0;
+ tile_height = tile_info.y1 - tile_info.y0;
+ components = tile_info.nb_comps == 3 ? 4 : tile_info.nb_comps;
+ if (( tile_width > UINT_MAX / components ) ||
+ ( tile_height > UINT_MAX / components ) ||
+ ( tile_width > UINT_MAX / (tile_height * components )) ||
+ ( tile_height > UINT_MAX / (tile_width * components ))) {
+ state->errcode = IMAGING_CODEC_BROKEN;
+ state->state = J2K_STATE_FAILED;
+ goto quick_exit;
+ }
+
+ tile_bytes = tile_width * tile_height * components;
+
+ if (tile_bytes > tile_info.data_size) {
+ tile_info.data_size = tile_bytes;
+ }
+
if (buffer_size < tile_info.data_size) {
- /* malloc check ok, tile_info.data_size from openjpeg */
+ /* malloc check ok, overflow and tile size sanity check above */
UINT8 *new = realloc (state->buffer, tile_info.data_size);
if (!new) {
state->errcode = IMAGING_CODEC_MEMORY;
@@ -715,6 +754,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
buffer_size = tile_info.data_size;
}
+
if (!opj_decode_tile_data(codec,
tile_info.tile_index,
(OPJ_BYTE *)state->buffer,
@@ -725,20 +765,6 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
goto quick_exit;
}
- /* Check the tile bounds; if the tile is outside the image area,
- or if it has a negative width or height (i.e. the coordinates are
- swapped), bail. */
- if (tile_info.x0 >= tile_info.x1
- || tile_info.y0 >= tile_info.y1
- || tile_info.x0 < image->x0
- || tile_info.y0 < image->y0
- || tile_info.x1 - image->x0 > im->xsize
- || tile_info.y1 - image->y0 > im->ysize) {
- state->errcode = IMAGING_CODEC_BROKEN;
- state->state = J2K_STATE_FAILED;
- goto quick_exit;
- }
-
unpack(image, &tile_info, state->buffer, im);
}


@ -1,55 +0,0 @@
From 394d6a180a4b63a149a223b13e98a3209f837147 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Sat, 28 Mar 2020 13:00:46 +0000
Subject: [PATCH 1/4] Track number of pixels, not the number of runs
---
src/libImaging/SgiRleDecode.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
index e9b2c0b..087b7b4 100644
--- a/src/libImaging/SgiRleDecode.c
+++ b/src/libImaging/SgiRleDecode.c
@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf)
static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
{
UINT8 pixel, count;
+ int x = 0;
for (;n > 0; n--)
{
@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
count = pixel & RLE_MAX_RUN;
if (!count)
return count;
- if (count > xsize){
+ if (x + count > xsize){
return -1;
}
+ x += count;
if (pixel & RLE_COPY_FLAG) {
while(count--) {
*dest = *src++;
@@ -62,7 +64,8 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize)
{
UINT8 pixel, count;
-
+
+ int x = 0;
for (;n > 0; n--)
{
@@ -73,9 +76,10 @@ static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize)
count = pixel & RLE_MAX_RUN;
if (!count)
return count;
- if (count > xsize){
+ if (x + count > xsize){
return -1;
}
+ x += count;
if (pixel & RLE_COPY_FLAG) {
while(count--) {
memcpy(dest, src, 2);


@ -1,59 +0,0 @@
From 4e2def2539ec13e53a82e06c4b3daf00454100c4 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Wed, 1 Jan 2020 16:38:37 +1100
Subject: [PATCH] Overflow checks for realloc for tiff decoding
https://github.com/python-pillow/Pillow/commit/4e2def2539ec13e53a82e06c4b3daf00454100c4
---
src/libImaging/TiffDecode.c | 18 +++++++++++-------
1 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
index 9830238..1f505ff 100644
--- a/src/libImaging/TiffDecode.c
+++ b/src/libImaging/TiffDecode.c
@@ -237,20 +237,26 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, int
TIFFSetField(tiff, TIFFTAG_JPEGCOLORMODE, JPEGCOLORMODE_RGB);
if (TIFFIsTiled(tiff)) {
- uint32 x, y, tile_y;
+ uint32 x, y, tile_y, row_byte_size;
uint32 tileWidth, tileLength;
UINT8 *new_data;
- state->bytes = TIFFTileSize(tiff);
+ TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tileWidth);
+ TIFFGetField(tiff, TIFFTAG_TILELENGTH, &tileLength);
+
+ // We could use TIFFTileSize, but for YCbCr data it returns subsampled data size
+ row_byte_size = (tileWidth * state->bits + 7) / 8;
- /* overflow check for malloc */
- if (state->bytes > INT_MAX - 1) {
+ /* overflow check for realloc */
+ if (INT_MAX / row_byte_size < tileLength) {
state->errcode = IMAGING_CODEC_MEMORY;
TIFFClose(tiff);
return -1;
}
- /* realloc to fit whole tile */
+ state->bytes = row_byte_size * tileLength;
+
+ /* malloc check above */
new_data = realloc (state->buffer, state->bytes);
if (!new_data) {
state->errcode = IMAGING_CODEC_MEMORY;
@@ -262,8 +268,6 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, int
TRACE(("TIFFTileSize: %d\n", state->bytes));
- TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tileWidth);
- TIFFGetField(tiff, TIFFTAG_TILELENGTH, &tileLength);
for (y = state->yoff; y < state->ysize; y += tileLength) {
for (x = state->xoff; x < state->xsize; x += tileWidth) {
--
2.27.0


@ -1,82 +0,0 @@
From be44f0d9923485f3ed3a7a9fd479cf8cf69d814a Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Wed, 1 Jan 2020 14:16:45 +1100
Subject: [PATCH] Catch SGI buffer overruns
---
Tests/test_image.py | 2 ++
src/libImaging/SgiRleDecode.c | 23 +++++++++++++++++------
4 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
index 70b0ec5..e9b2c0b 100644
--- a/src/libImaging/SgiRleDecode.c
+++ b/src/libImaging/SgiRleDecode.c
@@ -25,7 +25,7 @@ static void read4B(UINT32* dest, UINT8* buf)
*dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
}
-static int expandrow(UINT8* dest, UINT8* src, int n, int z)
+static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
{
UINT8 pixel, count;
@@ -37,6 +37,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
count = pixel & RLE_MAX_RUN;
if (!count)
return count;
+ if (count > xsize){
+ return -1;
+ }
if (pixel & RLE_COPY_FLAG) {
while(count--) {
*dest = *src++;
@@ -56,7 +59,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
return 0;
}
-static int expandrow2(UINT8* dest, const UINT8* src, int n, int z)
+static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize)
{
UINT8 pixel, count;
@@ -70,6 +73,9 @@ static int expandrow2(UINT8* dest, const UINT8* src, int n, int z)
count = pixel & RLE_MAX_RUN;
if (!count)
return count;
+ if (count > xsize){
+ return -1;
+ }
if (pixel & RLE_COPY_FLAG) {
while(count--) {
memcpy(dest, src, 2);
@@ -96,6 +102,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
UINT8 *ptr;
SGISTATE *c;
int err = 0;
+ int status;
/* Get all data from File descriptor */
c = (SGISTATE*)state->context;
@@ -164,13 +171,17 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
/* row decompression */
if (c->bpc ==1) {
- if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
- goto sgi_finish_decode;
+ status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
}
else {
- if(expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands))
- goto sgi_finish_decode;
+ status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
}
+ if (status == -1) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ } else if (status == 1) {
+ goto sgi_finish_decode;
+ }
state->count += c->rlelength;
}


@ -1,28 +0,0 @@
From 93b22b846e0269ee9594ff71a72bec02d2bea8fd Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Sat, 21 Dec 2019 18:38:22 +1100
Subject: [PATCH] Catch PCX P mode buffer overrun
https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd
---
src/libImaging/PcxDecode.c | 3 +++
1 files changed, 3 insertions(+)
diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
index bf0eb00..ba76d92 100644
--- a/src/libImaging/PcxDecode.c
+++ b/src/libImaging/PcxDecode.c
@@ -25,6 +25,9 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
if ((state->xsize * state->bits + 7) / 8 > state->bytes) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
+ } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
}
ptr = buf;
--
2.27.0


@ -1,38 +0,0 @@
From a09acd0decd8a87ccce939d5ff65dab59e7d365b Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Wed, 1 Jan 2020 14:14:47 +1100
Subject: [PATCH] Catch FLI buffer overrun
https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b
---
src/libImaging/FliDecode.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index 2d63bea..06fa307 100644
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -45,8 +45,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
return 0;
/* We don't decode anything unless we have a full chunk in the
- input buffer (on the other hand, the Python part of the driver
- makes sure this is always the case) */
+ input buffer */
ptr = buf;
@@ -57,6 +56,10 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
/* Make sure this is a frame chunk. The Python driver takes
case of other chunk types. */
+ if (bytes < 8) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
if (I16(ptr+4) != 0xF1FA) {
state->errcode = IMAGING_CODEC_UNKNOWN;
return -1;
--
2.27.0

Binary file not shown.

BIN
Pillow-8.1.1.tar.gz Normal file

Binary file not shown.


@ -1,41 +0,0 @@
From 1eff62205ebe9d42a9417955d2955591be69c9bb Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Thu, 17 Dec 2020 00:17:53 +0100
Subject: [PATCH] Fix for CVE CVE-2020-35655 - Read Overflow in PCX Decoding.
commit 2f409261eb1228e166868f8f0b5da5cda52e55bf upstream
* Don't trust the image to specify a buffer size
Conflict:NA
Reference:https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf
---
src/PIL/PcxImagePlugin.py | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/PIL/PcxImagePlugin.py b/src/PIL/PcxImagePlugin.py
index daa58b3..82aa3bb 100644
--- a/src/PIL/PcxImagePlugin.py
+++ b/src/PIL/PcxImagePlugin.py
@@ -63,9 +63,9 @@ class PcxImageFile(ImageFile.ImageFile):
version = i8(s[1])
bits = i8(s[3])
planes = i8(s[65])
- stride = i16(s, 66)
+ ignored_stride = i16(s, 66)
logger.debug("PCX version %s, bits %s, planes %s, stride %s",
- version, bits, planes, stride)
+ version, bits, planes, ignored_stride)
self.info["dpi"] = i16(s, 12), i16(s, 14)
@@ -102,6 +102,11 @@ class PcxImageFile(ImageFile.ImageFile):
self.mode = mode
self._size = bbox[2]-bbox[0], bbox[3]-bbox[1]
+ # don't trust the passed in stride. Calculate for ourselves.
+ # CVE-2020-35655
+ stride = (self._size[0] * bits + 7) // 8
+ stride += stride % 2
+
bbox = (0, 0) + self.size
logger.debug("size: %sx%s", *self.size)
--
2.23.0


@ -1,93 +0,0 @@
From 7e95c63fa7f503f185d3d9eb16b9cee1e54d1e46 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Thu, 29 Oct 2020 23:07:15 +0000
Subject: [PATCH] Fix for SGI Decode buffer overrun CVE-2020-35655
* Independently found by a contributor and sent to Tidelift, and by Google's OSS Fuzz.
---
diff -rupN --no-dereference Pillow-7.2.0/src/libImaging/SgiRleDecode.c Pillow-7.2.0-new/src/libImaging/SgiRleDecode.c
--- Pillow-7.2.0/src/libImaging/SgiRleDecode.c 2020-06-30 09:50:35.000000000 +0200
+++ Pillow-7.2.0-new/src/libImaging/SgiRleDecode.c 2021-01-15 19:51:18.176808192 +0100
@@ -112,14 +112,33 @@ ImagingSgiRleDecode(Imaging im, ImagingC
int err = 0;
int status;
+ /* size check */
+ if (im->xsize > INT_MAX / im->bands ||
+ im->ysize > INT_MAX / im->bands) {
+ state->errcode = IMAGING_CODEC_MEMORY;
+ return -1;
+ }
+
/* Get all data from File descriptor */
c = (SGISTATE*)state->context;
_imaging_seek_pyFd(state->fd, 0L, SEEK_END);
c->bufsize = _imaging_tell_pyFd(state->fd);
c->bufsize -= SGI_HEADER_SIZE;
+
+ c->tablen = im->bands * im->ysize;
+ /* below, we populate the starttab and lentab into the bufsize,
+ each with 4 bytes per element of tablen
+ Check here before we allocate any memory
+ */
+ if (c->bufsize < 8*c->tablen) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
+
ptr = malloc(sizeof(UINT8) * c->bufsize);
if (!ptr) {
- return IMAGING_CODEC_MEMORY;
+ state->errcode = IMAGING_CODEC_MEMORY;
+ return -1;
}
_imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
_imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
@@ -134,18 +153,11 @@ ImagingSgiRleDecode(Imaging im, ImagingC
state->ystep = 1;
}
- if (im->xsize > INT_MAX / im->bands ||
- im->ysize > INT_MAX / im->bands) {
- err = IMAGING_CODEC_MEMORY;
- goto sgi_finish_decode;
- }
-
/* Allocate memory for RLE tables and rows */
free(state->buffer);
state->buffer = NULL;
/* malloc overflow check above */
state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
- c->tablen = im->bands * im->ysize;
c->starttab = calloc(c->tablen, sizeof(UINT32));
c->lengthtab = calloc(c->tablen, sizeof(UINT32));
if (!state->buffer ||
@@ -176,7 +188,7 @@ ImagingSgiRleDecode(Imaging im, ImagingC
if (c->rleoffset + c->rlelength > c->bufsize) {
state->errcode = IMAGING_CODEC_OVERRUN;
- return -1;
+ goto sgi_finish_decode;
}
/* row decompression */
@@ -188,7 +200,7 @@ ImagingSgiRleDecode(Imaging im, ImagingC
}
if (status == -1) {
state->errcode = IMAGING_CODEC_OVERRUN;
- return -1;
+ goto sgi_finish_decode;
} else if (status == 1) {
goto sgi_finish_decode;
}
@@ -209,7 +221,8 @@ sgi_finish_decode: ;
free(c->lengthtab);
free(ptr);
if (err != 0){
- return err;
+ state->errcode=err;
+ return -1;
}
return state->count - c->bufsize;
}

File diff suppressed because it is too large Load Diff


@ -1,221 +1,148 @@
%global py2_incdir %(python2 -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_inc())')
%global py3_incdir %(python3 -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_inc())')
%global py2_libbuilddir %(python2 -c 'import sys; import sysconfig; print("lib.{p}-{v[0]}.{v[1]}".format(p=sysconfig.get_platform(), v=sys.version_info))')
%global py3_libbuilddir %(python3 -c 'import sys; import sysconfig; print("lib.{p}-{v[0]}.{v[1]}".format(p=sysconfig.get_platform(), v=sys.version_info))')
%global with_docs 0
Name: python-pillow
Version: 8.1.1
Release: 1
Summary: Python image processing library
License: MIT
URL: http://python-pillow.github.io/
Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
Name: python-pillow
Version: 5.3.0
Release: 12
Summary: Python image processing library
License: MIT
URL: http://python-pillow.github.io/
Source0: https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
Patch0000: 0000-CVE-2019-16865-1.patch
Patch0001: 0001-CVE-2019-16865-2.patch
Patch0002: 0002-CVE-2019-16865-3.patch
Patch0003: 0003-CVE-2019-16865-4.patch
Patch0004: CVE-2020-10378.patch
Patch0005: CVE-2020-10177.patch
Patch0006: CVE-2020-10994.patch
Patch0010: replace_copy_operations_with_memcpy.patch
Patch0011: pre-CVE-2020-11538-1.patch
Patch0014: CVE-2020-5311.patch
Patch0015: CVE-2020-11538.patch
Patch0016: CVE-2019-19911.patch
Patch0017: CVE-2020-5310.patch
Patch0018: CVE-2020-5312.patch
Patch0019: CVE-2020-5313.patch
Patch0020: backport-CVE-2020-35653.patch
Patch0021: backport-CVE-2020-35655.patch
BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel
BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel
BuildRequires: python2-cffi python2-devel python2-numpy python2-olefile python2-setuptools
BuildRequires: python2-sphinx python2-sphinx_rtd_theme python2-tkinter
BuildRequires: python3-cffi python3-devel python3-numpy python3-olefile
BuildRequires: python3-setuptools python3-sphinx python3-sphinx_rtd_theme python3-tkinter
Requires: ghostscript
%global __provides_exclude_from ^%{python2_sitearch}/PIL/.*\\.so$
Patch0: python-pillow_spinxwarn.patch
Patch1: python-pillow_sphinx-issues.patch
BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libraqm-devel libtiff-devel
BuildRequires: libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
BuildRequires: python3-qt5 python3-setuptools python3-tkinter
%if 0%{?with_docs}
BuildRequires: make
BuildRequires: python3-sphinx
BuildRequires: python3-sphinx_rtd_theme
BuildRequires: python3-sphinx-removed-in
%endif
Requires: ghostscript
%global __provides_exclude_from ^%{python3_sitearch}/PIL/.*\\.so$
%description
Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging \
Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.
%package -n python2-pillow
Summary: Python 2 image processing library
%{?python_provide:%python_provide python2-pillow}
Provides: python-imaging = %{version}-%{release} python2-imaging = %{version}-%{release}
Provides: python2-pillow-tk = %{version}-%{release} python2-pillow-qt = %{version}-%{release}
Provides: python-imaging-tk = %{version}-%{release} python2-imaging-tk = %{version}-%{release}
Provides: python-imaging-qt = %{version}-%{release} python2-imaging-qt = %{version}-%{release}
Requires: python2-olefile python2-tkinter python2-PyQt4
Obsoletes: python2-pillow-tk < %{version}-%{release} python2-pillow-qt < %{version}-%{release}
%{?python_provide:%python_provide python2-pillow-tk}
%{?python_provide:%python_provide python2-pillow-qt}
%description -n python2-pillow
Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging \
Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.
%package -n python2-pillow-devel
Summary: Development files for pillow
Requires: python2-devel libjpeg-devel zlib-devel python2-pillow = %{version}-%{release}
%{?python_provide:%python_provide python2-pillow-devel}
Provides: python-imaging-devel = %{version}-%{release} python2-imaging-devel = %{version}-%{release}
%description -n python2-pillow-devel
Development files for pillow.
%package -n python2-pillow-help
Summary: Documentation for pillow
BuildArch: noarch
Requires: python2-pillow = %{version}-%{release}
%{?python_provide:%python_provide python2-pillow-doc}
Provides: python-imaging-doc = %{version}-%{release} python2-imaging-doc = %{version}-%{release}
Provides: python2-pillow-doc = %{version}-%{release}
Obsoletes: python2-pillow-doc < %{version}-%{release}
%description -n python2-pillow-help
Documentation for pillow.
%package -n python3-pillow
Summary: Python 3 image processing library
%package -n python3-pillow
Summary: Python 3 image processing library
%{?python_provide:%python_provide python3-pillow}
Provides: python3-imaging = %{version}-%{release}
Provides: python3-pillow-tk = %{version}-%{release} python3-imaging-tk = %{version}-%{release}
Provides: python3-pillow-qt = %{version}-%{release} python3-imaging-qt = %{version}-%{release}
Requires: python3-olefile python3-tkinter python3-PyQt4
Obsoletes: python3-pillow-tk < %{version}-%{release} python3-pillow-qt < %{version}-%{release}
%{?python_provide:%python_provide python3-pillow-tk}
%{?python_provide:%python_provide python3-pillow-qt}
Provides: python3-imaging = %{version}-%{release}
%description -n python3-pillow
Requires: python3-olefile
%description -n python3-pillow
Pillow is the friendly PIL fork by Alex Clark and Contributors. PIL is the Python Imaging \
Library by Fredrik Lundh and Contributors. As of 2019, Pillow development is supported by Tidelift.
%package -n python3-pillow-devel
Summary: Development files for pillow
Requires: python3-devel libjpeg-devel zlib-devel python3-pillow = %{version}-%{release}
%package -n python3-pillow-devel
Summary: Development files for pillow
Requires: python3-devel libjpeg-devel zlib-devel python3-pillow = %{version}-%{release}
%{?python_provide:%python_provide python3-pillow-devel}
Provides: python3-imaging-devel = %{version}-%{release}
%description -n python3-pillow-devel
Provides: python3-imaging-devel = %{version}-%{release}
%description -n python3-pillow-devel
Development files for pillow.
%package -n python3-pillow-help
Summary: Documentation for pillow
BuildArch: noarch
Requires: python3-pillow = %{version}-%{release}
%package -n python3-pillow-help
Summary: Documentation for pillow
BuildArch: noarch
Requires: python3-pillow = %{version}-%{release}
%{?python_provide:%python_provide python3-pillow-doc}
Provides: python3-imaging-doc = %{version}-%{release} python3-pillow-doc = %{version}-%{release}
Provides: python3-imaging-doc = %{version}-%{release} python3-pillow-doc = %{version}-%{release}
Obsoletes: python3-pillow-doc < %{version}-%{release}
%description -n python3-pillow-help
Documentation for pillow.
%package -n python3-pillow-tk
Summary: Tk interface for pillow
Requires: python3-tkinter
Requires: python3-pillow = %{version}-%{release}
%{?python_provide:%python_provide python3-pillow-tk}
Provides: python3-imaging-tk = %{version}-%{release}
%description -n python3-pillow-tk
Tk interface for %{name}.
%package -n python3-pillow-qt
Summary: Qt pillow image wrapper
Requires: python3-qt5
Requires: python3-pillow = %{version}-%{release}
%{?python_provide:%python_provide python3-pillow-qt}
Provides: python3-imaging-qt = %{version}-%{release}
%description -n python3-pillow-qt
Qt pillow image wrapper.
%prep
%autosetup -p1 -n Pillow-%{version}
%autosetup -p1 -n Pillow-%{version}
%build
%py2_build
PYTHONPATH=$PWD/build/%py2_libbuilddir make -C docs html BUILDDIR=_build_py2 SPHINXBUILD=sphinx-build-%python2_version
find . -name "docs/_build_py2/html/.buildinfo" -exec rm {} \;
%py3_build
%if 0%{?with_docs}
PYTHONPATH=$PWD/build/%py3_libbuilddir make -C docs html BUILDDIR=_build_py3 SPHINXBUILD=sphinx-build-%python3_version
find . -name "docs/_build_py3/html/.buildinfo" -exec rm {} \;
rm -f docs/_build_py3/html/.buildinfo
%endif
%install
mkdir -p %{buildroot}/%{py2_incdir}/Imaging
install -m 644 src/libImaging/*.h %{buildroot}/%{py2_incdir}/Imaging
%py2_install
mkdir -p %{buildroot}/%{py3_incdir}/Imaging
install -m 644 src/libImaging/*.h %{buildroot}/%{py3_incdir}/Imaging
%py3_install
%check
ln -s $PWD/Images $PWD/build/%py2_libbuilddir/Images
cp -R $PWD/Tests $PWD/build/%py2_libbuilddir/Tests
install $PWD/selftest.py $PWD/build/%py2_libbuilddir/selftest.py
pushd build/%py2_libbuilddir
PYTHONPATH=$PWD %{__python2} selftest.py
popd
ln -s $PWD/Images $PWD/build/%py3_libbuilddir/Images
cp -R $PWD/Tests $PWD/build/%py3_libbuilddir/Tests
install $PWD/selftest.py $PWD/build/%py3_libbuilddir/selftest.py
pushd build/%py3_libbuilddir
PYTHONPATH=$PWD %{__python3} selftest.py
popd
%files -n python2-pillow
%doc README.rst CHANGES.rst
%license docs/COPYING
%{python2_sitearch}/*
%files -n python2-pillow-devel
%{py2_incdir}/Imaging/
%files -n python2-pillow-help
%doc docs/_build_py2/html
%files -n python3-pillow
%doc README.rst CHANGES.rst
%doc README.md CHANGES.rst
%license docs/COPYING
%{python3_sitearch}/*
%{python3_sitearch}/PIL/
%{python3_sitearch}/Pillow-%{version}-py%{python3_version}.egg-info
%exclude %{python3_sitearch}/PIL/_imagingtk*
%exclude %{python3_sitearch}/PIL/ImageTk*
%exclude %{python3_sitearch}/PIL/SpiderImagePlugin*
%exclude %{python3_sitearch}/PIL/ImageQt*
%exclude %{python3_sitearch}/PIL/__pycache__/ImageTk*
%exclude %{python3_sitearch}/PIL/__pycache__/SpiderImagePlugin*
%exclude %{python3_sitearch}/PIL/__pycache__/ImageQt*
%files -n python3-pillow-devel
%{py3_incdir}/Imaging/
%files -n python3-pillow-help
%if 0%{?with_docs}
%doc docs/_build_py3/html
%endif
%files -n python3-pillow-tk
%{python3_sitearch}/PIL/_imagingtk*
%{python3_sitearch}/PIL/ImageTk*
%{python3_sitearch}/PIL/SpiderImagePlugin*
%{python3_sitearch}/PIL/__pycache__/ImageTk*
%{python3_sitearch}/PIL/__pycache__/SpiderImagePlugin*
%files -n python3-pillow-qt
%{python3_sitearch}/PIL/ImageQt*
%{python3_sitearch}/PIL/__pycache__/ImageQt*
%changelog
* Wed Feb 24 2021 zhujunhao<zhujunhao8@huawei.com> - 5.3.0-12
- Type:cves
- ID:CVE-2020-35655
- SUG:NA
- DESC:fix CVE-2020-35655
* Thu Jan 28 2021 renmingshuai<renmingshuai@huawei.com> - 5.3.0-11
- Type:cves
- ID:CVE-2020-35653
- SUG:NA
- DESC:fix CVE-2020-35653
* Thu Nov 26 2020 shixuantong<shixuantong@huawei.com> - 5.3.0-10
- Type:cves
- ID:CVE-2020-5310 CVE-2020-5312 CVE-2020-5313
- SUG:NA
- DESC:fix CVE-2020-5310 CVE-2020-5312 CVE-2020-5313
* Wed Nov 25 2020 shixuantong<shixuantong@huawei.com> - 5.3.0-7
- Type:cves
- ID:CVE-2019-19911 CVE-2020-5311
- SUG:NA
- DESC:fix CVE-2019-19911 and change patch name for CVE-2020-5311
* Wed Nov 25 2020 shixuantong<shixuantong@huawei.com> - 5.3.0-6
- Type:cves
- ID:CVE-2020-11538 CVE-2020-10378 CVE-2020-10177 CVE-2020-10994
- SUG:NA
- DESC:fix CVE-2020-11538 CVE-2020-10378 CVE-2020-10177 CVE-2020-10994
* Fri Aug 21 2020 shixuantong <shixuantong@huawei.com> - 5.3.0-5
- add release version for rebuild
* Wed Mar 11 2020 hy <hu.huyan@huawei.com> - 5.3.0-4
- fix CVE-2019-16865
* Thu Dec 12 2019 Senlin Xia <xiasenlin1@huawei.com> - 5.3.0-3
- Package init
* Mon Mar 08 2021 wangye <wangye70@huawei.com> - 8.1.1-1
- Update to 8.1.1
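Review bot: The `%changelog` at the end of this spec appears to be cut down to the single `Update to 8.1.1` entry, which would drop the record of the CVE backports (CVE-2019-16865 through CVE-2020-35655) that `rpm -q --changelog` gives to anyone auditing the package. The rendered page does not mark which lines are removed, so this is inferred from the new file length of 148 lines. I would keep the earlier entries and place the new one first, `* Mon Mar 08 2021 wangye <wangye70@huawei.com> - 8.1.1-1`, since rpm expects entries newest-first. The same section also drops the `Patch0000` to `Patch0021` backports, so a comment above `Source0` such as `# CVE backports for 5.3.0 dropped: verified as included upstream in 8.1.1` would record that each fix was checked against the new tarball.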


@ -0,0 +1,11 @@
diff -rupN --no-dereference Pillow-8.1.1/docs/conf.py Pillow-8.1.1-new/docs/conf.py
--- Pillow-8.1.1/docs/conf.py 2021-03-01 09:24:03.000000000 +0100
+++ Pillow-8.1.1-new/docs/conf.py 2021-03-02 15:10:49.599033773 +0100
@@ -32,7 +32,6 @@ extensions = [
"sphinx.ext.autodoc",
"sphinx.ext.intersphinx",
"sphinx.ext.viewcode",
- "sphinx_issues",
"sphinx_removed_in",
]


@ -0,0 +1,12 @@
diff -rupN --no-dereference Pillow-8.1.1/docs/Makefile Pillow-8.1.1-new/docs/Makefile
--- Pillow-8.1.1/docs/Makefile 2021-03-01 09:24:03.000000000 +0100
+++ Pillow-8.1.1-new/docs/Makefile 2021-03-02 15:10:49.514033779 +0100
@@ -42,7 +42,7 @@ clean:
-rm -rf $(BUILDDIR)/*
html:
- $(SPHINXBUILD) -b html -W --keep-going $(ALLSPHINXOPTS) $(BUILDDIR)/html
+ $(SPHINXBUILD) -b html --keep-going $(ALLSPHINXOPTS) $(BUILDDIR)/html
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."


@ -1,257 +0,0 @@
From 220bfee19a98a0d5b3fe5a52b51df16dd459c397 Mon Sep 17 00:00:00 2001
From: Rolf Eike Beer <eike@sf-mail.de>
Date: Fri, 29 Jun 2018 22:33:08 +0200
Subject: [PATCH] replace copy operations with memcpy()
https://github.com/python-pillow/Pillow/commit/220bfee19a98a0d5b3fe5a52b51df16dd459c397
This replaces trivial instances where a copy from one pointer to the other
involves no further calculations or casts. The compiler will optimize this to
whatever the platform offers.
---
src/libImaging/Access.c | 35 +++++++++++++----------------------
src/libImaging/Draw.c | 3 +--
src/libImaging/Filter.c | 5 ++---
src/libImaging/Geometry.c | 2 +-
src/libImaging/GetBBox.c | 4 ++--
src/libImaging/Histo.c | 4 ++--
src/libImaging/Unpack.c | 4 ++--
7 files changed, 23 insertions(+), 34 deletions(-)
diff --git a/src/libImaging/Access.c b/src/libImaging/Access.c
index 292968f..8d27a0a 100644
--- a/src/libImaging/Access.c
+++ b/src/libImaging/Access.c
@@ -94,11 +94,11 @@ static void
get_pixel_16L(Imaging im, int x, int y, void* color)
{
UINT8* in = (UINT8*) &im->image[y][x+x];
- UINT16* out = color;
#ifdef WORDS_BIGENDIAN
+ UINT16* out = color;
out[0] = in[0] + (in[1]<<8);
#else
- out[0] = *(UINT16*) in;
+ memcpy(color, in, sizeof(UINT16));
#endif
}
@@ -106,10 +106,10 @@ static void
get_pixel_16B(Imaging im, int x, int y, void* color)
{
UINT8* in = (UINT8*) &im->image[y][x+x];
- UINT16* out = color;
#ifdef WORDS_BIGENDIAN
- out[0] = *(UINT16*) in;
+ memcpy(color, in, sizeof(UINT16));
#else
+ UINT16* out = color;
out[0] = in[1] + (in[0]<<8);
#endif
}
@@ -117,19 +117,18 @@ get_pixel_16B(Imaging im, int x, int y, void* color)
static void
get_pixel_32(Imaging im, int x, int y, void* color)
{
- INT32* out = color;
- out[0] = im->image32[y][x];
+ memcpy(color, &im->image32[y][x], sizeof(INT32));
}
static void
get_pixel_32L(Imaging im, int x, int y, void* color)
{
UINT8* in = (UINT8*) &im->image[y][x*4];
- INT32* out = color;
#ifdef WORDS_BIGENDIAN
+ INT32* out = color;
out[0] = in[0] + (in[1]<<8) + (in[2]<<16) + (in[3]<<24);
#else
- out[0] = *(INT32*) in;
+ memcpy(color, in, sizeof(INT32));
#endif
}
@@ -137,10 +136,10 @@ static void
get_pixel_32B(Imaging im, int x, int y, void* color)
{
UINT8* in = (UINT8*) &im->image[y][x*4];
- INT32* out = color;
#ifdef WORDS_BIGENDIAN
- out[0] = *(INT32*) in;
+ memcpy(color, in, sizeof(INT32));
#else
+ INT32* out = color;
out[0] = in[3] + (in[2]<<8) + (in[1]<<16) + (in[0]<<24);
#endif
}
@@ -153,7 +152,7 @@ put_pixel(Imaging im, int x, int y, const void* color)
if (im->image8)
im->image8[y][x] = *((UINT8*) color);
else
- im->image32[y][x] = *((INT32*) color);
+ memcpy(&im->image32[y][x], color, sizeof(INT32));
}
static void
@@ -165,10 +164,7 @@ put_pixel_8(Imaging im, int x, int y, const void* color)
static void
put_pixel_16L(Imaging im, int x, int y, const void* color)
{
- const char* in = color;
- UINT8* out = (UINT8*) &im->image8[y][x+x];
- out[0] = in[0];
- out[1] = in[1];
+ memcpy(&im->image8[y][x+x], color, 2);
}
static void
@@ -183,12 +179,7 @@ put_pixel_16B(Imaging im, int x, int y, const void* color)
static void
put_pixel_32L(Imaging im, int x, int y, const void* color)
{
- const char* in = color;
- UINT8* out = (UINT8*) &im->image8[y][x*4];
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
+ memcpy(&im->image8[y][x*4], color, 4);
}
static void
@@ -205,7 +196,7 @@ put_pixel_32B(Imaging im, int x, int y, const void* color)
static void
put_pixel_32(Imaging im, int x, int y, const void* color)
{
- im->image32[y][x] = *((INT32*) color);
+ memcpy(&im->image32[y][x], color, sizeof(INT32));
}
void
diff --git a/src/libImaging/Draw.c b/src/libImaging/Draw.c
index d0f374f..3b1ae0c 100644
--- a/src/libImaging/Draw.c
+++ b/src/libImaging/Draw.c
@@ -40,7 +40,6 @@
#define FLOOR(v) ((v) >= 0.0 ? (int) (v) : (int) floor(v))
#define INK8(ink) (*(UINT8*)ink)
-#define INK32(ink) (*(INT32*)ink)
/*
* Rounds around zero (up=away from zero, down=torwards zero)
@@ -555,7 +554,7 @@ DRAW draw32rgba = { point32rgba, hline32rgba, line32rgba, polygon32rgba };
ink = INK8(ink_);\
} else {\
draw = (op) ? &draw32rgba : &draw32; \
- ink = INK32(ink_);\
+ memcpy(&ink, ink_, sizeof(ink)); \
}
int
diff --git a/src/libImaging/Filter.c b/src/libImaging/Filter.c
index 6e4a005..64010ee 100644
--- a/src/libImaging/Filter.c
+++ b/src/libImaging/Filter.c
@@ -124,7 +124,7 @@ ImagingFilter3x3(Imaging imOut, Imaging im, const float* kernel,
UINT8* in1 = (UINT8*) im->image[y+1];
UINT32* out = (UINT32*) imOut->image[y];
- out[0] = ((UINT32*) in0)[0];
+ memcpy(out, in0, sizeof(UINT32));
if (im->bands == 2) {
for (x = 1; x < im->xsize-1; x++) {
float ss0 = offset;
@@ -234,8 +234,7 @@ ImagingFilter5x5(Imaging imOut, Imaging im, const float* kernel,
UINT8* in2 = (UINT8*) im->image[y+2];
UINT32* out = (UINT32*) imOut->image[y];
- out[0] = ((UINT32*) in0)[0];
- out[1] = ((UINT32*) in0)[1];
+ memcpy(out, in0, sizeof(UINT32) * 2);
if (im->bands == 2) {
for (x = 2; x < im->xsize-2; x++) {
float ss0 = offset;
diff --git a/src/libImaging/Geometry.c b/src/libImaging/Geometry.c
index 1d08728..56a1aa3 100644
--- a/src/libImaging/Geometry.c
+++ b/src/libImaging/Geometry.c
@@ -407,7 +407,7 @@ nearest_filter32(void* out, Imaging im, double xin, double yin)
int y = COORD(yin);
if (x < 0 || x >= im->xsize || y < 0 || y >= im->ysize)
return 0;
- ((INT32*)out)[0] = im->image32[y][x];
+ memcpy(out, &im->image32[y][x], sizeof(INT32));
return 1;
}
diff --git a/src/libImaging/GetBBox.c b/src/libImaging/GetBBox.c
index 3cfa42c..5cfb795 100644
--- a/src/libImaging/GetBBox.c
+++ b/src/libImaging/GetBBox.c
@@ -146,7 +146,7 @@ ImagingGetExtrema(Imaging im, void *extrema)
imax = in[x];
}
}
- ((INT32*) extrema)[0] = imin;
+ memcpy(extrema, &imin, sizeof(imin));
((INT32*) extrema)[1] = imax;
break;
case IMAGING_TYPE_FLOAT32:
@@ -160,7 +160,7 @@ ImagingGetExtrema(Imaging im, void *extrema)
fmax = in[x];
}
}
- ((FLOAT32*) extrema)[0] = fmin;
+ memcpy(extrema, &fmin, sizeof(fmin));
((FLOAT32*) extrema)[1] = fmax;
break;
case IMAGING_TYPE_SPECIAL:
diff --git a/src/libImaging/Histo.c b/src/libImaging/Histo.c
index 0bfc8df..887f09a 100644
--- a/src/libImaging/Histo.c
+++ b/src/libImaging/Histo.c
@@ -124,7 +124,7 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax)
return ImagingError_ValueError("min/max not given");
if (!im->xsize || !im->ysize)
break;
- imin = ((INT32*) minmax)[0];
+ memcpy(&imin, minmax, sizeof(imin));
imax = ((INT32*) minmax)[1];
if (imin >= imax)
break;
@@ -145,7 +145,7 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax)
return ImagingError_ValueError("min/max not given");
if (!im->xsize || !im->ysize)
break;
- fmin = ((FLOAT32*) minmax)[0];
+ memcpy(&fmin, minmax, sizeof(fmin));
fmax = ((FLOAT32*) minmax)[1];
if (fmin >= fmax)
break;
diff --git a/src/libImaging/Unpack.c b/src/libImaging/Unpack.c
index e9921d2..cdaba6e 100644
--- a/src/libImaging/Unpack.c
+++ b/src/libImaging/Unpack.c
@@ -1037,7 +1037,7 @@ unpackI12_I16(UINT8* out, const UINT8* in, int pixels){
#ifdef WORDS_BIGENDIAN
out[0] = tmp[1]; out[1] = tmp[0];
#else
- out16[0] = pixel;
+ memcpy(out, &pixel, sizeof(pixel));
#endif
pixel = (((UINT16) (in[1] & 0x0F)) << 8) + in[2];
@@ -1054,7 +1054,7 @@ unpackI12_I16(UINT8* out, const UINT8* in, int pixels){
#ifdef WORDS_BIGENDIAN
out[0] = tmp[1]; out[1] = tmp[0];
#else
- out16[0] = pixel;
+ memcpy(out, &pixel, sizeof(pixel));
#endif
}
}
--
2.27.0