packages/python-pillow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-11538 CVE-2020-10378 CVE-2020-10177 CVE-2020-10994

Browse Source
This commit is contained in:
sxt1001 2020-11-25 16:29:55 +08:00
parent e1dc463a46
commit 44c0d67d82
8 changed files with 2283 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

145
CVE-2020-10177.patch Normal file
View File

@ -0,0 +1,145 @@
diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
index 600528e..2d63bea 100644
--- a/src/libImaging/FliDecode.c
+++ b/src/libImaging/FliDecode.c
@@ -24,6 +24,11 @@
#define I32(ptr)\
((ptr)[0] + ((ptr)[1] << 8) + ((ptr)[2] << 16) + ((ptr)[3] << 24))
+#define ERR_IF_DATA_OOB(offset) \
+ if ((data + (offset)) > ptr + bytes) {\
+ state->errcode = IMAGING_CODEC_OVERRUN; \
+ return -1; \
+ }
int
ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
@@ -75,10 +80,12 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
break; /* ignored; handled by Python code */
case 7:
/* FLI SS2 chunk (word delta) */
+ /* OOB ok, we've got 4 bytes min on entry */
lines = I16(data); data += 2;
for (l = y = 0; l < lines && y < state->ysize; l++, y++) {
- UINT8* buf = (UINT8*) im->image[y];
+ UINT8* local_buf = (UINT8*) im->image[y];
int p, packets;
+ ERR_IF_DATA_OOB(2)
packets = I16(data); data += 2;
while (packets & 0x8000) {
/* flag word */
@@ -88,29 +95,33 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
}
- buf = (UINT8*) im->image[y];
+ local_buf = (UINT8*) im->image[y];
} else {
/* store last byte (used if line width is odd) */
- buf[state->xsize-1] = (UINT8) packets;
+ local_buf[state->xsize-1] = (UINT8) packets;
}
+ ERR_IF_DATA_OOB(2)
packets = I16(data); data += 2;
}
for (p = x = 0; p < packets; p++) {
+ ERR_IF_DATA_OOB(2)
x += data[0]; /* pixel skip */
if (data[1] >= 128) {
+ ERR_IF_DATA_OOB(4)
i = 256-data[1]; /* run */
if (x + i + i > state->xsize)
break;
for (j = 0; j < i; j++) {
- buf[x++] = data[2];
- buf[x++] = data[3];
+ local_buf[x++] = data[2];
+ local_buf[x++] = data[3];
}
data += 2 + 2;
} else {
i = 2 * (int) data[1]; /* chunk */
if (x + i > state->xsize)
break;
- memcpy(buf + x, data + 2, i);
+ ERR_IF_DATA_OOB(2+i)
+ memcpy(local_buf + x, data + 2, i);
data += 2 + i;
x += i;
}
@@ -126,22 +137,26 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
break;
case 12:
/* FLI LC chunk (byte delta) */
+ /* OOB Check ok, we have 10 bytes here */
y = I16(data); ymax = y + I16(data+2); data += 4;
for (; y < ymax && y < state->ysize; y++) {
UINT8* out = (UINT8*) im->image[y];
int p, packets = *data++;
for (p = x = 0; p < packets; p++, x += i) {
+ ERR_IF_DATA_OOB(2)
x += data[0]; /* skip pixels */
if (data[1] & 0x80) {
i = 256-data[1]; /* run */
if (x + i > state->xsize)
break;
+ ERR_IF_DATA_OOB(3)
memset(out + x, data[2], i);
data += 3;
} else {
i = data[1]; /* chunk */
if (x + i > state->xsize)
break;
+ ERR_IF_DATA_OOB(2+i)
memcpy(out + x, data + 2, i);
data += i + 2;
}
@@ -162,14 +177,20 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
break;
case 15:
/* FLI BRUN chunk */
+ /* data = ptr + 6 */
for (y = 0; y < state->ysize; y++) {
UINT8* out = (UINT8*) im->image[y];
data += 1; /* ignore packetcount byte */
for (x = 0; x < state->xsize; x += i) {
+ /* Out of Bounds Read issue, guaranteed to try to read 2 from data */
+ ERR_IF_DATA_OOB(2)
if (data[0] & 0x80) {
i = 256 - data[0];
- if (x + i > state->xsize)
+ if (x + i > state->xsize){
break; /* safety first */
+ }
+ /* Out of Bounds read issue */
+ ERR_IF_DATA_OOB(i+1)
memcpy(out + x, data + 1, i);
data += i + 1;
} else {
@@ -189,9 +210,13 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
break;
case 16:
/* COPY chunk */
+ if (state->xsize > bytes/state->ysize) {
+ /* not enough data for frame */
+ return ptr - buf; /* bytes consumed */
+ }
for (y = 0; y < state->ysize; y++) {
- UINT8* buf = (UINT8*) im->image[y];
- memcpy(buf, data, state->xsize);
+ UINT8* local_buf = (UINT8*) im->image[y];
+ memcpy(local_buf, data, state->xsize);
data += state->xsize;
}
break;
@@ -205,6 +230,10 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
return -1;
}
advance = I32(ptr);
+ if (advance < 0 || advance > bytes) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ }
ptr += advance;
bytes -= advance;
}

22
CVE-2020-10378.patch Normal file
View File

@ -0,0 +1,22 @@
From 6a83e4324738bb0452fbe8074a995b1c73f08de7 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Mon, 9 Mar 2020 20:22:06 +0000
Subject: [PATCH] Fix OOB Access on PcxDecode.c
---
src/libImaging/PcxDecode.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
index 51de069..bf0eb00 100644
--- a/src/libImaging/PcxDecode.c
+++ b/src/libImaging/PcxDecode.c
@@ -22,7 +22,7 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
UINT8 n;
UINT8* ptr;
- if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) {
+ if ((state->xsize * state->bits + 7) / 8 > state->bytes) {
state->errcode = IMAGING_CODEC_OVERRUN;
return -1;
}

109
CVE-2020-10994.patch Normal file
View File

@ -0,0 +1,109 @@
From cf6da6b79080a8c16984102fdc85f7ce28dca613 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Mon, 9 Mar 2020 22:09:49 +0000
Subject: [PATCH 1/4] Fix for OOB Read in DecodeJpeg2k
---
src/libImaging/Jpeg2KDecode.c | 60 +++++++++++++++++++++++++----------
1 file changed, 43 insertions(+), 17 deletions(-)
diff --git a/src/libImaging/Jpeg2KDecode.c b/src/libImaging/Jpeg2KDecode.c
index 9140e00..8c231c1 100644
--- a/src/libImaging/Jpeg2KDecode.c
+++ b/src/libImaging/Jpeg2KDecode.c
@@ -110,6 +110,7 @@ j2ku_gray_l(opj_image_t *in, const JPEG2KTILEINFO *tileinfo,
if (shift < 0)
offset += 1 << (-shift - 1);
+ /* csiz*h*w + offset = tileinfo.datasize */
switch (csiz) {
case 1:
for (y = 0; y < h; ++y) {
@@ -557,8 +558,10 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
opj_dparameters_t params;
OPJ_COLOR_SPACE color_space;
j2k_unpacker_t unpack = NULL;
- size_t buffer_size = 0;
- unsigned n;
+ size_t buffer_size = 0, tile_bytes = 0;
+ unsigned n, tile_height, tile_width;
+ int components;
+
stream = opj_stream_create(BUFFER_SIZE, OPJ_TRUE);
@@ -703,8 +706,44 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
tile_info.x1 = (tile_info.x1 + correction) >> context->reduce;
tile_info.y1 = (tile_info.y1 + correction) >> context->reduce;
+ /* Check the tile bounds; if the tile is outside the image area,
+ or if it has a negative width or height (i.e. the coordinates are
+ swapped), bail. */
+ if (tile_info.x0 >= tile_info.x1
+ || tile_info.y0 >= tile_info.y1
+ || tile_info.x0 < image->x0
+ || tile_info.y0 < image->y0
+ || tile_info.x1 - image->x0 > im->xsize
+ || tile_info.y1 - image->y0 > im->ysize) {
+ state->errcode = IMAGING_CODEC_BROKEN;
+ state->state = J2K_STATE_FAILED;
+ goto quick_exit;
+ }
+
+ /* Sometimes the tile_info.datasize we get back from openjpeg
+ is less than numcomps*w*h, and we overflow in the
+ shuffle stage */
+
+ tile_width = tile_info.x1 - tile_info.x0;
+ tile_height = tile_info.y1 - tile_info.y0;
+ components = tile_info.nb_comps == 3 ? 4 : tile_info.nb_comps;
+ if (( tile_width > UINT_MAX / components ) ||
+ ( tile_height > UINT_MAX / components ) ||
+ ( tile_width > UINT_MAX / (tile_height * components )) ||
+ ( tile_height > UINT_MAX / (tile_width * components ))) {
+ state->errcode = IMAGING_CODEC_BROKEN;
+ state->state = J2K_STATE_FAILED;
+ goto quick_exit;
+ }
+
+ tile_bytes = tile_width * tile_height * components;
+
+ if (tile_bytes > tile_info.data_size) {
+ tile_info.data_size = tile_bytes;
+ }
+
if (buffer_size < tile_info.data_size) {
- /* malloc check ok, tile_info.data_size from openjpeg */
+ /* malloc check ok, overflow and tile size sanity check above */
UINT8 *new = realloc (state->buffer, tile_info.data_size);
if (!new) {
state->errcode = IMAGING_CODEC_MEMORY;
@@ -715,6 +754,7 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
buffer_size = tile_info.data_size;
}
+
if (!opj_decode_tile_data(codec,
tile_info.tile_index,
(OPJ_BYTE *)state->buffer,
@@ -725,20 +765,6 @@ j2k_decode_entry(Imaging im, ImagingCodecState state)
goto quick_exit;
}
- /* Check the tile bounds; if the tile is outside the image area,
- or if it has a negative width or height (i.e. the coordinates are
- swapped), bail. */
- if (tile_info.x0 >= tile_info.x1
- || tile_info.y0 >= tile_info.y1
- || tile_info.x0 < image->x0
- || tile_info.y0 < image->y0
- || tile_info.x1 - image->x0 > im->xsize
- || tile_info.y1 - image->y0 > im->ysize) {
- state->errcode = IMAGING_CODEC_BROKEN;
- state->state = J2K_STATE_FAILED;
- goto quick_exit;
- }
-
unpack(image, &tile_info, state->buffer, im);
}

55
CVE-2020-11538.patch Normal file
View File

@ -0,0 +1,55 @@
From 394d6a180a4b63a149a223b13e98a3209f837147 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Sat, 28 Mar 2020 13:00:46 +0000
Subject: [PATCH 1/4] Track number of pixels, not the number of runs
---
src/libImaging/SgiRleDecode.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
index e9b2c0b..087b7b4 100644
--- a/src/libImaging/SgiRleDecode.c
+++ b/src/libImaging/SgiRleDecode.c
@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf)
static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
{
UINT8 pixel, count;
+ int x = 0;
for (;n > 0; n--)
{
@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
count = pixel & RLE_MAX_RUN;
if (!count)
return count;
- if (count > xsize){
+ if (x + count > xsize){
return -1;
}
+ x += count;
if (pixel & RLE_COPY_FLAG) {
while(count--) {
*dest = *src++;
@@ -62,7 +64,8 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize)
{
UINT8 pixel, count;
-
+
+ int x = 0;
for (;n > 0; n--)
{
@@ -73,9 +76,10 @@ static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize)
count = pixel & RLE_MAX_RUN;
if (!count)
return count;
- if (count > xsize){
+ if (x + count > xsize){
return -1;
}
+ x += count;
if (pixel & RLE_COPY_FLAG) {
while(count--) {
memcpy(dest, src, 2);

1599
pre-CVE-2020-11538-1.patch Normal file
View File

File diff suppressed because it is too large Load Diff

82
pre-CVE-2020-11538-2.patch Normal file
View File

@ -0,0 +1,82 @@
From be44f0d9923485f3ed3a7a9fd479cf8cf69d814a Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Wed, 1 Jan 2020 14:16:45 +1100
Subject: [PATCH] Catch SGI buffer overruns
---
Tests/test_image.py | 2 ++
src/libImaging/SgiRleDecode.c | 23 +++++++++++++++++------
4 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
index 70b0ec5..e9b2c0b 100644
--- a/src/libImaging/SgiRleDecode.c
+++ b/src/libImaging/SgiRleDecode.c
@@ -25,7 +25,7 @@ static void read4B(UINT32* dest, UINT8* buf)
*dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
}
-static int expandrow(UINT8* dest, UINT8* src, int n, int z)
+static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
{
UINT8 pixel, count;
@@ -37,6 +37,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
count = pixel & RLE_MAX_RUN;
if (!count)
return count;
+ if (count > xsize){
+ return -1;
+ }
if (pixel & RLE_COPY_FLAG) {
while(count--) {
*dest = *src++;
@@ -56,7 +59,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z)
return 0;
}
-static int expandrow2(UINT8* dest, const UINT8* src, int n, int z)
+static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize)
{
UINT8 pixel, count;
@@ -70,6 +73,9 @@ static int expandrow2(UINT8* dest, const UINT8* src, int n, int z)
count = pixel & RLE_MAX_RUN;
if (!count)
return count;
+ if (count > xsize){
+ return -1;
+ }
if (pixel & RLE_COPY_FLAG) {
while(count--) {
memcpy(dest, src, 2);
@@ -96,6 +102,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
UINT8 *ptr;
SGISTATE *c;
int err = 0;
+ int status;
/* Get all data from File descriptor */
c = (SGISTATE*)state->context;
@@ -164,13 +171,17 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
/* row decompression */
if (c->bpc ==1) {
- if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands))
- goto sgi_finish_decode;
+ status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
}
else {
- if(expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands))
- goto sgi_finish_decode;
+ status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);
}
+ if (status == -1) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+ return -1;
+ } else if (status == 1) {
+ goto sgi_finish_decode;
+ }
state->count += c->rlelength;
}

15
python-pillow.spec
View File

@ -5,7 +5,7 @@
Name: python-pillow
Version: 5.3.0
Release: 5
Release: 6
Summary: Python image processing library
License: MIT
URL: http://python-pillow.github.io/
@ -15,6 +15,13 @@ Patch0000: 0000-CVE-2019-16865-1.patch
Patch0001: 0001-CVE-2019-16865-2.patch
Patch0002: 0002-CVE-2019-16865-3.patch
Patch0003: 0003-CVE-2019-16865-4.patch
Patch0004: CVE-2020-10378.patch
Patch0005: CVE-2020-10177.patch
Patch0006: CVE-2020-10994.patch
Patch0007: replace_copy_operations_with_memcpy.patch
Patch0008: pre-CVE-2020-11538-1.patch
Patch0009: pre-CVE-2020-11538-2.patch
Patch0010: CVE-2020-11538.patch
BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel
BuildRequires: libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel
@ -168,6 +175,12 @@ popd
%doc docs/_build_py3/html
%changelog
* Wed Nov 25 2020 shixuantong<shixuantong@huawei.com> - 5.3.0-6
- Type:cves
- ID:CVE-2020-11538 CVE-2020-10378 CVE-2020-10177 CVE-2020-10994
- SUG:NA
- DESC:fix CVE-2020-11538 CVE-2020-10378 CVE-2020-10177 CVE-2020-10994
* Fri Aug 21 2020 shixuantong <shixuantong@huawei.com> - 5.3.0-5
- add release version for rebuild

257
replace_copy_operations_with_memcpy.patch Normal file
View File

@ -0,0 +1,257 @@
From 220bfee19a98a0d5b3fe5a52b51df16dd459c397 Mon Sep 17 00:00:00 2001
From: Rolf Eike Beer <eike@sf-mail.de>
Date: Fri, 29 Jun 2018 22:33:08 +0200
Subject: [PATCH] replace copy operations with memcpy()
https://github.com/python-pillow/Pillow/commit/220bfee19a98a0d5b3fe5a52b51df16dd459c397
This replaces trivial instances where a copy from one pointer to the other
involves no further calculations or casts. The compiler will optimize this to
whatever the platform offers.
---
src/libImaging/Access.c | 35 +++++++++++++----------------------
src/libImaging/Draw.c | 3 +--
src/libImaging/Filter.c | 5 ++---
src/libImaging/Geometry.c | 2 +-
src/libImaging/GetBBox.c | 4 ++--
src/libImaging/Histo.c | 4 ++--
src/libImaging/Unpack.c | 4 ++--
7 files changed, 23 insertions(+), 34 deletions(-)
diff --git a/src/libImaging/Access.c b/src/libImaging/Access.c
index 292968f..8d27a0a 100644
--- a/src/libImaging/Access.c
+++ b/src/libImaging/Access.c
@@ -94,11 +94,11 @@ static void
get_pixel_16L(Imaging im, int x, int y, void* color)
{
UINT8* in = (UINT8*) &im->image[y][x+x];
- UINT16* out = color;
#ifdef WORDS_BIGENDIAN
+ UINT16* out = color;
out[0] = in[0] + (in[1]<<8);
#else
- out[0] = *(UINT16*) in;
+ memcpy(color, in, sizeof(UINT16));
#endif
}
@@ -106,10 +106,10 @@ static void
get_pixel_16B(Imaging im, int x, int y, void* color)
{
UINT8* in = (UINT8*) &im->image[y][x+x];
- UINT16* out = color;
#ifdef WORDS_BIGENDIAN
- out[0] = *(UINT16*) in;
+ memcpy(color, in, sizeof(UINT16));
#else
+ UINT16* out = color;
out[0] = in[1] + (in[0]<<8);
#endif
}
@@ -117,19 +117,18 @@ get_pixel_16B(Imaging im, int x, int y, void* color)
static void
get_pixel_32(Imaging im, int x, int y, void* color)
{
- INT32* out = color;
- out[0] = im->image32[y][x];
+ memcpy(color, &im->image32[y][x], sizeof(INT32));
}
static void
get_pixel_32L(Imaging im, int x, int y, void* color)
{
UINT8* in = (UINT8*) &im->image[y][x*4];
- INT32* out = color;
#ifdef WORDS_BIGENDIAN
+ INT32* out = color;
out[0] = in[0] + (in[1]<<8) + (in[2]<<16) + (in[3]<<24);
#else
- out[0] = *(INT32*) in;
+ memcpy(color, in, sizeof(INT32));
#endif
}
@@ -137,10 +136,10 @@ static void
get_pixel_32B(Imaging im, int x, int y, void* color)
{
UINT8* in = (UINT8*) &im->image[y][x*4];
- INT32* out = color;
#ifdef WORDS_BIGENDIAN
- out[0] = *(INT32*) in;
+ memcpy(color, in, sizeof(INT32));
#else
+ INT32* out = color;
out[0] = in[3] + (in[2]<<8) + (in[1]<<16) + (in[0]<<24);
#endif
}
@@ -153,7 +152,7 @@ put_pixel(Imaging im, int x, int y, const void* color)
if (im->image8)
im->image8[y][x] = *((UINT8*) color);
else
- im->image32[y][x] = *((INT32*) color);
+ memcpy(&im->image32[y][x], color, sizeof(INT32));
}
static void
@@ -165,10 +164,7 @@ put_pixel_8(Imaging im, int x, int y, const void* color)
static void
put_pixel_16L(Imaging im, int x, int y, const void* color)
{
- const char* in = color;
- UINT8* out = (UINT8*) &im->image8[y][x+x];
- out[0] = in[0];
- out[1] = in[1];
+ memcpy(&im->image8[y][x+x], color, 2);
}
static void
@@ -183,12 +179,7 @@ put_pixel_16B(Imaging im, int x, int y, const void* color)
static void
put_pixel_32L(Imaging im, int x, int y, const void* color)
{
- const char* in = color;
- UINT8* out = (UINT8*) &im->image8[y][x*4];
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
+ memcpy(&im->image8[y][x*4], color, 4);
}
static void
@@ -205,7 +196,7 @@ put_pixel_32B(Imaging im, int x, int y, const void* color)
static void
put_pixel_32(Imaging im, int x, int y, const void* color)
{
- im->image32[y][x] = *((INT32*) color);
+ memcpy(&im->image32[y][x], color, sizeof(INT32));
}
void
diff --git a/src/libImaging/Draw.c b/src/libImaging/Draw.c
index d0f374f..3b1ae0c 100644
--- a/src/libImaging/Draw.c
+++ b/src/libImaging/Draw.c
@@ -40,7 +40,6 @@
#define FLOOR(v) ((v) >= 0.0 ? (int) (v) : (int) floor(v))
#define INK8(ink) (*(UINT8*)ink)
-#define INK32(ink) (*(INT32*)ink)
/*
* Rounds around zero (up=away from zero, down=torwards zero)
@@ -555,7 +554,7 @@ DRAW draw32rgba = { point32rgba, hline32rgba, line32rgba, polygon32rgba };
ink = INK8(ink_);\
} else {\
draw = (op) ? &draw32rgba : &draw32; \
- ink = INK32(ink_);\
+ memcpy(&ink, ink_, sizeof(ink)); \
}
int
diff --git a/src/libImaging/Filter.c b/src/libImaging/Filter.c
index 6e4a005..64010ee 100644
--- a/src/libImaging/Filter.c
+++ b/src/libImaging/Filter.c
@@ -124,7 +124,7 @@ ImagingFilter3x3(Imaging imOut, Imaging im, const float* kernel,
UINT8* in1 = (UINT8*) im->image[y+1];
UINT32* out = (UINT32*) imOut->image[y];
- out[0] = ((UINT32*) in0)[0];
+ memcpy(out, in0, sizeof(UINT32));
if (im->bands == 2) {
for (x = 1; x < im->xsize-1; x++) {
float ss0 = offset;
@@ -234,8 +234,7 @@ ImagingFilter5x5(Imaging imOut, Imaging im, const float* kernel,
UINT8* in2 = (UINT8*) im->image[y+2];
UINT32* out = (UINT32*) imOut->image[y];
- out[0] = ((UINT32*) in0)[0];
- out[1] = ((UINT32*) in0)[1];
+ memcpy(out, in0, sizeof(UINT32) * 2);
if (im->bands == 2) {
for (x = 2; x < im->xsize-2; x++) {
float ss0 = offset;
diff --git a/src/libImaging/Geometry.c b/src/libImaging/Geometry.c
index 1d08728..56a1aa3 100644
--- a/src/libImaging/Geometry.c
+++ b/src/libImaging/Geometry.c
@@ -407,7 +407,7 @@ nearest_filter32(void* out, Imaging im, double xin, double yin)
int y = COORD(yin);
if (x < 0 || x >= im->xsize || y < 0 || y >= im->ysize)
return 0;
- ((INT32*)out)[0] = im->image32[y][x];
+ memcpy(out, &im->image32[y][x], sizeof(INT32));
return 1;
}
diff --git a/src/libImaging/GetBBox.c b/src/libImaging/GetBBox.c
index 3cfa42c..5cfb795 100644
--- a/src/libImaging/GetBBox.c
+++ b/src/libImaging/GetBBox.c
@@ -146,7 +146,7 @@ ImagingGetExtrema(Imaging im, void *extrema)
imax = in[x];
}
}
- ((INT32*) extrema)[0] = imin;
+ memcpy(extrema, &imin, sizeof(imin));
((INT32*) extrema)[1] = imax;
break;
case IMAGING_TYPE_FLOAT32:
@@ -160,7 +160,7 @@ ImagingGetExtrema(Imaging im, void *extrema)
fmax = in[x];
}
}
- ((FLOAT32*) extrema)[0] = fmin;
+ memcpy(extrema, &fmin, sizeof(fmin));
((FLOAT32*) extrema)[1] = fmax;
break;
case IMAGING_TYPE_SPECIAL:
diff --git a/src/libImaging/Histo.c b/src/libImaging/Histo.c
index 0bfc8df..887f09a 100644
--- a/src/libImaging/Histo.c
+++ b/src/libImaging/Histo.c
@@ -124,7 +124,7 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax)
return ImagingError_ValueError("min/max not given");
if (!im->xsize || !im->ysize)
break;
- imin = ((INT32*) minmax)[0];
+ memcpy(&imin, minmax, sizeof(imin));
imax = ((INT32*) minmax)[1];
if (imin >= imax)
break;
@@ -145,7 +145,7 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax)
return ImagingError_ValueError("min/max not given");
if (!im->xsize || !im->ysize)
break;
- fmin = ((FLOAT32*) minmax)[0];
+ memcpy(&fmin, minmax, sizeof(fmin));
fmax = ((FLOAT32*) minmax)[1];
if (fmin >= fmax)
break;
diff --git a/src/libImaging/Unpack.c b/src/libImaging/Unpack.c
index e9921d2..cdaba6e 100644
--- a/src/libImaging/Unpack.c
+++ b/src/libImaging/Unpack.c
@@ -1037,7 +1037,7 @@ unpackI12_I16(UINT8* out, const UINT8* in, int pixels){
#ifdef WORDS_BIGENDIAN
out[0] = tmp[1]; out[1] = tmp[0];
#else
- out16[0] = pixel;
+ memcpy(out, &pixel, sizeof(pixel));
#endif
pixel = (((UINT16) (in[1] & 0x0F)) << 8) + in[2];
@@ -1054,7 +1054,7 @@ unpackI12_I16(UINT8* out, const UINT8* in, int pixels){
#ifdef WORDS_BIGENDIAN
out[0] = tmp[1]; out[1] = tmp[0];
#else
- out16[0] = pixel;
+ memcpy(out, &pixel, sizeof(pixel));
#endif
}
}
--
2.27.0