!21 fix CVE-2020-5310 CVE-2020-5312 CVE-2020-5313

From: @tong_1001
Reviewed-by: @small_leek
Signed-off-by: @small_leek

CVE-2020-5310.patch

@@ -0,0 +1,59 @@
+From 4e2def2539ec13e53a82e06c4b3daf00454100c4 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Wed, 1 Jan 2020 16:38:37 +1100
+Subject: [PATCH] Overflow checks for realloc for tiff decoding
+
+https://github.com/python-pillow/Pillow/commit/4e2def2539ec13e53a82e06c4b3daf00454100c4
+
+---
+ src/libImaging/TiffDecode.c | 18 +++++++++++-------
+ 1 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
+index 9830238..1f505ff 100644
+--- a/src/libImaging/TiffDecode.c
++++ b/src/libImaging/TiffDecode.c
+@@ -237,20 +237,26 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, int
+     TIFFSetField(tiff, TIFFTAG_JPEGCOLORMODE, JPEGCOLORMODE_RGB);
+ 
+     if (TIFFIsTiled(tiff)) {
+-        uint32 x, y, tile_y;
++        uint32 x, y, tile_y, row_byte_size;
+         uint32 tileWidth, tileLength;
+         UINT8 *new_data;
+ 
+-        state->bytes = TIFFTileSize(tiff);
++        TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tileWidth);
++        TIFFGetField(tiff, TIFFTAG_TILELENGTH, &tileLength);
++
++        // We could use TIFFTileSize, but for YCbCr data it returns subsampled data size
++        row_byte_size = (tileWidth * state->bits + 7) / 8;
+ 
+-        /* overflow check for malloc */
+-        if (state->bytes > INT_MAX - 1) {
++        /* overflow check for realloc */
++        if (INT_MAX / row_byte_size < tileLength) {
+             state->errcode = IMAGING_CODEC_MEMORY;
+             TIFFClose(tiff);
+             return -1;
+         }
+ 
+-        /* realloc to fit whole tile */
++        state->bytes = row_byte_size * tileLength;
++
++        /* malloc check above */
+         new_data = realloc (state->buffer, state->bytes);
+         if (!new_data) {
+             state->errcode = IMAGING_CODEC_MEMORY;
+@@ -262,8 +268,6 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, int
+ 
+         TRACE(("TIFFTileSize: %d\n", state->bytes));
+ 
+-        TIFFGetField(tiff, TIFFTAG_TILEWIDTH, &tileWidth);
+-        TIFFGetField(tiff, TIFFTAG_TILELENGTH, &tileLength);
+ 
+         for (y = state->yoff; y < state->ysize; y += tileLength) {
+             for (x = state->xoff; x < state->xsize; x += tileWidth) {
+-- 
+2.27.0
+

CVE-2020-5312.patch

@@ -0,0 +1,28 @@
+From 93b22b846e0269ee9594ff71a72bec02d2bea8fd Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Sat, 21 Dec 2019 18:38:22 +1100
+Subject: [PATCH] Catch PCX P mode buffer overrun
+
+https://github.com/python-pillow/Pillow/commit/93b22b846e0269ee9594ff71a72bec02d2bea8fd
+
+---
+ src/libImaging/PcxDecode.c |  3 +++
+ 1 files changed, 3 insertions(+)
+
+diff --git a/src/libImaging/PcxDecode.c b/src/libImaging/PcxDecode.c
+index bf0eb00..ba76d92 100644
+--- a/src/libImaging/PcxDecode.c
++++ b/src/libImaging/PcxDecode.c
+@@ -25,6 +25,9 @@ ImagingPcxDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+     if ((state->xsize * state->bits + 7) / 8 > state->bytes) {
+         state->errcode = IMAGING_CODEC_OVERRUN;
+         return -1;
++    } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) {
++        state->errcode = IMAGING_CODEC_OVERRUN;
++        return -1;
+     }
+ 
+     ptr = buf;
+-- 
+2.27.0
+

CVE-2020-5313.patch

@@ -0,0 +1,38 @@
+From a09acd0decd8a87ccce939d5ff65dab59e7d365b Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Wed, 1 Jan 2020 14:14:47 +1100
+Subject: [PATCH] Catch FLI buffer overrun
+
+https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b
+---
+ src/libImaging/FliDecode.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
+index 2d63bea..06fa307 100644
+--- a/src/libImaging/FliDecode.c
++++ b/src/libImaging/FliDecode.c
+@@ -45,8 +45,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 	return 0;
+ 
+     /* We don't decode anything unless we have a full chunk in the
+-       input buffer (on the other hand, the Python part of the driver
+-       makes sure this is always the case) */
++       input buffer */
+ 
+     ptr = buf;
+ 
+@@ -57,6 +56,10 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+     /* Make sure this is a frame chunk.  The Python driver takes
+        case of other chunk types. */
+ 
++    if (bytes < 8) {
++        state->errcode = IMAGING_CODEC_OVERRUN;
++        return -1;
++    }
+     if (I16(ptr+4) != 0xF1FA) {
+ 	state->errcode = IMAGING_CODEC_UNKNOWN;
+ 	return -1;
+-- 
+2.27.0
+

python-pillow.spec

@@ -5,7 +5,7 @@
 
 Name:               python-pillow
 Version:            5.3.0
-Release:            7
+Release:            8
 Summary:            Python image processing library
 License:            MIT
 URL:                http://python-pillow.github.io/
@@ -23,6 +23,9 @@ Patch0008:          pre-CVE-2020-11538-1.patch
 Patch0011:          CVE-2020-5311.patch
 Patch0012:          CVE-2020-11538.patch
 Patch0013:          CVE-2019-19911.patch
+Patch0014:          CVE-2020-5310.patch
+Patch0015:          CVE-2020-5312.patch
+Patch0016:          CVE-2020-5313.patch
 
 BuildRequires:      freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel
 BuildRequires:      libtiff-devel libwebp-devel openjpeg2-devel tk-devel zlib-devel
@@ -176,6 +179,12 @@ popd
 %doc docs/_build_py3/html
 
 %changelog
+* Thu Nov 26 2020 shixuantong<shixuantong@huawei.com> - 5.3.0-8
+- Type:cves
+- ID:CVE-2020-5310 CVE-2020-5312 CVE-2020-5313
+- SUG:NA
+- DESC:fix CVE-2020-5310 CVE-2020-5312 CVE-2020-5313
+
 * Wed Nov 25 2020 shixuantong<shixuantong@huawei.com> - 5.3.0-7
 - Type:cves
 - ID:CVE-2019-19911 CVE-2020-5311