-rw-r--r--main/py3-pillow/APKBUILD11
-rw-r--r--main/py3-pillow/CVE-2020-35655.patch88
2 files changed, 96 insertions, 3 deletions
diff --git a/main/py3-pillow/APKBUILD b/main/py3-pillow/APKBUILD
index 95d096e7e2f..e5874205bcc 100644
--- a/main/py3-pillow/APKBUILD
+++ b/main/py3-pillow/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
pkgname=py3-pillow
pkgver=7.1.2
-pkgrel=0
+pkgrel=1
pkgdesc="Python Imaging Library"
options="!check"
url="https://python-pillow.org/"
@@ -13,13 +13,17 @@ makedepends="python3-dev py3-setuptools freetype-dev
openjpeg-dev libimagequant-dev libwebp-dev tiff-dev libpng-dev lcms2-dev libjpeg-turbo-dev
libwebp-dev libxcb-dev zlib-dev"
checkdepends="py3-pytest py3-numpy"
-source="https://files.pythonhosted.org/packages/source/P/Pillow/Pillow-$pkgver.tar.gz"
+source="https://files.pythonhosted.org/packages/source/P/Pillow/Pillow-$pkgver.tar.gz
+ CVE-2020-35655.patch
+ "
builddir="$srcdir/Pillow-$pkgver"
provides="py-pillow=$pkgver-r$pkgrel" # backwards compatibility
replaces="py-pillow" # backwards compatiblity
# secfixes:
+# 7.1.2-r1:
+# - CVE-2020-35655
# 6.2.2-r0:
# - CVE-2019-19911
# - CVE-2020-5310
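Review bot: The backported security patch is added to `source` while the APKBUILD still carries `options="!check"` (visible near the top of the file), so the build never runs the package's tests against the patched SGI decoder and `checkdepends` goes unused. Consider re-enabling the test phase for this release, or at least documenting the gap next to the option with a comment such as `# tests disabled: <reason>`, so that reviewers of later backports know the patch was not exercised at build time.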
@@ -42,4 +46,5 @@ package() {
python3 setup.py install --prefix=/usr --root="$pkgdir"
}
-sha512sums="75d88c5c967d600b84caf9af62eeda6f235fb1357ba7ca47656be6d48018f2df6f2442df2d2ea50d4cc0955f55dce05c2e2676f9b4bca5aa72bfda61e407dd97 Pillow-7.1.2.tar.gz"
+sha512sums="75d88c5c967d600b84caf9af62eeda6f235fb1357ba7ca47656be6d48018f2df6f2442df2d2ea50d4cc0955f55dce05c2e2676f9b4bca5aa72bfda61e407dd97 Pillow-7.1.2.tar.gz
+89984ca666bafc356ba8af50a3f96dc84965b882577f488c10550558a316982c52378bf52ec24b5ed53a4f8b1019e9e5e03bbff6e32c4009ea8ef71093f33f18 CVE-2020-35655.patch"
diff --git a/main/py3-pillow/CVE-2020-35655.patch b/main/py3-pillow/CVE-2020-35655.patch
new file mode 100644
index 00000000000..2a5048af3c9
--- /dev/null
+++ b/main/py3-pillow/CVE-2020-35655.patch
@@ -0,0 +1,88 @@
+upstream: https://github.com/python-pillow/Pillow/commit/120eea2e4547a7d1826afdf01563035844f0b7d5
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index a03ecd4..9a8814b 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -112,14 +112,33 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ int err = 0;
+ int status;
+
++ /* size check */
++ if (im->xsize > INT_MAX / im->bands ||
++ im->ysize > INT_MAX / im->bands) {
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
++ }
++
+ /* Get all data from File descriptor */
+ c = (SGISTATE*)state->context;
+ _imaging_seek_pyFd(state->fd, 0L, SEEK_END);
+ c->bufsize = _imaging_tell_pyFd(state->fd);
+ c->bufsize -= SGI_HEADER_SIZE;
++
++ c->tablen = im->bands * im->ysize;
++ /* below, we populate the starttab and lentab into the bufsize,
++ each with 4 bytes per element of tablen
++ Check here before we allocate any memory
++ */
++ if (c->bufsize < 8*c->tablen) {
++ state->errcode = IMAGING_CODEC_OVERRUN;
++ return -1;
++ }
++
+ ptr = malloc(sizeof(UINT8) * c->bufsize);
+ if (!ptr) {
+- return IMAGING_CODEC_MEMORY;
++ state->errcode = IMAGING_CODEC_MEMORY;
++ return -1;
+ }
+ _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);
+ _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);
+@@ -134,18 +153,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ state->ystep = 1;
+ }
+
+- if (im->xsize > INT_MAX / im->bands ||
+- im->ysize > INT_MAX / im->bands) {
+- err = IMAGING_CODEC_MEMORY;
+- goto sgi_finish_decode;
+- }
+-
+ /* Allocate memory for RLE tables and rows */
+ free(state->buffer);
+ state->buffer = NULL;
+ /* malloc overflow check above */
+ state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2);
+- c->tablen = im->bands * im->ysize;
+ c->starttab = calloc(c->tablen, sizeof(UINT32));
+ c->lengthtab = calloc(c->tablen, sizeof(UINT32));
+ if (!state->buffer ||
+@@ -176,7 +188,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+
+ if (c->rleoffset + c->rlelength > c->bufsize) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+ }
+
+ /* row decompression */
+@@ -188,7 +200,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,
+ }
+ if (status == -1) {
+ state->errcode = IMAGING_CODEC_OVERRUN;
+- return -1;
++ goto sgi_finish_decode;
+ } else if (status == 1) {
+ goto sgi_finish_decode;
+ }
+@@ -209,7 +221,8 @@ sgi_finish_decode: ;
+ free(c->lengthtab);
+ free(ptr);
+ if (err != 0){
+- return err;
++ state->errcode=err;
++ return -1;
+ }
+ return state->count - c->bufsize;
+ }
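Review bot: The new table guard `if (c->bufsize < 8*c->tablen)` multiplies before comparing, and the size check above it only bounds `im->bands * im->ysize` by INT_MAX, so `8*c->tablen` can overflow if `tablen` is a signed int (its declaration is not part of this patch). Writing the test as `if (c->tablen > c->bufsize / 8)` keeps the same intent without the multiplication. Separately, the return value of `_imaging_read_pyFd` is still not compared with `c->bufsize`, so a short read would leave part of the malloc'd `ptr` uninitialised when the start and length tables are parsed from it. The unchanged bound `c->rleoffset + c->rlelength > c->bufsize` may also wrap if both operands are 32-bit unsigned, which the UINT32 tables suggest but which should be confirmed against the SGISTATE definition. Only fragments of ImagingSgiRleDecode are visible in this backport, so these points need checking against the full function.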