-rw-r--r-- | main/py3-pillow/APKBUILD | 11 | ||||
-rw-r--r-- | main/py3-pillow/CVE-2020-35655.patch | 88 |
2 files changed, 96 insertions, 3 deletions
diff --git a/main/py3-pillow/APKBUILD b/main/py3-pillow/APKBUILD index 95d096e7e2f..e5874205bcc 100644 --- a/main/py3-pillow/APKBUILD +++ b/main/py3-pillow/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Fabian Affolter <fabian@affolter-engineering.ch> pkgname=py3-pillow pkgver=7.1.2 -pkgrel=0 +pkgrel=1 pkgdesc="Python Imaging Library" options="!check" url="https://python-pillow.org/" @@ -13,13 +13,17 @@ makedepends="python3-dev py3-setuptools freetype-dev openjpeg-dev libimagequant-dev libwebp-dev tiff-dev libpng-dev lcms2-dev libjpeg-turbo-dev libwebp-dev libxcb-dev zlib-dev" checkdepends="py3-pytest py3-numpy" -source="https://files.pythonhosted.org/packages/source/P/Pillow/Pillow-$pkgver.tar.gz" +source="https://files.pythonhosted.org/packages/source/P/Pillow/Pillow-$pkgver.tar.gz + CVE-2020-35655.patch + " builddir="$srcdir/Pillow-$pkgver" provides="py-pillow=$pkgver-r$pkgrel" # backwards compatibility replaces="py-pillow" # backwards compatiblity # secfixes: +# 7.1.2-r1: +# - CVE-2020-35655 # 6.2.2-r0: # - CVE-2019-19911 # - CVE-2020-5310 @@ -42,4 +46,5 @@ package() { python3 setup.py install --prefix=/usr --root="$pkgdir" } -sha512sums="75d88c5c967d600b84caf9af62eeda6f235fb1357ba7ca47656be6d48018f2df6f2442df2d2ea50d4cc0955f55dce05c2e2676f9b4bca5aa72bfda61e407dd97 Pillow-7.1.2.tar.gz" +sha512sums="75d88c5c967d600b84caf9af62eeda6f235fb1357ba7ca47656be6d48018f2df6f2442df2d2ea50d4cc0955f55dce05c2e2676f9b4bca5aa72bfda61e407dd97 Pillow-7.1.2.tar.gz +89984ca666bafc356ba8af50a3f96dc84965b882577f488c10550558a316982c52378bf52ec24b5ed53a4f8b1019e9e5e03bbff6e32c4009ea8ef71093f33f18 CVE-2020-35655.patch" diff --git a/main/py3-pillow/CVE-2020-35655.patch b/main/py3-pillow/CVE-2020-35655.patch new file mode 100644 index 00000000000..2a5048af3c9 --- /dev/null +++ b/main/py3-pillow/CVE-2020-35655.patch 
@@ -0,0 +1,88 @@ +upstream: https://github.com/python-pillow/Pillow/commit/120eea2e4547a7d1826afdf01563035844f0b7d5 + +diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c +index a03ecd4..9a8814b 100644 +--- a/src/libImaging/SgiRleDecode.c ++++ b/src/libImaging/SgiRleDecode.c +@@ -112,14 +112,33 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, + int err = 0; + int status; + ++ /* size check */ ++ if (im->xsize > INT_MAX / im->bands || ++ im->ysize > INT_MAX / im->bands) { ++ state->errcode = IMAGING_CODEC_MEMORY; ++ return -1; ++ } ++ + /* Get all data from File descriptor */ + c = (SGISTATE*)state->context; + _imaging_seek_pyFd(state->fd, 0L, SEEK_END); + c->bufsize = _imaging_tell_pyFd(state->fd); + c->bufsize -= SGI_HEADER_SIZE; ++ ++ c->tablen = im->bands * im->ysize; ++ /* below, we populate the starttab and lentab into the bufsize, ++ each with 4 bytes per element of tablen ++ Check here before we allocate any memory ++ */ ++ if (c->bufsize < 8*c->tablen) { ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; ++ } ++ + ptr = malloc(sizeof(UINT8) * c->bufsize); + if (!ptr) { +- return IMAGING_CODEC_MEMORY; ++ state->errcode = IMAGING_CODEC_MEMORY; ++ return -1; + } + _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET); + _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize); +@@ -134,18 +153,11 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, + state->ystep = 1; + } + +- if (im->xsize > INT_MAX / im->bands || +- im->ysize > INT_MAX / im->bands) { +- err = IMAGING_CODEC_MEMORY; +- goto sgi_finish_decode; +- } +- + /* Allocate memory for RLE tables and rows */ + free(state->buffer); + state->buffer = NULL; + /* malloc overflow check above */ + state->buffer = calloc(im->xsize * im->bands, sizeof(UINT8) * 2); +- c->tablen = im->bands * im->ysize; + c->starttab = calloc(c->tablen, sizeof(UINT32)); + c->lengthtab = calloc(c->tablen, sizeof(UINT32)); + if (!state->buffer || +@@ -176,7 +188,7 @@ 
ImagingSgiRleDecode(Imaging im, ImagingCodecState state, + + if (c->rleoffset + c->rlelength > c->bufsize) { + state->errcode = IMAGING_CODEC_OVERRUN; +- return -1; ++ goto sgi_finish_decode; + } + + /* row decompression */ +@@ -188,7 +200,7 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state, + } + if (status == -1) { + state->errcode = IMAGING_CODEC_OVERRUN; +- return -1; ++ goto sgi_finish_decode; + } else if (status == 1) { + goto sgi_finish_decode; + } +@@ -209,7 +221,8 @@ sgi_finish_decode: ; + free(c->lengthtab); + free(ptr); + if (err != 0){ +- return err; ++ state->errcode=err; ++ return -1; + } + return state->count - c->bufsize; + } |
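Review bot: The new pre-allocation guard `if (c->bufsize < 8*c->tablen)` in the first SgiRleDecode.c hunk multiplies in the type of `c->tablen`, while the size check added just above it only bounds `im->bands * im->ysize` by INT_MAX, so for a very tall image the `8*` can itself overflow and let an undersized buffer pass. The field types are declared outside this patch, so this assumes `tablen` and `bufsize` are 32-bit signed integers; comparing by division sidesteps the overflow: `if (c->bufsize < 0 || c->tablen > c->bufsize / 8) {`. The explicit `c->bufsize < 0` term keeps rejecting files shorter than SGI_HEADER_SIZE, which the current form only catches because the subtraction goes negative. The body of ImagingSgiRleDecode starts and ends outside the inner hunks. In the unchanged context the result of `_imaging_read_pyFd` is still ignored, so a short read would leave part of the malloc'd `ptr` uninitialised before the tables are read from it.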