FreeBSD Bugzilla – Attachment 166794 Details for Bug 207053: graphics/py-pillow: Backport security fixes from 3.1.1.
[patch] Proposed patch
py-pillow-3.1.1-security-backports.diff (text/plain), 6.61 KB, created by Raphael Kubo da Costa on 2016-02-09 10:44:18 UTC
>Index: Makefile >=================================================================== >--- Makefile (revision 408543) >+++ Makefile (working copy) >@@ -3,6 +3,7 @@ > > PORTNAME= pillow > PORTVERSION= 2.9.0 >+PORTREVISION= 1 > CATEGORIES= graphics python > PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} > >Index: files/patch-CVE-2016-0740 >=================================================================== >--- files/patch-CVE-2016-0740 (nonexistent) >+++ files/patch-CVE-2016-0740 (working copy) >@@ -0,0 +1,24 @@ >+From 6dcbf5bd96b717c58d7b642949da8d323099928e Mon Sep 17 00:00:00 2001 >+From: Eric Soroos <eric-github@soroos.net> >+Date: Thu, 14 Jan 2016 04:59:19 -0800 >+Subject: [PATCH] Fix for buffer overflow in TiffDecode.c CVE-2016-0740 >+ >+--- >+ Tests/check_libtiff_segfault.py | 23 +++++++++++++++++++++++ >+ Tests/images/libtiff_segfault.tif | Bin 0 -> 262 bytes >+ libImaging/TiffDecode.c | 2 +- >+ 3 files changed, 24 insertions(+), 1 deletion(-) >+ create mode 100644 Tests/check_libtiff_segfault.py >+ create mode 100644 Tests/images/libtiff_segfault.tif >+ >+--- libImaging/TiffDecode.c >++++ libImaging/TiffDecode.c >+@@ -169,7 +169,7 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, int >+ char *filename = "tempfile.tif"; >+ char *mode = "r"; >+ TIFF *tiff; >+- int size; >++ tsize_t size; >+ >+ >+ /* buffer is the encoded file, bytes is the length of the encoded file */ > >Property changes on: files/patch-CVE-2016-0740 >___________________________________________________________________ >Added: fbsd:nokeywords >## -0,0 +1 ## >+yes >\ No newline at end of property >Added: svn:eol-style >## -0,0 +1 ## >+native >\ No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property >Index: files/patch-CVE-2016-0775 >=================================================================== >--- files/patch-CVE-2016-0775 (nonexistent) >+++ files/patch-CVE-2016-0775 (working copy) 
>@@ -0,0 +1,24 @@ >+From bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec Mon Sep 17 00:00:00 2001 >+From: wiredfool <eric-github@soroos.net> >+Date: Wed, 20 Jan 2016 22:37:28 +0000 >+Subject: [PATCH] FLI overflow error fix and testcase CVE-2016-0775 >+ >+--- >+ Tests/check_fli_overflow.py | 16 ++++++++++++++++ >+ Tests/images/fli_overflow.fli | Bin 0 -> 4645 bytes >+ libImaging/FliDecode.c | 2 +- >+ 3 files changed, 17 insertions(+), 1 deletion(-) >+ create mode 100644 Tests/check_fli_overflow.py >+ create mode 100644 Tests/images/fli_overflow.fli >+ >+--- libImaging/FliDecode.c >++++ libImaging/FliDecode.c >+@@ -185,7 +185,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) >+ /* COPY chunk */ >+ for (y = 0; y < state->ysize; y++) { >+ UINT8* buf = (UINT8*) im->image[y]; >+- memcpy(buf+x, data, state->xsize); >++ memcpy(buf, data, state->xsize); >+ data += state->xsize; >+ } >+ break; > >Property changes on: files/patch-CVE-2016-0775 >___________________________________________________________________ >Added: fbsd:nokeywords >## -0,0 +1 ## >+yes >\ No newline at end of property >Added: svn:eol-style >## -0,0 +1 ## >+native >\ No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property >Index: files/patch-libImaging-PcdDecode.c >=================================================================== >--- files/patch-libImaging-PcdDecode.c (nonexistent) >+++ files/patch-libImaging-PcdDecode.c (working copy) 
>@@ -0,0 +1,33 @@ >+From ae453aa18b66af54e7ff716f4ccb33adca60afd4 Mon Sep 17 00:00:00 2001 >+From: wiredfool <eric-github@soroos.net> >+Date: Tue, 2 Feb 2016 05:46:26 -0800 >+Subject: [PATCH] PCD decoder overruns the shuffle buffer, Fixes #568 >+ >+--- >+ Tests/images/hopper.pcd | Bin 0 -> 788480 bytes >+ Tests/test_file_pcd.py | 18 ++++++++++++++++++ >+ libImaging/PcdDecode.c | 4 ++-- >+ 3 files changed, 20 insertions(+), 2 deletions(-) >+ create mode 100644 Tests/images/hopper.pcd >+ create mode 100644 Tests/test_file_pcd.py >+ >+--- libImaging/PcdDecode.c >++++ libImaging/PcdDecode.c >+@@ -47,7 +47,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) >+ out[0] = ptr[x]; >+ out[1] = ptr[(x+4*state->xsize)/2]; >+ out[2] = ptr[(x+5*state->xsize)/2]; >+- out += 4; >++ out += 3; >+ } >+ >+ state->shuffle((UINT8*) im->image[state->y], >+@@ -62,7 +62,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) >+ out[0] = ptr[x+state->xsize]; >+ out[1] = ptr[(x+4*state->xsize)/2]; >+ out[2] = ptr[(x+5*state->xsize)/2]; >+- out += 4; >++ out += 3; >+ } >+ >+ state->shuffle((UINT8*) im->image[state->y], > >Property changes on: files/patch-libImaging-PcdDecode.c >___________________________________________________________________ >Added: fbsd:nokeywords >## -0,0 +1 ## >+yes >\ No newline at end of property >Added: svn:eol-style >## -0,0 +1 ## >+native >\ No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property >Index: files/patch-libImaging-Resample.c >=================================================================== >--- files/patch-libImaging-Resample.c (nonexistent) >+++ files/patch-libImaging-Resample.c (working copy) 
>@@ -0,0 +1,35 @@ >+From 41fae6d9e2da741d2c5464775c7f1a609ea03798 Mon Sep 17 00:00:00 2001 >+From: Ned Williamson <nedwilliamson@gmail.com> >+Date: Thu, 4 Feb 2016 01:54:12 -0500 >+Subject: [PATCH] fix integer overflow in Resample.c >+ >+--- >+ libImaging/Resample.c | 12 ++++++++++++ >+ 1 file changed, 12 insertions(+) >+ >+--- libImaging/Resample.c >++++ libImaging/Resample.c >+@@ -138,11 +138,23 @@ ImagingResampleHorizontal(Imaging imIn, int xsize, int filter) >+ /* maximum number of coofs */ >+ kmax = (int) ceil(support) * 2 + 1; >+ >++ // check for overflow >++ if (kmax > 0 && xsize > SIZE_MAX / kmax) >++ return (Imaging) ImagingError_MemoryError(); >++ >++ // sizeof(float) should be greater than 0 >++ if (xsize * kmax > SIZE_MAX / sizeof(float)) >++ return (Imaging) ImagingError_MemoryError(); >++ >+ /* coefficient buffer */ >+ kk = malloc(xsize * kmax * sizeof(float)); >+ if ( ! kk) >+ return (Imaging) ImagingError_MemoryError(); >+ >++ // sizeof(int) should be greater than 0 as well >++ if (xsize > SIZE_MAX / (2 * sizeof(int))) >++ return (Imaging) ImagingError_MemoryError(); >++ >+ xbounds = malloc(xsize * 2 * sizeof(int)); >+ if ( ! xbounds) { >+ free(kk); > >Property changes on: files/patch-libImaging-Resample.c >___________________________________________________________________ >Added: fbsd:nokeywords >## -0,0 +1 ## >+yes >\ No newline at end of property >Added: svn:eol-style >## -0,0 +1 ## >+native >\ No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property
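Review bot: the only code change in files/patch-CVE-2016-0740 is the declaration `tsize_t size;` in ImagingLibTiffDecode, and none of the statements that assign or compare `size` fall inside the hunk's context, so the fix cannot be checked against the overflow from this patch alone. A one-line comment at the top of the patch file saying which use of `size` the wider type protects would make the backport reviewable. The retained header also still lists Tests/check_libtiff_segfault.py and Tests/images/libtiff_segfault.tif in its diffstat ("3 files changed") although only the TiffDecode.c change is carried; say so in the header or trim the diffstat.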
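Review bot: in the COPY-chunk loop of FliDecode.c carried by files/patch-CVE-2016-0775, `memcpy(buf, data, state->xsize);` now writes from the start of each row, but the source side is unchecked in the lines shown: `data` advances by `state->xsize` for each of `state->ysize` rows and nothing in the visible context compares that total against the `bytes` length passed to ImagingFliDecode. Please confirm the chunk length is validated before this case is reached, or add a check before the loop that xsize * ysize bytes remain in the input.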
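Review bot: files/patch-libImaging-PcdDecode.c carries a memory-safety fix (its subject reads "PCD decoder overruns the shuffle buffer") but, unlike patch-CVE-2016-0740 and patch-CVE-2016-0775, neither the file name nor the header gives an advisory identifier, only "Fixes #568". If an identifier has been assigned, put it in the file name or the commit message so all the backports can be audited the same way. On the code itself, `out += 3;` is applied in both loops, which is consistent, but the `state->shuffle(...)` call that consumes the buffer is cut off in the context, so the 3-byte stride should be checked against what that call expects.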
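Review bot: in the files/patch-libImaging-Resample.c hunk, the second guard `if (xsize * kmax > SIZE_MAX / sizeof(float))` multiplies before it checks. `xsize` is an `int` parameter of ImagingResampleHorizontal and `kmax` is assigned from an `(int)` cast, so if `kmax` is declared `int` the product is computed in signed int and can overflow before it is compared with the `size_t` bound. The same holds for `malloc(xsize * kmax * sizeof(float))`, where `xsize * kmax` is evaluated first. With a 64-bit `size_t` and a 32-bit `int`, the first guard `xsize > SIZE_MAX / kmax` cannot trip for any pair of positive `int` values, so it does not cover this case. Suggest bounding against INT_MAX (`xsize > INT_MAX / kmax`) or casting before the multiplication, `(size_t) xsize * kmax`, in both the checks and the malloc arguments. Minor style point: the added comments use `//` while the surrounding code uses `/* */`.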