MFH: r408782 graphics/py-pillow: Backport security fixes

Backport security fixes from 3.1.1 release, resolving the following vulnerabilities: * CVE-2016-0775: Buffer overflow in FLI decoding code * CVE-2016-0740: Buffer overflow in TIFF decoding code * Integer overflow in Resample.c [1] * Buffer overflow in PCD decoder [2] [1] python-pillow/Pillow#1710 [2] python-pillow/Pillow#568 PR: 207053 Submitted by: rakuco Security: a8de962a-cf15-11e5-805c-5453ed2e2b49 Approved by: ports-secteam (security)
freebsd · Feb 13, 2016 · 487173d · 487173d
1 parent 5194f43
commit 487173d
Show file tree

Hide file tree

Showing 5 changed files with 118 additions and 1 deletion.
diff --git a/graphics/py-pillow/Makefile b/graphics/py-pillow/Makefile
@@ -3,6 +3,7 @@
 
 PORTNAME=	pillow
 PORTVERSION=	2.9.0
+PORTREVISION=	1
 CATEGORIES=	graphics python
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
 
@@ -96,7 +97,7 @@ do-install:
 		${PYDISTUTILS_SETUP} ${PYDISTUTILS_BUILD_TARGET} ${PYDISTUTILS_BUILDARGS} \
 		${PYDISTUTILS_INSTALL_TARGET} ${PYDISTUTILS_INSTALLARGS})
 
-regression-test: extract
+do-test: extract
 	@cd ${WRKSRC} && \
 	${PYTHON_CMD} ${PYSETUP} build_ext -i && \
 	${PYTHON_CMD} selftest.py

diff --git a/graphics/py-pillow/files/patch-CVE-2016-0740 b/graphics/py-pillow/files/patch-CVE-2016-0740
@@ -0,0 +1,24 @@
+From 6dcbf5bd96b717c58d7b642949da8d323099928e Mon Sep 17 00:00:00 2001
+From: Eric Soroos <eric-github@soroos.net>
+Date: Thu, 14 Jan 2016 04:59:19 -0800
+Subject: [PATCH] Fix for buffer overflow in TiffDecode.c CVE-2016-0740
+
+---
+ Tests/check_libtiff_segfault.py   |  23 +++++++++++++++++++++++
+ Tests/images/libtiff_segfault.tif | Bin 0 -> 262 bytes
+ libImaging/TiffDecode.c           |   2 +-
+ 3 files changed, 24 insertions(+), 1 deletion(-)
+ create mode 100644 Tests/check_libtiff_segfault.py
+ create mode 100644 Tests/images/libtiff_segfault.tif
+
+--- libImaging/TiffDecode.c
++++ libImaging/TiffDecode.c
+@@ -169,7 +169,7 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, int
+ 	char *filename = "tempfile.tif";
+ 	char *mode = "r";
+ 	TIFF *tiff;
+-	int size;
++	tsize_t size;
+
+
+ 	/* buffer is the encoded file, bytes is the length of the encoded file */
diff --git a/graphics/py-pillow/files/patch-CVE-2016-0775 b/graphics/py-pillow/files/patch-CVE-2016-0775
@@ -0,0 +1,24 @@
+From bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec Mon Sep 17 00:00:00 2001
+From: wiredfool <eric-github@soroos.net>
+Date: Wed, 20 Jan 2016 22:37:28 +0000
+Subject: [PATCH] FLI overflow error fix and testcase CVE-2016-0775
+
+---
+ Tests/check_fli_overflow.py   |  16 ++++++++++++++++
+ Tests/images/fli_overflow.fli | Bin 0 -> 4645 bytes
+ libImaging/FliDecode.c        |   2 +-
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+ create mode 100644 Tests/check_fli_overflow.py
+ create mode 100644 Tests/images/fli_overflow.fli
+
+--- libImaging/FliDecode.c
++++ libImaging/FliDecode.c
+@@ -185,7 +185,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 	    /* COPY chunk */
+ 	    for (y = 0; y < state->ysize; y++) {
+ 		UINT8* buf = (UINT8*) im->image[y];
+-		memcpy(buf+x, data, state->xsize);
++		memcpy(buf, data, state->xsize);
+ 		data += state->xsize;
+ 	    }
+ 	    break;
diff --git a/graphics/py-pillow/files/patch-libImaging-PcdDecode.c b/graphics/py-pillow/files/patch-libImaging-PcdDecode.c
@@ -0,0 +1,33 @@
+From ae453aa18b66af54e7ff716f4ccb33adca60afd4 Mon Sep 17 00:00:00 2001
+From: wiredfool <eric-github@soroos.net>
+Date: Tue, 2 Feb 2016 05:46:26 -0800
+Subject: [PATCH] PCD decoder overruns the shuffle buffer, Fixes #568
+
+---
+ Tests/images/hopper.pcd | Bin 0 -> 788480 bytes
+ Tests/test_file_pcd.py  |  18 ++++++++++++++++++
+ libImaging/PcdDecode.c  |   4 ++--
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100644 Tests/images/hopper.pcd
+ create mode 100644 Tests/test_file_pcd.py
+
+--- libImaging/PcdDecode.c
++++ libImaging/PcdDecode.c
+@@ -47,7 +47,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 	    out[0] = ptr[x];
+ 	    out[1] = ptr[(x+4*state->xsize)/2];
+ 	    out[2] = ptr[(x+5*state->xsize)/2];
+-	    out += 4;
++	    out += 3;
+ 	}
+
+ 	state->shuffle((UINT8*) im->image[state->y],
+@@ -62,7 +62,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 	    out[0] = ptr[x+state->xsize];
+ 	    out[1] = ptr[(x+4*state->xsize)/2];
+ 	    out[2] = ptr[(x+5*state->xsize)/2];
+-	    out += 4;
++	    out += 3;
+ 	}
+
+ 	state->shuffle((UINT8*) im->image[state->y],
diff --git a/graphics/py-pillow/files/patch-libImaging-Resample.c b/graphics/py-pillow/files/patch-libImaging-Resample.c
@@ -0,0 +1,35 @@
+From 41fae6d9e2da741d2c5464775c7f1a609ea03798 Mon Sep 17 00:00:00 2001
+From: Ned Williamson <nedwilliamson@gmail.com>
+Date: Thu, 4 Feb 2016 01:54:12 -0500
+Subject: [PATCH] fix integer overflow in Resample.c
+
+---
+ libImaging/Resample.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- libImaging/Resample.c
++++ libImaging/Resample.c
+@@ -138,11 +138,23 @@ ImagingResampleHorizontal(Imaging imIn, int xsize, int filter)
+     /* maximum number of coofs */
+     kmax = (int) ceil(support) * 2 + 1;
+
++    // check for overflow
++    if (kmax > 0 && xsize > SIZE_MAX / kmax)
++        return (Imaging) ImagingError_MemoryError();
++
++    // sizeof(float) should be greater than 0
++    if (xsize * kmax > SIZE_MAX / sizeof(float))
++        return (Imaging) ImagingError_MemoryError();
++
+     /* coefficient buffer */
+     kk = malloc(xsize * kmax * sizeof(float));
+     if ( ! kk)
+         return (Imaging) ImagingError_MemoryError();
+
++    // sizeof(int) should be greater than 0 as well
++    if (xsize > SIZE_MAX / (2 * sizeof(int)))
++        return (Imaging) ImagingError_MemoryError();
++
+     xbounds = malloc(xsize * 2 * sizeof(int));
+     if ( ! xbounds) {
+         free(kk);