From 487173d5a356dd3b2502369a4858c052590f27e1 Mon Sep 17 00:00:00 2001 From: koobs Date: Sat, 13 Feb 2016 10:54:52 +0000 Subject: [PATCH] MFH: r408782 graphics/py-pillow: Backport security fixes Backport security fixes from 3.1.1 release, resolving the following vulnerabilities: * CVE-2016-0775: Buffer overflow in FLI decoding code * CVE-2016-0740: Buffer overflow in TIFF decoding code * Integer overflow in Resample.c [1] * Buffer overflow in PCD decoder [2] [1] https://github.com/python-pillow/Pillow/issues/1710 [2] https://github.com/python-pillow/Pillow/issues/568 PR: 207053 Submitted by: rakuco Security: a8de962a-cf15-11e5-805c-5453ed2e2b49 Approved by: ports-secteam (security) --- graphics/py-pillow/Makefile | 3 +- graphics/py-pillow/files/patch-CVE-2016-0740 | 24 +++++++++++++ graphics/py-pillow/files/patch-CVE-2016-0775 | 24 +++++++++++++ .../files/patch-libImaging-PcdDecode.c | 33 +++++++++++++++++ .../files/patch-libImaging-Resample.c | 35 +++++++++++++++++++ 5 files changed, 118 insertions(+), 1 deletion(-) create mode 100644 graphics/py-pillow/files/patch-CVE-2016-0740 create mode 100644 graphics/py-pillow/files/patch-CVE-2016-0775 create mode 100644 graphics/py-pillow/files/patch-libImaging-PcdDecode.c create mode 100644 graphics/py-pillow/files/patch-libImaging-Resample.c diff --git a/graphics/py-pillow/Makefile b/graphics/py-pillow/Makefile index d3ad20af938f5..53ff71cd73d27 100644 --- a/graphics/py-pillow/Makefile +++ b/graphics/py-pillow/Makefile @@ -3,6 +3,7 @@ PORTNAME= pillow PORTVERSION= 2.9.0 +PORTREVISION= 1 CATEGORIES= graphics python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} @@ -96,7 +97,7 @@ do-install: ${PYDISTUTILS_SETUP} ${PYDISTUTILS_BUILD_TARGET} ${PYDISTUTILS_BUILDARGS} \ ${PYDISTUTILS_INSTALL_TARGET} ${PYDISTUTILS_INSTALLARGS}) -regression-test: extract +do-test: extract @cd ${WRKSRC} && \ ${PYTHON_CMD} ${PYSETUP} build_ext -i && \ ${PYTHON_CMD} selftest.py 
diff --git a/graphics/py-pillow/files/patch-CVE-2016-0740 b/graphics/py-pillow/files/patch-CVE-2016-0740
new file mode 100644
index 0000000000000..e5a25716dc6b7
--- /dev/null
+++ b/graphics/py-pillow/files/patch-CVE-2016-0740
@@ -0,0 +1,24 @@
+From 6dcbf5bd96b717c58d7b642949da8d323099928e Mon Sep 17 00:00:00 2001
+From: Eric Soroos
+Date: Thu, 14 Jan 2016 04:59:19 -0800
+Subject: [PATCH] Fix for buffer overflow in TiffDecode.c CVE-2016-0740
+
+---
+ Tests/check_libtiff_segfault.py | 23 +++++++++++++++++++++++
+ Tests/images/libtiff_segfault.tif | Bin 0 -> 262 bytes
+ libImaging/TiffDecode.c | 2 +-
+ 3 files changed, 24 insertions(+), 1 deletion(-)
+ create mode 100644 Tests/check_libtiff_segfault.py
+ create mode 100644 Tests/images/libtiff_segfault.tif
+
+--- libImaging/TiffDecode.c
++++ libImaging/TiffDecode.c
+@@ -169,7 +169,7 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, int
+ char *filename = "tempfile.tif";
+ char *mode = "r";
+ TIFF *tiff;
+- int size;
++ tsize_t size;
+
+
+ /* buffer is the encoded file, bytes is the length of the encoded file */
diff --git a/graphics/py-pillow/files/patch-CVE-2016-0775 b/graphics/py-pillow/files/patch-CVE-2016-0775
new file mode 100644
index 0000000000000..cbd4461802843
--- /dev/null
+++ b/graphics/py-pillow/files/patch-CVE-2016-0775
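Review bot: In libImaging/TiffDecode.c the widened declaration `tsize_t size;` carries no comment saying why the type matters, and the place where `size` is assigned and compared lies outside the hunk. Presumably the value comes from libtiff and is compared against an `int` length such as `bytes`; if so, that comparison should stay in the wider type and a negative `size` should be rejected, which cannot be confirmed from these lines. I would add `/* tsize_t, not int: a libtiff size must not be truncated before the bounds check */` above the declaration. The body of ImagingLibTiffDecode continues outside the hunk.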
@@ -0,0 +1,24 @@
+From bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec Mon Sep 17 00:00:00 2001
+From: wiredfool
+Date: Wed, 20 Jan 2016 22:37:28 +0000
+Subject: [PATCH] FLI overflow error fix and testcase CVE-2016-0775
+
+---
+ Tests/check_fli_overflow.py | 16 ++++++++++++++++
+ Tests/images/fli_overflow.fli | Bin 0 -> 4645 bytes
+ libImaging/FliDecode.c | 2 +-
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+ create mode 100644 Tests/check_fli_overflow.py
+ create mode 100644 Tests/images/fli_overflow.fli
+
+--- libImaging/FliDecode.c
++++ libImaging/FliDecode.c
+@@ -185,7 +185,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ /* COPY chunk */
+ for (y = 0; y < state->ysize; y++) {
+ UINT8* buf = (UINT8*) im->image[y];
+- memcpy(buf+x, data, state->xsize);
++ memcpy(buf, data, state->xsize);
+ data += state->xsize;
+ }
+ break;
diff --git a/graphics/py-pillow/files/patch-libImaging-PcdDecode.c b/graphics/py-pillow/files/patch-libImaging-PcdDecode.c
new file mode 100644
index 0000000000000..4c996ee4d8f46
--- /dev/null
+++ b/graphics/py-pillow/files/patch-libImaging-PcdDecode.c
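Review bot: In libImaging/FliDecode.c the COPY chunk loop still reads `state->xsize` bytes from `data` for each of `state->ysize` rows, and nothing in the visible lines checks that the input holds that many bytes; the change bounds the write but not the read. Unless such a check exists outside the hunk, a guard before the loop is needed, for example `if (state->ysize > 0 && state->xsize > bytes / state->ysize) { state->errcode = IMAGING_CODEC_OVERRUN; return -1; }`, tightened to the bytes left after `data` if that count is available. The local `UINT8* buf` also shadows the `buf` parameter of ImagingFliDecode; a name such as `row` would avoid the confusion. The function body starts and ends outside the hunk.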
@@ -0,0 +1,33 @@
+From ae453aa18b66af54e7ff716f4ccb33adca60afd4 Mon Sep 17 00:00:00 2001
+From: wiredfool
+Date: Tue, 2 Feb 2016 05:46:26 -0800
+Subject: [PATCH] PCD decoder overruns the shuffle buffer, Fixes #568
+
+---
+ Tests/images/hopper.pcd | Bin 0 -> 788480 bytes
+ Tests/test_file_pcd.py | 18 ++++++++++++++++++
+ libImaging/PcdDecode.c | 4 ++--
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100644 Tests/images/hopper.pcd
+ create mode 100644 Tests/test_file_pcd.py
+
+--- libImaging/PcdDecode.c
++++ libImaging/PcdDecode.c
+@@ -47,7 +47,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ out[0] = ptr[x];
+ out[1] = ptr[(x+4*state->xsize)/2];
+ out[2] = ptr[(x+5*state->xsize)/2];
+- out += 4;
++ out += 3;
+ }
+
+ state->shuffle((UINT8*) im->image[state->y],
+@@ -62,7 +62,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ out[0] = ptr[x+state->xsize];
+ out[1] = ptr[(x+4*state->xsize)/2];
+ out[2] = ptr[(x+5*state->xsize)/2];
+- out += 4;
++ out += 3;
+ }
+
+ state->shuffle((UINT8*) im->image[state->y],
diff --git a/graphics/py-pillow/files/patch-libImaging-Resample.c b/graphics/py-pillow/files/patch-libImaging-Resample.c
new file mode 100644
index 0000000000000..de7756ddf32b0
--- /dev/null
+++ b/graphics/py-pillow/files/patch-libImaging-Resample.c
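Review bot: In libImaging/PcdDecode.c the stride `out += 3` is a bare constant repeated in both row loops, with nothing tying it to the size of the buffer that `out` walks or to the layout `state->shuffle` reads; both are set up outside the hunk. I would document the invariant at the first loop, `/* three bytes are written per pixel (out[0..2]); the stride must match or the row buffer overruns */`. Since the two loops differ only in the index of the first sample, a named constant or a shared helper would keep them from diverging again. The function body starts and ends outside the hunk.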
@@ -0,0 +1,35 @@
+From 41fae6d9e2da741d2c5464775c7f1a609ea03798 Mon Sep 17 00:00:00 2001
+From: Ned Williamson
+Date: Thu, 4 Feb 2016 01:54:12 -0500
+Subject: [PATCH] fix integer overflow in Resample.c
+
+---
+ libImaging/Resample.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- libImaging/Resample.c
++++ libImaging/Resample.c
+@@ -138,11 +138,23 @@ ImagingResampleHorizontal(Imaging imIn, int xsize, int filter)
+ /* maximum number of coofs */
+ kmax = (int) ceil(support) * 2 + 1;
+
++ // check for overflow
++ if (kmax > 0 && xsize > SIZE_MAX / kmax)
++ return (Imaging) ImagingError_MemoryError();
++
++ // sizeof(float) should be greater than 0
++ if (xsize * kmax > SIZE_MAX / sizeof(float))
++ return (Imaging) ImagingError_MemoryError();
++
+ /* coefficient buffer */
+ kk = malloc(xsize * kmax * sizeof(float));
+ if ( ! kk)
+ return (Imaging) ImagingError_MemoryError();
+
++ // sizeof(int) should be greater than 0 as well
++ if (xsize > SIZE_MAX / (2 * sizeof(int)))
++ return (Imaging) ImagingError_MemoryError();
++
+ xbounds = malloc(xsize * 2 * sizeof(int));
+ if ( ! xbounds) {
+ free(kk);
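Review bot: In libImaging/Resample.c the second added check evaluates `xsize * kmax` in `int` before comparing it with `SIZE_MAX / sizeof(float)`, so where `size_t` is wider than `int` the product can overflow before either the check or the `malloc` argument sees it; the same holds for `xsize * 2` in the `xbounds` allocation. The third added check also returns after `kk` has been allocated without calling `free(kk)`, unlike the `xbounds` failure path just below it. Converting the operands to `size_t` and running all three checks before the first `malloc` addresses both points. ImagingResampleHorizontal continues outside the hunk.

```c
    // check for overflow, with the products computed in size_t rather than int
    if (kmax > 0 && (size_t) xsize > SIZE_MAX / (size_t) kmax)
        return (Imaging) ImagingError_MemoryError();

    if ((size_t) xsize * kmax > SIZE_MAX / sizeof(float))
        return (Imaging) ImagingError_MemoryError();

    // checked before kk is allocated, so this early return has nothing to free
    if ((size_t) xsize > SIZE_MAX / (2 * sizeof(int)))
        return (Imaging) ImagingError_MemoryError();

    /* coefficient buffer */
    kk = malloc((size_t) xsize * kmax * sizeof(float));
    // … unchanged: NULL check on kk …

    xbounds = malloc((size_t) xsize * 2 * sizeof(int));
    // … unchanged: NULL check on xbounds with free(kk) …
```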