Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
systemsmanagement:Ardana:8:CentOS:7.3
python-Pillow
015-Fix-negative-size-read-in-TiffDecode.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 015-Fix-negative-size-read-in-TiffDecode.patch of Package python-Pillow
From e25be1e33dc526bfd1094bc778a54d8e29bf66c9 Mon Sep 17 00:00:00 2001 From: Eric Soroos <eric-github@soroos.net> Date: Fri, 8 Jan 2021 18:45:42 +0100 Subject: [PATCH] Fix negative size read in TiffDecode.c * Caught by oss-fuzz runs * CVE-2021-25290 --- ...-0c7e0e8e11ce787078f00b5b0ca409a167f070e0.tif | Bin 0 -> 2529 bytes ...-1185209cf7655b5aed8ae5e77784dfdd18ab59e9.tif | Bin 0 -> 1931 bytes ...-338516dbd2f0e83caddb8ce256c22db3bd6dc40f.tif | Bin 0 -> 4682 bytes ...-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif | Bin 0 -> 4050 bytes ...-86214e58da443d2b80820cff9677a38a33dcbbca.tif | Bin 0 -> 286 bytes ...-f46f5b2f43c370fe65706c11449f567ecc345e74.tif | Bin 0 -> 1844 bytes Tests/test_tiff_crashes.py | 8 +++++++- libImaging/TiffDecode.c | 4 ++++ 8 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 Tests/images/crash-0c7e0e8e11ce787078f00b5b0ca409a167f070e0.tif create mode 100644 Tests/images/crash-1185209cf7655b5aed8ae5e77784dfdd18ab59e9.tif create mode 100644 Tests/images/crash-338516dbd2f0e83caddb8ce256c22db3bd6dc40f.tif create mode 100644 Tests/images/crash-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif create mode 100644 Tests/images/crash-86214e58da443d2b80820cff9677a38a33dcbbca.tif create mode 100644 Tests/images/crash-f46f5b2f43c370fe65706c11449f567ecc345e74.tif diff --git a/Tests/test_tiff_crashes.py b/Tests/test_tiff_crashes.py index eb25334669..4e68c5c552 100644 --- a/Tests/test_tiff_crashes.py +++ b/Tests/test_tiff_crashes.py @@ -41,6 +41,21 @@ class TestTiffCrashes(PillowTestCase): # def test_crash_2(self): # self._test("Tests/images/crash_2.tif") + def test_crash_0c7e0e8e11ce787078f00b5b0ca409a167f070e0(self): + self._test("Tests/images/crash-0c7e0e8e11ce787078f00b5b0ca409a167f070e0.tif") + + def test_crash_1185209cf7655b5aed8ae5e77784dfdd18ab59e9(self): + self._test("Tests/images/crash-1185209cf7655b5aed8ae5e77784dfdd18ab59e9.tif") + + def test_crash_338516dbd2f0e83caddb8ce256c22db3bd6dc40f(self): + self._test("Tests/images/crash-338516dbd2f0e83caddb8ce256c22db3bd6dc40f.tif") + + def test_crash_4f085cc12ece8cde18758d42608bed6a2a2cfb1c(self): + self._test("Tests/images/crash-4f085cc12ece8cde18758d42608bed6a2a2cfb1c.tif") + + def test_crash_f46f5b2f43c370fe65706c11449f567ecc345e74(self): + self._test("Tests/images/crash-f46f5b2f43c370fe65706c11449f567ecc345e74.tif") + if __name__ == '__main__': unittest.main() diff --git a/libImaging/TiffDecode.c b/libImaging/TiffDecode.c index f0e2582863..6cebe0bcab 100644 --- a/libImaging/TiffDecode.c +++ b/libImaging/TiffDecode.c @@ -36,6 +36,10 @@ tsize_t _tiffReadProc(thandle_t hdata, tdata_t buf, tsize_t size) { TRACE(("_tiffReadProc: %d \n", (int)size)); dump_state(state); + if (state->loc > state->eof) { + TIFFError("_tiffReadProc", "Invalid Read at loc %d, eof: %d", state->loc, state->eof); + return 0; + } to_read = min(size, min(state->size, (tsize_t)state->eof) - (tsize_t)state->loc); TRACE(("to_read: %d\n", (int)to_read));
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
