Add upstream patch to py-Pillow, fixing a buffer overflow in PcdDecod…

…e.c,

where the decoder writes assuming 4 bytes per pixel into a 3 byte per pixel
wide buffer, allowing writing 768 bytes off the end of the buffer. This
overwrites objects in Python's stack, leading to a crash.
python-pillow/Pillow#1706

(There's also a newer upstream release but that will need additional
checking before it can go in).

Written by: Stuart Henderson <sthen@openbsd.org>

graphics/py-Pillow/Makefile

@@ -1,12 +1,12 @@
-# $OpenBSD: Makefile,v 1.14 2015/09/29 10:52:12 sthen Exp $
+# $OpenBSD: Makefile,v 1.15 2016/02/02 23:08:40 sthen Exp $
 
 COMMENT=		Python Imaging Library (fork)
 
 MODPY_EGG_VERSION=	2.8.1
 DISTNAME=		Pillow-${MODPY_EGG_VERSION}
 PKGNAME=		py-${DISTNAME}
 CATEGORIES=		graphics
-REVISION=		0
+REVISION=		1
 
 HOMEPAGE=		http://python-pillow.github.io/
 

graphics/py-Pillow/patches/patch-libImaging_PcdDecode_c

@@ -0,0 +1,27 @@
+$OpenBSD: patch-libImaging_PcdDecode_c,v 1.1 2016/02/02 23:08:40 sthen Exp $
+
+From ae453aa18b66af54e7ff716f4ccb33adca60afd4 Mon Sep 17 00:00:00 2001
+From: wiredfool <eric-github@soroos.net>
+Date: Tue, 2 Feb 2016 05:46:26 -0800
+Subject: [PATCH] PCD decoder overruns the shuffle buffer, Fixes #568
+
+--- libImaging/PcdDecode.c.orig	Tue Feb  2 23:05:01 2016
++++ libImaging/PcdDecode.c	Tue Feb  2 23:05:20 2016
+@@ -47,7 +47,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, 
+ 	    out[0] = ptr[x];
+ 	    out[1] = ptr[(x+4*state->xsize)/2];
+ 	    out[2] = ptr[(x+5*state->xsize)/2];
+-	    out += 4;
++	    out += 3;
+ 	}
+
+ 	state->shuffle((UINT8*) im->image[state->y],
+@@ -62,7 +62,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, 
+ 	    out[0] = ptr[x+state->xsize];
+ 	    out[1] = ptr[(x+4*state->xsize)/2];
+ 	    out[2] = ptr[(x+5*state->xsize)/2];
+-	    out += 4;
++	    out += 3;
+ 	}
+
+ 	state->shuffle((UINT8*) im->image[state->y],