From cf0295b9b70709416b2fb6c44f149c79b6e4c94d Mon Sep 17 00:00:00 2001 From: Imported From OpenBSD Date: Tue, 2 Feb 2016 23:08:40 +0000 Subject: [PATCH] Add upstream patch to py-Pillow, fixing a buffer overflow in PcdDecode.c, where the decoder writes assuming 4 bytes per pixel into a 3 byte per pixel wide buffer, allowing writing 768 bytes off the end of the buffer. This overwrites objects in Python's stack, leading to a crash. https://github.com/python-pillow/Pillow/pull/1706 (There's also a newer upstream release but that will need additional checking before it can go in). Written by: Stuart Henderson --- graphics/py-Pillow/Makefile | 4 +-- .../patches/patch-libImaging_PcdDecode_c | 27 +++++++++++++++++++ 2 files changed, 29 insertions(+), 2 deletions(-) create mode 100644 graphics/py-Pillow/patches/patch-libImaging_PcdDecode_c diff --git a/graphics/py-Pillow/Makefile b/graphics/py-Pillow/Makefile index abb71afaf4b..d43ea9a2953 100644 --- a/graphics/py-Pillow/Makefile +++ b/graphics/py-Pillow/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.14 2015/09/29 10:52:12 sthen Exp $ +# $OpenBSD: Makefile,v 1.15 2016/02/02 23:08:40 sthen Exp $ COMMENT= Python Imaging Library (fork) @@ -6,7 +6,7 @@ MODPY_EGG_VERSION= 2.8.1 DISTNAME= Pillow-${MODPY_EGG_VERSION} PKGNAME= py-${DISTNAME} CATEGORIES= graphics -REVISION= 0 +REVISION= 1 HOMEPAGE= http://python-pillow.github.io/ diff --git a/graphics/py-Pillow/patches/patch-libImaging_PcdDecode_c b/graphics/py-Pillow/patches/patch-libImaging_PcdDecode_c new file mode 100644 index 00000000000..c452064f0c9 --- /dev/null +++ b/graphics/py-Pillow/patches/patch-libImaging_PcdDecode_c @@ -0,0 +1,27 @@ +$OpenBSD: patch-libImaging_PcdDecode_c,v 1.1 2016/02/02 23:08:40 sthen Exp $ + +From ae453aa18b66af54e7ff716f4ccb33adca60afd4 Mon Sep 17 00:00:00 2001 +From: wiredfool +Date: Tue, 2 Feb 2016 05:46:26 -0800 +Subject: [PATCH] PCD decoder overruns the shuffle buffer, Fixes #568 + +--- libImaging/PcdDecode.c.orig Tue Feb 2 23:05:01 2016 ++++ libImaging/PcdDecode.c Tue Feb 2 23:05:20 2016 +@@ -47,7 +47,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, + out[0] = ptr[x]; + out[1] = ptr[(x+4*state->xsize)/2]; + out[2] = ptr[(x+5*state->xsize)/2]; +- out += 4; ++ out += 3; + } + + state->shuffle((UINT8*) im->image[state->y], +@@ -62,7 +62,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, + out[0] = ptr[x+state->xsize]; + out[1] = ptr[(x+4*state->xsize)/2]; + out[2] = ptr[(x+5*state->xsize)/2]; +- out += 4; ++ out += 3; + } + + state->shuffle((UINT8*) im->image[state->y],