PCD decoder overruns the shuffle buffer, Fixes #568 #1706

Merged
merged 2 commits into from
Feb 4, 2016

wiredfool
Member

The shuffle buffer is initialized to 24bpp, and the pcd decoder offsets 32bpp.

@wiredfool wiredfool added the Bug Any unexpected behavior, until confirmed feature. label Feb 2, 2016
@wiredfool wiredfool added this to the 3.1.1 milestone Feb 2, 2016
@wiredfool wiredfool mentioned this pull request Feb 2, 2016
# from convert look find on pillow and not imagemagick.

#target = hopper().resize((768,512))
#self.assert_image_similar(im, target, 10)
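Review bot: the commented-out `target` and `assert_image_similar(im, target, 10)` lines leave the pixel comparison disabled, and the comment above them does not say that this is intentional. Mark it as a TODO and state what has to be true before the comparison can be re-enabled, so it is not read as dead code.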
Member

Just curious, why are these lines commented?

Member

Never mind, I realise again that the comment explains it. This is a potential future test, a kind of todo if you will.

wiredfool added a commit that referenced this pull request Feb 4, 2016
PCD decoder overruns the shuffle buffer, Fixes #568
@wiredfool wiredfool merged commit 5ec7fd0 into python-pillow:master Feb 4, 2016
bluerise pushed a commit to bitrig/bitrig-ports that referenced this pull request Feb 9, 2016
…e.c,

where the decoder writes assuming 4 bytes per pixel into a 3 byte per pixel
wide buffer, allowing writing 768 bytes off the end of the buffer. This
overwrites objects in Python's stack, leading to a crash.
python-pillow/Pillow#1706

(There's also a newer upstream release but that will need additional
checking before it can go in).

Written by: Stuart Henderson <sthen@openbsd.org>
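
The mismatch described in the commit message above, as an added example that is not part of that message or of Pillow's code: a constructed C model of a writer that advances 4 bytes per pixel into a buffer sized for 3, with the capacity check that rejects it. All function names are hypothetical, and the 768-pixel row width is an assumption taken from the 768x512 size in the commented test line.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the mismatch described above; not Pillow's PcdDecode.c. */
#define ROW_PIXELS 768 /* assumed row width, chosen to match the 768-byte figure */
#define BUF_BPP 3      /* buffer sized for 24bpp */

/* Bytes by which a writer advancing `stride` bytes per pixel runs past `cap`. */
size_t overrun_bytes(size_t pixels, size_t stride, size_t cap) {
    size_t need = pixels * stride;
    return need > cap ? need - cap : 0;
}

/* Interleave three planes into dst, `stride` bytes per pixel. Returns 0 on
 * success, -1 if dst cannot hold pixels * stride bytes or the size overflows. */
int shuffle_row(uint8_t *dst, size_t cap, const uint8_t *p0, const uint8_t *p1,
                const uint8_t *p2, size_t pixels, size_t stride) {
    if (stride < 3 || pixels > SIZE_MAX / stride)
        return -1;
    if (overrun_bytes(pixels, stride, cap) != 0)
        return -1; /* the check whose absence lets the write leave the buffer */
    for (size_t x = 0; x < pixels; x++) {
        uint8_t *out = dst + x * stride;
        out[0] = p0[x];
        out[1] = p1[x];
        out[2] = p2[x];
    }
    return 0;
}

/* Run the shuffle on a constructed row into a buffer sized for 24bpp. */
int demo_row(size_t stride) {
    static uint8_t p0[ROW_PIXELS], p1[ROW_PIXELS], p2[ROW_PIXELS];
    static uint8_t buf[ROW_PIXELS * BUF_BPP];
    memset(p0, 0x10, sizeof p0);
    memset(p1, 0x80, sizeof p1);
    memset(p2, 0x80, sizeof p2);
    return shuffle_row(buf, sizeof buf, p0, p1, p2, ROW_PIXELS, stride);
}

int main(void) {
    printf("overrun at 4 bytes/pixel: %zu bytes\n",
           overrun_bytes(ROW_PIXELS, 4, ROW_PIXELS * BUF_BPP));
    printf("stride 4 -> %d, stride 3 -> %d\n", demo_row(4), demo_row(3));
    return 0;
}
```

The check is conservative: it requires room for the full stride of every pixel, including the unused fourth byte of the last one.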
jsonn pushed a commit to jsonn/pkgsrc that referenced this pull request Feb 17, 2016
fixed buffer overflow in PcdDecode
bump PKGREV
@wiredfool wiredfool deleted the pcd-segfault branch October 2, 2017 13:30