20396665 problem in PYTHON-MOD/PIL s11u2-sru
authorApril Chin <april.chin@oracle.com>
Thu, 09 Jul 2015 18:16:57 -0700
branchs11u2-sru
changeset 4640 044ef665199a
parent 4636 ff0f2637c4e0
child 4650 7a924b284d8d
20396665 problem in PYTHON-MOD/PIL
components/python/imaging/Makefile
components/python/imaging/files/png_decompression_dos.png
components/python/imaging/patches/04-CVE-2014-9601.patch
--- a/components/python/imaging/Makefile	Mon Jul 13 18:54:56 2015 -0700
+++ b/components/python/imaging/Makefile	Thu Jul 09 18:16:57 2015 -0700
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 
 include ../../../make-rules/shared-macros.mk
@@ -42,6 +42,14 @@
 TEST_PYTHONPATH.32 = $(PROTO_DIR)/usr/lib/python$(PYTHON_VERSION)/vendor-packages/PIL
 TEST_PYTHONPATH.64 = $(PROTO_DIR)/usr/lib/python$(PYTHON_VERSION)/vendor-packages/PIL:$(PROTO_DIR)/usr/lib/python$(PYTHON_VERSION)/vendor-packages/PIL/64
 
+# This binary image file accompanies the test which is created along with a fix
+# in patches/04-CVE-2014-9601.patch
+COMPONENT_PRE_TEST_ACTION= \
+	if [ ! -e $(SOURCE_DIR)/Images/png_decompression_dos.png ]; then \
+		$(CP) files/png_decompression_dos.png \
+		$(SOURCE_DIR)/Images/png_decompression_dos.png ; \
+	fi
+
 COMPONENT_TEST_DIR= $(COMPONENT_SRC)
 COMPONENT_TEST_ARGS= ./selftest.py
 COMPONENT_TEST_ENV= PYTHONPATH=$(TEST_PYTHONPATH.$(BITS))
Binary file components/python/imaging/files/png_decompression_dos.png has changed
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/imaging/patches/04-CVE-2014-9601.patch	Thu Jul 09 18:16:57 2015 -0700
@@ -0,0 +1,69 @@
+Fix to upstream bug
+https://github.com/python-pillow/Pillow/pull/1060
+
+Patch based on upstream commit to Pillow 2.7.0 (PIL fork)
+https://github.com/wiredfool/Pillow/commit/44286ba3c9bfa6ed565d11bd61460d8ec215e1ea
+
+Note that this patch includes a test of the fix, which requires an 
+image file which is copied in from files/png_decompress_dos.png,
+since it cannot be patched in.
+
+--- Imaging-1.1.7-orig/PIL/PngImagePlugin.py	2015-01-21 17:45:12.000000000 -0800
++++ Imaging-1.1.7/PIL/PngImagePlugin.py	2015-01-21 19:37:23.000000000 -0800
[email protected]@ -68,6 +68,12 @@ _MODES = {
+     (16,6): ("RGBA", "RGBA;16B"),
+ }
+ 
++def _safe_zlib_decompress(s):
++    dobj = zlib.decompressobj()
++    plaintext = dobj.decompress(s, ImageFile.SAFEBLOCK)
++    if dobj.unconsumed_tail:
++        raise ValueError("Decompressed Data Too Large")
++    return plaintext
+ 
+ # --------------------------------------------------------------------
+ # Support classes.  Suitable for PNG and related formats like MNG etc.
[email protected]@ -197,7 +203,7 @@ class PngStream(ChunkStream):
+         if comp_method != 0:
+             raise SyntaxError("Unknown compression method %s in iCCP chunk" % comp_method)
+         try:
+-            icc_profile = zlib.decompress(s[i+2:])
++            icc_profile = _safe_zlib_decompress(s[i+2:])
+         except zlib.error:
+             icc_profile = None # FIXME
+         self.im_info["icc_profile"] = icc_profile
[email protected]@ -293,7 +299,7 @@ class PngStream(ChunkStream):
+         if comp_method != 0:
+             raise SyntaxError("Unknown compression method %s in zTXt chunk" % comp_method)
+         import zlib
+-        self.im_info[k] = self.im_text[k] = zlib.decompress(v[1:])
++        self.im_info[k] = self.im_text[k] = _safe_zlib_decompress(v[1:])
+         return s
+ 
+ # --------------------------------------------------------------------
+--- Imaging-1.1.7-orig/selftest.py	2015-01-21 17:44:51.000000000 -0800
++++ Imaging-1.1.7/selftest.py	2015-07-02 17:06:23.636751412 -0700
[email protected]@ -9,6 +9,7 @@ from PIL import Image
+ from PIL import ImageDraw
+ from PIL import ImageFilter
+ from PIL import ImageMath
++from PIL import PngImagePlugin
+ 
+ try:
+     Image.core.ping
[email protected]@ -146,6 +147,15 @@ def testimage():
+     >>> im.mode, im.size
+     ('F', (128, 128))
+ 
++    Test fix to PNG decompression DOS #1060
++
++    >>> try:
++    ...  im = Image.open("Images/png_decompression_dos.png")
++    ...  im.load()
++    ... except ValueError as msg:
++    ...  print msg
++    Decompressed Data Too Large
++
+     PIL can do many other things, but I'll leave that for another
+     day.  If you're curious, check the handbook, available from:
+