--- a/components/python/imaging/Makefile Tue Jun 09 06:09:29 2015 -0700
+++ b/components/python/imaging/Makefile Thu Jul 09 18:19:03 2015 -0700
@@ -47,6 +47,14 @@
TEST_PYTHONPATH.32 = $(PROTO_DIR)/usr/lib/python$(PYTHON_VERSION)/vendor-packages/PIL
TEST_PYTHONPATH.64 = $(PROTO_DIR)/usr/lib/python$(PYTHON_VERSION)/vendor-packages/PIL:$(PROTO_DIR)/usr/lib/python$(PYTHON_VERSION)/vendor-packages/PIL/64
+# This binary image file accompanies the test which is created along with a fix
+# in patches/04-CVE-2014-9601.patch
+COMPONENT_PRE_TEST_ACTION= \
+ if [ ! -e $(SOURCE_DIR)/Images/png_decompression_dos.png ]; then \
+ $(CP) files/png_decompression_dos.png \
+ $(SOURCE_DIR)/Images/png_decompression_dos.png ; \
+ fi
+
COMPONENT_TEST_DIR= $(COMPONENT_SRC)
COMPONENT_TEST_ARGS= ./selftest.py
COMPONENT_TEST_ENV= PYTHONPATH=$(TEST_PYTHONPATH.$(BITS))
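Review bot: The comment above COMPONENT_PRE_TEST_ACTION does not say why the image has to be copied rather than carried in the patch, which is the only non-obvious part of the rule; `# The PNG used by the selftest added in patches/04-CVE-2014-9601.patch is binary and cannot be carried inside a text patch, so copy it into the unpacked source tree before the tests run.` would state that. The copy is also skipped whenever the destination already exists, so a refreshed `files/png_decompression_dos.png` is never propagated into an already-unpacked tree until a clean build; if that matters, drop the `-e` guard and copy unconditionally with `$(CP) -f`. Either way the test file name here is the one the new patch's description must match.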
Binary file components/python/imaging/files/png_decompression_dos.png has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/imaging/patches/04-CVE-2014-9601.patch Thu Jul 09 18:19:03 2015 -0700
@@ -0,0 +1,69 @@
+Fix to upstream bug
+https://github.com/python-pillow/Pillow/pull/1060
+
+Patch based on upstream commit to Pillow 2.7.0 (PIL fork)
+https://github.com/wiredfool/Pillow/commit/44286ba3c9bfa6ed565d11bd61460d8ec215e1ea
+
+Note that this patch includes a test of the fix, which requires an
+image file which is copied in from files/png_decompress_dos.png,
+since it cannot be patched in.
+
+--- Imaging-1.1.7-orig/PIL/PngImagePlugin.py 2015-01-21 17:45:12.000000000 -0800
++++ Imaging-1.1.7/PIL/PngImagePlugin.py 2015-01-21 19:37:23.000000000 -0800
+@@ -68,6 +68,12 @@ _MODES = {
+ (16,6): ("RGBA", "RGBA;16B"),
+ }
+
++def _safe_zlib_decompress(s):
++ dobj = zlib.decompressobj()
++ plaintext = dobj.decompress(s, ImageFile.SAFEBLOCK)
++ if dobj.unconsumed_tail:
++ raise ValueError("Decompressed Data Too Large")
++ return plaintext
+
+ # --------------------------------------------------------------------
+ # Support classes. Suitable for PNG and related formats like MNG etc.
+@@ -197,7 +203,7 @@ class PngStream(ChunkStream):
+ if comp_method != 0:
+ raise SyntaxError("Unknown compression method %s in iCCP chunk" % comp_method)
+ try:
+- icc_profile = zlib.decompress(s[i+2:])
++ icc_profile = _safe_zlib_decompress(s[i+2:])
+ except zlib.error:
+ icc_profile = None # FIXME
+ self.im_info["icc_profile"] = icc_profile
+@@ -293,7 +299,7 @@ class PngStream(ChunkStream):
+ if comp_method != 0:
+ raise SyntaxError("Unknown compression method %s in zTXt chunk" % comp_method)
+ import zlib
+- self.im_info[k] = self.im_text[k] = zlib.decompress(v[1:])
++ self.im_info[k] = self.im_text[k] = _safe_zlib_decompress(v[1:])
+ return s
+
+ # --------------------------------------------------------------------
+--- Imaging-1.1.7-orig/selftest.py 2015-01-21 17:44:51.000000000 -0800
++++ Imaging-1.1.7/selftest.py 2015-07-02 17:06:23.636751412 -0700
+@@ -9,6 +9,7 @@ from PIL import Image
+ from PIL import ImageDraw
+ from PIL import ImageFilter
+ from PIL import ImageMath
++from PIL import PngImagePlugin
+
+ try:
+ Image.core.ping
+@@ -146,6 +147,15 @@ def testimage():
+ >>> im.mode, im.size
+ ('F', (128, 128))
+
++ Test fix to PNG decompression DOS #1060
++
++ >>> try:
++ ... im = Image.open("Images/png_decompression_dos.png")
++ ... im.load()
++ ... except ValueError as msg:
++ ... print msg
++ Decompressed Data Too Large
++
+ PIL can do many other things, but I'll leave that for another
+ day. If you're curious, check the handbook, available from:
+
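Review bot: `_safe_zlib_decompress` has no docstring, and its contract — output is capped at `ImageFile.SAFEBLOCK` bytes and `ValueError("Decompressed Data Too Large")` is raised when the stream would expand past that — is exactly what both call sites and the new selftest rely on; a docstring such as `"""Inflate s, refusing streams that expand beyond ImageFile.SAFEBLOCK. Raises ValueError so a crafted chunk fails the load instead of exhausting memory."""` would make that explicit. In the iCCP handler the surrounding `except zlib.error` does not catch this `ValueError`, so an oversized profile now aborts the load instead of being set to `None` as a corrupt one is; that is the intended behaviour and matches the selftest, but a one-line comment above the call, `# ValueError from the size cap is deliberately not swallowed here`, would keep a later maintainer from widening the except. The patch header names `files/png_decompress_dos.png` while the Makefile copies `files/png_decompression_dos.png`; the header should use the real name. The helper also presumes `zlib` and `ImageFile` are module-level imports of PngImagePlugin.py, which the iCCP handler's existing use of `zlib.decompress` without a local import suggests but the hunk does not show.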