Merge pull request #6699 from hugovk/security-libtiff_buffer

Hugo van Kemenade 2022-10-29 15:06:57 +03:00 committed by GitHub
commit 1a51ce7b95
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 4 deletions


@ -42,7 +42,6 @@ def test_save(tmp_path, mode):
helper_save_as_pdf(tmp_path, mode) helper_save_as_pdf(tmp_path, mode)
@pytest.mark.valgrind_known_error(reason="Temporary skip")
def test_monochrome(tmp_path): def test_monochrome(tmp_path):
# Arrange # Arrange
mode = "1" mode = "1"


@ -40,6 +40,12 @@ classes: :py:data:`~PIL.ExifTags.Base` and :py:data:`~PIL.ExifTags.GPS`.
Security Security
======== ========
Initialize libtiff buffer when saving
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When saving a TIFF image to a file object using libtiff, the buffer was not
initialized. This behaviour introduced in Pillow 2.0.0, and has now been fixed.
Decode JPEG compressed BLP1 data in original mode Decode JPEG compressed BLP1 data in original mode
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


@ -771,11 +771,11 @@ ImagingLibTiffEncodeInit(ImagingCodecState state, char *filename, int fp) {
TRACE(("Opening using fd: %d for writing \n", clientstate->fp)); TRACE(("Opening using fd: %d for writing \n", clientstate->fp));
clientstate->tiff = TIFFFdOpen(fd_to_tiff_fd(clientstate->fp), filename, mode); clientstate->tiff = TIFFFdOpen(fd_to_tiff_fd(clientstate->fp), filename, mode);
} else { } else {
// malloc a buffer to write the tif, we're going to need to realloc or something // calloc a buffer to write the tif, we're going to need to realloc or something
// if we need bigger. // if we need bigger.
TRACE(("Opening a buffer for writing \n")); TRACE(("Opening a buffer for writing \n"));
/* malloc check ok, small constant allocation */ /* calloc check ok, small constant allocation */
clientstate->data = malloc(bufsize); clientstate->data = calloc(bufsize, 1);
clientstate->size = bufsize; clientstate->size = bufsize;
clientstate->flrealloc = 1; clientstate->flrealloc = 1;
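Review bot: Zero-filling only the initial allocation may leave the growth path uncovered: the comment in the else branch says the buffer will be realloc'd if more space is needed, `clientstate->flrealloc = 1` is set right after, and realloc does not zero the bytes it adds. The resize code is outside this hunk, so this is inferred; if it grows `clientstate->data` with realloc, the added tail should be cleared there, e.g. `memset(new_data + old_size, 0, new_size - old_size);` (names are placeholders). The NULL check on the calloc result is also not visible here, and `/* calloc check ok, small constant allocation */` appears to speak only to the allocation size, so a comment such as `/* zero-filled so unwritten bytes never reach the saved file; keep any realloc growth zeroed too */` would record why calloc is required. The body of ImagingLibTiffEncodeInit continues past the end of the hunk.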