From 2a93aba5cfcf6e241ab4f9392c13e3b74032c061 Mon Sep 17 00:00:00 2001
From: Andrew Murray
Date: Thu, 22 Feb 2024 18:56:26 +1100
Subject: [PATCH 1/2] Use strncpy to avoid buffer overflow

---
 Tests/icc/sGrey-v2-nano.icc | Bin 0 -> 290 bytes
 Tests/test_imagecms.py | 5 +++++
 src/_imagingcms.c | 9 ++++-----
 3 files changed, 9 insertions(+), 5 deletions(-)
 create mode 100644 Tests/icc/sGrey-v2-nano.icc

diff --git a/Tests/icc/sGrey-v2-nano.icc b/Tests/icc/sGrey-v2-nano.icc
new file mode 100644
index 0000000000000000000000000000000000000000..0e9edfd403182dd3ca815935cc85f33ec5dbd746
GIT binary patch
literal 290
zcmZQzU{uOU&MjsVU|`72D=Bgha*T|Kj8b5K#K6oT!obPE#~_=STwLHA>=wcR1jUKv
z#mOZ_IUqIye7nZL2;yDV%}C5k;hV$Xm^N{`e8QEs#kOw0V-V`FvRG15i<5yeTYxye
zyriH6NM8VAk?fElXCVCqh)t3Uih$yb5b%7

literal 0
HcmV?d00001

diff --git a/Tests/test_imagecms.py b/Tests/test_imagecms.py
index c80fab75b..fbd78032e 100644
--- a/Tests/test_imagecms.py
+++ b/Tests/test_imagecms.py
@@ -661,6 +661,11 @@ def test_auxiliary_channels_isolated() -> None:
 assert_image_equal(test_image.convert(dst_format[2]), reference_image)
 
 
+def test_long_modes() -> None:
+ p = ImageCms.getOpenProfile("Tests/icc/sGrey-v2-nano.icc")
+ ImageCms.buildTransform(p, p, "ABCDEFGHI", "ABCDEFGHI")
+
+
 @pytest.mark.parametrize("mode", ("RGB", "RGBA", "RGBX"))
 def test_rgb_lab(mode: str) -> None:
 im = Image.new(mode, (1, 1))
diff --git a/src/_imagingcms.c b/src/_imagingcms.c
index 4d66dcc10..84b8a7e71 100644
--- a/src/_imagingcms.c
+++ b/src/_imagingcms.c
@@ -201,8 +201,8 @@ cms_transform_new(cmsHTRANSFORM transform, char *mode_in, char *mode_out) {
 
 self->transform = transform;
 
- strcpy(self->mode_in, mode_in);
- strcpy(self->mode_out, mode_out);
+ strncpy(self->mode_in, mode_in, 8);
+ strncpy(self->mode_out, mode_out, 8);
 
 return (PyObject *)self;
 }
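Review bot: test_long_modes only proves that buildTransform with a 9-character mode no longer crashes; it does not pin what the transform ends up holding, so the truncation introduced by the `strncpy(..., 8)` calls in `_imagingcms.c` (and the missing NUL terminator they leave for modes of 8 characters or more) is not observed by any assertion. Keep the returned object and assert on the mode it reports, e.g. `t = ImageCms.buildTransform(p, p, "ABCDEFGHI", "ABCDEFGHI")` followed by an assertion on the C transform's mode attributes (`inputMode`/`outputMode`, if the C object exposes them) so an over-read or a wrong truncation fails the test rather than passing silently. If the intended behaviour is instead to reject modes that do not fit, wrap the call in `pytest.raises` here so the contract is documented by the test.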
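Review bot: `strncpy(self->mode_in, mode_in, 8)` stops the write overflow but does not NUL-terminate the field when `mode_in` has 8 or more characters (the new test passes a 9-character mode), so any later NUL-terminated read of `self->mode_in` (`strlen`, or building a Python string from it) runs past the field into whatever follows — assuming the fields are `char[8]` as the literal 8 suggests, which the hunk does not show. Bound the copy by the field and terminate explicitly, `strncpy(self->mode_in, mode_in, sizeof(self->mode_in) - 1); self->mode_in[sizeof(self->mode_in) - 1] = '\0';` and the same pair for `mode_out`, so the size is tied to the declaration rather than a repeated magic number; better still, reject a mode that does not fit and return NULL with an error set instead of silently truncating it. The same point applies to both strncpy lines in this hunk. The enclosing function cms_transform_new begins before this hunk.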
@@ -242,10 +242,9 @@ findLCMStype(char *PILmode) {
 // LabX equivalent like ALab, but not reversed -- no #define in lcms2
 return (COLORSPACE_SH(PT_LabV2) | CHANNELS_SH(3) | BYTES_SH(1) | EXTRA_SH(1));
 }
- else {
- /* take a wild guess... but you probably should fail instead. */
- return TYPE_GRAY_8; /* so there's no buffer overrun... */
+ /* take a wild guess... */
+ return TYPE_GRAY_8;
 }
 }

From facf3af93dabcbdd8cdbda8c3b50eefafa3bb04c Mon Sep 17 00:00:00 2001
From: Andrew Murray
Date: Tue, 26 Mar 2024 05:34:31 +1100
Subject: [PATCH 2/2] Added release notes

---
 docs/releasenotes/10.3.0.rst | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)

diff --git a/docs/releasenotes/10.3.0.rst b/docs/releasenotes/10.3.0.rst
index a73efcee4..e5a47b281 100644
--- a/docs/releasenotes/10.3.0.rst
+++ b/docs/releasenotes/10.3.0.rst
@@ -4,21 +4,11 @@
 Security
 ========
 
-TODO
-^^^^
+:cve:`2024-28219`: Fix buffer overflow in ``_imagingcms.c``
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-TODO
-
-:cve:`YYYY-XXXXX`: TODO
-^^^^^^^^^^^^^^^^^^^^^^^
-
-TODO
-
-Backwards Incompatible Changes
-==============================
-
-TODO
-^^^^
+In ``_imagingcms.c``, two ``strcpy`` calls were able to copy too much data into fixed
+length strings. This has been fixed by using ``strncpy`` instead.
 
 Deprecations
 ============
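Review bot: The fallback still returns `TYPE_GRAY_8` for any mode findLCMStype does not recognise, and this hunk deletes the comment that admitted the function should fail there instead; combined with the bounded copy in cms_transform_new, an unknown or over-long mode such as the "ABCDEFGHI" in the new test now silently builds a transform that treats the pixel buffer as 8-bit grayscale, which is a wrong result delivered without an error. Returning a sentinel such as 0 here and having the caller raise `ValueError` for an unsupported mode would turn the silent guess into a reported failure, which is the safer outcome for a function that sizes buffer accesses from its return value. If the guess is kept on purpose, restore the honesty of the removed comment, e.g. `/* unknown mode: fall back to 8-bit gray; callers get no error, so validate modes before reaching here */`. findLCMStype begins before this hunk.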