Merge 2.5.x branch to master, get 2.5.3 in CHANGES.rst

2025-08-07 13:54:45 +03:00 · 2014-08-19 10:19:45 +02:00 · 2014-08-19 10:19:45 +02:00 · 3e4d3c6077
commit 3e4d3c6077
parent 30979d4dd4 68c6904c28
8 changed files with 29 additions and 4 deletions
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -61,6 +61,11 @@ Changelog (Pillow)
 - Test PalmImagePlugin and method to skip known bad tests #776
  [hugovk, wiredfool]

+2.5.3 (2014-08-18)
+------------------
+
+- Fixed CVE-2014-3598, a DOS in the Jpeg2KImagePlugin
+  [Andrew Drake]

 2.5.2 (2014-08-13)
 ------------------
@ -68,7 +73,6 @@ Changelog (Pillow)
 - Fixed CVE-2014-3589, a DOS in the IcnsImagePlugin (backport)
  [Andrew Drake]

- 
 2.5.1 (2014-07-10)
 ------------------

--- a/PIL/Jpeg2KImagePlugin.py
+++ b/PIL/Jpeg2KImagePlugin.py
@ -70,6 +70,9 @@ def _parse_jp2_header(fp):
        else:
            hlen = 8

+        if lbox < hlen:
+            raise SyntaxError('Invalid JP2 header length')
+        
        if tbox == b'jp2h':
            header = fp.read(lbox - hlen)
            break
--- a/PIL/init.py
+++ b/PIL/init.py
@ -12,7 +12,7 @@
 # ;-)

 VERSION = '1.1.7'  # PIL version
-PILLOW_VERSION = '2.5.0' # Pillow
+PILLOW_VERSION = '2.5.3' # Pillow

 _plugins = ['BmpImagePlugin',
            'BufrStubImagePlugin',
--- a/Tests/check_j2k_dos.py
+++ b/Tests/check_j2k_dos.py
@ -0,0 +1,11 @@
+# Tests potential DOS of Jpeg2kImagePlugin with 0 length block.
+# Run from anywhere that PIL is importable. 
+
+from PIL import Image
+from io import BytesIO
+
+if bytes is str:
+    Image.open(BytesIO(bytes('\x00\x00\x00\x0cjP\x20\x20\x0d\x0a\x87\x0a\x00\x00\x00\x00hang')))
+else:
+    Image.open(BytesIO(bytes('\x00\x00\x00\x0cjP\x20\x20\x0d\x0a\x87\x0a\x00\x00\x00\x00hang', 'latin-1')))
+
--- a/Tests/test_file_icns.py
+++ b/Tests/test_file_icns.py
@ -57,6 +57,10 @@ class TestFileIcns(PillowTestCase):
        if not enable_jpeg2k:
            return

+        self.skipKnownBadTest("Jpeg2000 hangs on Travis on OSX",
+                              platform='darwin',
+                              travis=True)
+
        im = Image.open('Tests/images/pillow3.icns')
        for w, h, r in im.info['sizes']:
            wr = w * r
--- a/Tests/test_file_jpeg2k.py
+++ b/Tests/test_file_jpeg2k.py
@ -18,6 +18,9 @@ class TestFileJpeg2k(PillowTestCase):
    def setUp(self):
        if "jpeg2k_encoder" not in codecs or "jpeg2k_decoder" not in codecs:
            self.skipTest('JPEG 2000 support not available')
+        self.skipKnownBadTest("Jpeg2000 hangs on Travis on OSX",
+                              platform='darwin',
+                              travis=True)

    def roundtrip(self, im, **options):
        out = BytesIO()
--- a/_imaging.c
+++ b/_imaging.c
@ -71,7 +71,7 @@
 * See the README file for information on usage and redistribution.
 */

-#define PILLOW_VERSION "2.5.0"
+#define PILLOW_VERSION "2.5.3"

 #include "Python.h"

--- a/setup.py
+++ b/setup.py
@ -90,7 +90,7 @@ except (ImportError, OSError):


 NAME = 'Pillow'
-PILLOW_VERSION = '2.5.0'
+PILLOW_VERSION = '2.5.3'
 TCL_ROOT = None
 JPEG_ROOT = None
 JPEG2K_ROOT = None