python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2025-08-11 15:54:45 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7 from ActiveState/BE-584-cve-2021-27921

Browse Source 
BE-584 Cherrypick the fix for CVE-2021-27921
This commit is contained in:
Marc Gutman 2023-03-01 12:04:14 -06:00 committed by GitHub
commit e18d9e1391
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 251 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
CHANGES.rst
View File

@ -8,6 +8,13 @@ Changelog (Pillow)
- Use more specific regex chars to prevent ReDoS. CVE-2021-25292 - Use more specific regex chars to prevent ReDoS. CVE-2021-25292
[rickprice,hugovk] [rickprice,hugovk]
- Fix CVE CVE-2021-25293: There is an out-of-bounds read in ``SgiRleDecode.c``,
since Pillow 4.3.0.
[rickprice]
- Fix CVE-2021-2791
[rickprice]
6.2.2.3 (2023-02-23) 6.2.2.3 (2023-02-23)
------------------ ------------------
@ -27,7 +34,7 @@ Changelog (Pillow)
- Use snprintf instead of sprintf. CVE-2021-34552 - Use snprintf instead of sprintf. CVE-2021-34552
[wooken] [wooken]
6.2.2.1 (2021-10-08) 6.2.2.1 (2021-10-08)
------------------ ------------------

BIN
Tests/images/oom-8ed3316a4109213ca96fb8a256a0bfefdece1461.icns Normal file
View File

Binary file not shown.

173
Tests/test_file_icns.py
View File

@ -1,120 +1,147 @@
import io import io
import sys import sys
from PIL import IcnsImagePlugin, Image import pytest
from .helper import PillowTestCase, unittest from PIL import IcnsImagePlugin, Image, features
# sample icon file # sample icon file
TEST_FILE = "Tests/images/pillow.icns" TEST_FILE = "Tests/images/pillow.icns"
enable_jpeg2k = hasattr(Image.core, "jp2klib_version") ENABLE_JPEG2K = features.check_codec("jpg_2000")
class TestFileIcns(PillowTestCase): def test_sanity():
def test_sanity(self): # Loading this icon by default should result in the largest size
# Loading this icon by default should result in the largest size # (512x512@2x) being loaded
# (512x512@2x) being loaded with Image.open(TEST_FILE) as im:
im = Image.open(TEST_FILE)
# Assert that there is no unclosed file warning # Assert that there is no unclosed file warning
self.assert_warning(None, im.load) with pytest.warns(None) as record:
im.load()
assert not record
self.assertEqual(im.mode, "RGBA") assert im.mode == "RGBA"
self.assertEqual(im.size, (1024, 1024)) assert im.size == (1024, 1024)
self.assertEqual(im.format, "ICNS") assert im.format == "ICNS"
@unittest.skipIf(sys.platform != "darwin", "requires macOS")
def test_save(self):
im = Image.open(TEST_FILE)
temp_file = self.tempfile("temp.icns") @pytest.mark.skipif(sys.platform != "darwin", reason="Requires macOS")
def test_save(tmp_path):
temp_file = str(tmp_path / "temp.icns")
with Image.open(TEST_FILE) as im:
im.save(temp_file) im.save(temp_file)
reread = Image.open(temp_file) with Image.open(temp_file) as reread:
assert reread.mode == "RGBA"
assert reread.size == (1024, 1024)
assert reread.format == "ICNS"
self.assertEqual(reread.mode, "RGBA")
self.assertEqual(reread.size, (1024, 1024))
self.assertEqual(reread.format, "ICNS")
@unittest.skipIf(sys.platform != "darwin", "requires macOS") @pytest.mark.skipif(sys.platform != "darwin", reason="Requires macOS")
def test_save_append_images(self): def test_save_append_images(tmp_path):
im = Image.open(TEST_FILE) temp_file = str(tmp_path / "temp.icns")
provided_im = Image.new("RGBA", (32, 32), (255, 0, 0, 128))
temp_file = self.tempfile("temp.icns") with Image.open(TEST_FILE) as im:
provided_im = Image.new("RGBA", (32, 32), (255, 0, 0, 128))
im.save(temp_file, append_images=[provided_im]) im.save(temp_file, append_images=[provided_im])
reread = Image.open(temp_file) assert_image_similar_tofile(im, temp_file, 1)
self.assert_image_similar(reread, im, 1)
reread = Image.open(temp_file) with Image.open(temp_file) as reread:
reread.size = (16, 16, 2) reread.size = (16, 16, 2)
reread.load() reread.load()
self.assert_image_equal(reread, provided_im) assert_image_equal(reread, provided_im)
def test_sizes(self):
# Check that we can load all of the sizes, and that the final pixel @pytest.mark.skipif(sys.platform != "darwin", reason="Requires macOS")
# dimensions are as expected def test_save_fp():
im = Image.open(TEST_FILE) fp = io.BytesIO()
with Image.open(TEST_FILE) as im:
im.save(fp, format="ICNS")
with Image.open(fp) as reread:
assert reread.mode == "RGBA"
assert reread.size == (1024, 1024)
assert reread.format == "ICNS"
def test_sizes():
# Check that we can load all of the sizes, and that the final pixel
# dimensions are as expected
with Image.open(TEST_FILE) as im:
for w, h, r in im.info["sizes"]: for w, h, r in im.info["sizes"]:
wr = w * r wr = w * r
hr = h * r hr = h * r
im.size = (w, h, r) im.size = (w, h, r)
im.load() im.load()
self.assertEqual(im.mode, "RGBA") assert im.mode == "RGBA"
self.assertEqual(im.size, (wr, hr)) assert im.size == (wr, hr)
# Check that we cannot load an incorrect size # Check that we cannot load an incorrect size
with self.assertRaises(ValueError): with pytest.raises(ValueError):
im.size = (1, 1) im.size = (1, 1)
def test_older_icon(self):
# This icon was made with Icon Composer rather than iconutil; it still def test_older_icon():
# uses PNG rather than JP2, however (since it was made on 10.9). # This icon was made with Icon Composer rather than iconutil; it still
im = Image.open("Tests/images/pillow2.icns") # uses PNG rather than JP2, however (since it was made on 10.9).
with Image.open("Tests/images/pillow2.icns") as im:
for w, h, r in im.info["sizes"]: for w, h, r in im.info["sizes"]:
wr = w * r wr = w * r
hr = h * r hr = h * r
im2 = Image.open("Tests/images/pillow2.icns") with Image.open("Tests/images/pillow2.icns") as im2:
im2.size = (w, h, r) im2.size = (w, h, r)
im2.load() im2.load()
self.assertEqual(im2.mode, "RGBA") assert im2.mode == "RGBA"
self.assertEqual(im2.size, (wr, hr)) assert im2.size == (wr, hr)
def test_jp2_icon(self):
# This icon was made by using Uli Kusterer's oldiconutil to replace
# the PNG images with JPEG 2000 ones. The advantage of doing this is
# that OS X 10.5 supports JPEG 2000 but not PNG; some commercial
# software therefore does just this.
# (oldiconutil is here: https://github.com/uliwitness/oldiconutil) def test_jp2_icon():
# This icon was made by using Uli Kusterer's oldiconutil to replace
# the PNG images with JPEG 2000 ones. The advantage of doing this is
# that OS X 10.5 supports JPEG 2000 but not PNG; some commercial
# software therefore does just this.
if not enable_jpeg2k: # (oldiconutil is here: https://github.com/uliwitness/oldiconutil)
return
im = Image.open("Tests/images/pillow3.icns") if not ENABLE_JPEG2K:
return
with Image.open("Tests/images/pillow3.icns") as im:
for w, h, r in im.info["sizes"]: for w, h, r in im.info["sizes"]:
wr = w * r wr = w * r
hr = h * r hr = h * r
im2 = Image.open("Tests/images/pillow3.icns") with Image.open("Tests/images/pillow3.icns") as im2:
im2.size = (w, h, r) im2.size = (w, h, r)
im2.load() im2.load()
self.assertEqual(im2.mode, "RGBA") assert im2.mode == "RGBA"
self.assertEqual(im2.size, (wr, hr)) assert im2.size == (wr, hr)
def test_getimage(self):
with open(TEST_FILE, "rb") as fp:
icns_file = IcnsImagePlugin.IcnsFile(fp)
im = icns_file.getimage() def test_getimage():
self.assertEqual(im.mode, "RGBA") with open(TEST_FILE, "rb") as fp:
self.assertEqual(im.size, (1024, 1024)) icns_file = IcnsImagePlugin.IcnsFile(fp)
im = icns_file.getimage((512, 512)) im = icns_file.getimage()
self.assertEqual(im.mode, "RGBA") assert im.mode == "RGBA"
self.assertEqual(im.size, (512, 512)) assert im.size == (1024, 1024)
def test_not_an_icns_file(self): im = icns_file.getimage((512, 512))
with io.BytesIO(b"invalid\n") as fp: assert im.mode == "RGBA"
self.assertRaises(SyntaxError, IcnsImagePlugin.IcnsFile, fp) assert im.size == (512, 512)
def test_not_an_icns_file():
with io.BytesIO(b"invalid\n") as fp:
with pytest.raises(SyntaxError):
IcnsImagePlugin.IcnsFile(fp)
def test_icns_decompression_bomb():
with pytest.raises(Image.DecompressionBombError):
im = Image.open(
'Tests/images/oom-8ed3316a4109213ca96fb8a256a0bfefdece1461.icns')
im.load()

138
Tests/test_file_icns.py.orig Normal file
View File

@ -0,0 +1,138 @@
import io
import sys
from PIL import IcnsImagePlugin, Image
from .helper import PillowTestCase, unittest
# sample icon file
TEST_FILE = "Tests/images/pillow.icns"
enable_jpeg2k = hasattr(Image.core, "jp2klib_version")
class TestFileIcns(PillowTestCase):
def test_sanity(self):
# Loading this icon by default should result in the largest size
# (512x512@2x) being loaded
im = Image.open(TEST_FILE)
# Assert that there is no unclosed file warning
self.assert_warning(None, im.load)
self.assertEqual(im.mode, "RGBA")
self.assertEqual(im.size, (1024, 1024))
self.assertEqual(im.format, "ICNS")
@unittest.skipIf(sys.platform != "darwin", "requires macOS")
def test_save(self):
im = Image.open(TEST_FILE)
temp_file = self.tempfile("temp.icns")
im.save(temp_file)
reread = Image.open(temp_file)
self.assertEqual(reread.mode, "RGBA")
self.assertEqual(reread.size, (1024, 1024))
self.assertEqual(reread.format, "ICNS")
@unittest.skipIf(sys.platform != "darwin", "requires macOS")
def test_save_append_images(self):
im = Image.open(TEST_FILE)
temp_file = self.tempfile("temp.icns")
provided_im = Image.new("RGBA", (32, 32), (255, 0, 0, 128))
im.save(temp_file, append_images=[provided_im])
reread = Image.open(temp_file)
self.assert_image_similar(reread, im, 1)
reread = Image.open(temp_file)
reread.size = (16, 16, 2)
reread.load()
self.assert_image_equal(reread, provided_im)
def test_sizes(self):
# Check that we can load all of the sizes, and that the final pixel
# dimensions are as expected
im = Image.open(TEST_FILE)
for w, h, r in im.info["sizes"]:
wr = w * r
hr = h * r
im.size = (w, h, r)
im.load()
self.assertEqual(im.mode, "RGBA")
self.assertEqual(im.size, (wr, hr))
# Check that we cannot load an incorrect size
with self.assertRaises(ValueError):
im.size = (1, 1)
def test_older_icon(self):
# This icon was made with Icon Composer rather than iconutil; it still
# uses PNG rather than JP2, however (since it was made on 10.9).
im = Image.open("Tests/images/pillow2.icns")
for w, h, r in im.info["sizes"]:
wr = w * r
hr = h * r
im2 = Image.open("Tests/images/pillow2.icns")
im2.size = (w, h, r)
im2.load()
self.assertEqual(im2.mode, "RGBA")
self.assertEqual(im2.size, (wr, hr))
def test_jp2_icon(self):
# This icon was made by using Uli Kusterer's oldiconutil to replace
# the PNG images with JPEG 2000 ones. The advantage of doing this is
# that OS X 10.5 supports JPEG 2000 but not PNG; some commercial
# software therefore does just this.
# (oldiconutil is here: https://github.com/uliwitness/oldiconutil)
if not enable_jpeg2k:
return
im = Image.open("Tests/images/pillow3.icns")
for w, h, r in im.info["sizes"]:
wr = w * r
hr = h * r
im2 = Image.open("Tests/images/pillow3.icns")
im2.size = (w, h, r)
im2.load()
self.assertEqual(im2.mode, "RGBA")
self.assertEqual(im2.size, (wr, hr))
def test_getimage(self):
with open(TEST_FILE, "rb") as fp:
icns_file = IcnsImagePlugin.IcnsFile(fp)
im = icns_file.getimage()
self.assertEqual(im.mode, "RGBA")
self.assertEqual(im.size, (1024, 1024))
im = icns_file.getimage((512, 512))
self.assertEqual(im.mode, "RGBA")
self.assertEqual(im.size, (512, 512))
<<<<<<< HEAD
def test_not_an_icns_file(self):
with io.BytesIO(b"invalid\n") as fp:
self.assertRaises(SyntaxError, IcnsImagePlugin.IcnsFile, fp)
=======
im = icns_file.getimage((512, 512))
assert im.mode == "RGBA"
assert im.size == (512, 512)
def test_not_an_icns_file():
with io.BytesIO(b"invalid\n") as fp:
with pytest.raises(SyntaxError):
IcnsImagePlugin.IcnsFile(fp)
def test_icns_decompression_bomb():
with pytest.raises(Image.DecompressionBombError):
im = Image.open('Tests/images/oom-8ed3316a4109213ca96fb8a256a0bfefdece1461.icns')
im.load()
>>>>>>> 480f6819b (Fix Memory DOS in Icns, Ico and Blp Image Plugins)

1
docs/releasenotes/6.2.2.4.rst
View File

@ -9,3 +9,4 @@ This release addresses several critical CVEs.
:cve:`CVE-2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c``, :cve:`CVE-2021-25293`: There is an out-of-bounds read in ``SgiRleDecode.c``,
since Pillow 4.3.0. since Pillow 4.3.0.
:cve: `CVE-2021-2791` : Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

1
src/PIL/BlpImagePlugin.py
View File

@ -353,6 +353,7 @@ class BLP1Decoder(_BLPBaseDecoder):
data = jpeg_header + data data = jpeg_header + data
data = BytesIO(data) data = BytesIO(data)
image = JpegImageFile(data) image = JpegImageFile(data)
Image._decompression_bomb_check(image.size)
self.tile = image.tile # :/ self.tile = image.tile # :/
self.fd = image.fp self.fd = image.fp
self.mode = image.mode self.mode = image.mode

2
src/PIL/IcnsImagePlugin.py
View File

@ -105,6 +105,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
if sig[:8] == b"\x89PNG\x0d\x0a\x1a\x0a": if sig[:8] == b"\x89PNG\x0d\x0a\x1a\x0a":
fobj.seek(start) fobj.seek(start)
im = PngImagePlugin.PngImageFile(fobj) im = PngImagePlugin.PngImageFile(fobj)
Image._decompression_bomb_check(im.size)
return {"RGBA": im} return {"RGBA": im}
elif ( elif (
sig[:4] == b"\xff\x4f\xff\x51" sig[:4] == b"\xff\x4f\xff\x51"
@ -121,6 +122,7 @@ def read_png_or_jpeg2000(fobj, start_length, size):
jp2kstream = fobj.read(length) jp2kstream = fobj.read(length)
f = io.BytesIO(jp2kstream) f = io.BytesIO(jp2kstream)
im = Jpeg2KImagePlugin.Jpeg2KImageFile(f) im = Jpeg2KImagePlugin.Jpeg2KImageFile(f)
Image._decompression_bomb_check(im.size)
if im.mode != "RGBA": if im.mode != "RGBA":
im = im.convert("RGBA") im = im.convert("RGBA")
return {"RGBA": im} return {"RGBA": im}

1
src/PIL/IcoImagePlugin.py
View File

@ -177,6 +177,7 @@ class IcoFile(object):
if data[:8] == PngImagePlugin._MAGIC: if data[:8] == PngImagePlugin._MAGIC:
# png frame # png frame
im = PngImagePlugin.PngImageFile(self.buf) im = PngImagePlugin.PngImageFile(self.buf)
Image._decompression_bomb_check(im.size)
else: else:
# XOR + AND mask bmp frame # XOR + AND mask bmp frame
im = BmpImagePlugin.DibImageFile(self.buf) im = BmpImagePlugin.DibImageFile(self.buf)