From 9ae8f6b7aa8ea4638cb675267cd20c5425dcfafc Mon Sep 17 00:00:00 2001
From: qz_cx <wangqingzheng@kylinos.cn>
Date: Thu, 17 Nov 2022 10:28:59 +0800
Subject: [PATCH] Merge pull request #6700 from hugovk/security-samples_per_pixel-sec

hugovk committed Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD

A large value in the SAMPLESPERPIXEL tag could lead to a memory and runtime DOS in TiffImagePlugin.py when setting up the context for image decoding.
---
 Tests/test_file_tiff.py | 14 +++++++++++++-
 src/PIL/TiffImagePlugin.py | 10 ++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/Tests/test_file_tiff.py b/Tests/test_file_tiff.py
index 5801e17..57fabfa 100644
--- a/Tests/test_file_tiff.py
+++ b/Tests/test_file_tiff.py
@@ -3,7 +3,7 @@ from io import BytesIO
 
 import pytest
 
-from PIL import Image, ImageFile, TiffImagePlugin
+from PIL import Image, ImageFile, TiffImagePlugin, UnidentifiedImageError
 from PIL.TiffImagePlugin import RESOLUTION_UNIT, X_RESOLUTION, Y_RESOLUTION
 
 from .helper import (
@@ -734,6 +734,18 @@ class TestFileTiff:
         im.load()
         ImageFile.LOAD_TRUNCATED_IMAGES = False
 
+    @pytest.mark.parametrize(
+        "test_file",
+        [
+            "Tests/images/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif",
+        ],
+    )
+    @pytest.mark.timeout(2)
+    def test_oom(self, test_file):
+        with pytest.raises(UnidentifiedImageError):
+            with pytest.warns(UserWarning):
+                with Image.open(test_file):
+                    pass
 
 
 @pytest.mark.skipif(not is_win32(), reason="Windows only")
 class TestFileTiffW32:
diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
index 5df5c4f..f2afe63 100644
--- a/src/PIL/TiffImagePlugin.py
+++ b/src/PIL/TiffImagePlugin.py
@@ -252,6 +252,8 @@ OPEN_INFO = {
     (MM, 8, (1,), 1, (8, 8, 8), ()): ("LAB", "LAB"),
 }
 
+MAX_SAMPLESPERPIXEL = max(len(key_tp[4]) for key_tp in OPEN_INFO.keys())
+
 PREFIXES = [
     b"MM\x00\x2A",  # Valid TIFF header with big-endian byte order
     b"II\x2A\x00",  # Valid TIFF header with little-endian byte order
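Review bot: The new test_oom opens `Tests/images/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif`, but the diffstat lists only the two text files, so the binary sample is not carried by this patch; unless it is shipped separately, Image.open raises FileNotFoundError instead of the UnidentifiedImageError the test expects and the regression test fails rather than protecting the fix. The `@pytest.mark.timeout(2)` mark also depends on the pytest-timeout plugin being installed; if it is not, the mark is unknown and is either warned about or, under strict marker configuration, rejected outright. It is worth confirming both in the build environment for this backport, since the test is the only thing exercising the new bound.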
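Review bot: MAX_SAMPLESPERPIXEL is a security limit derived from OPEN_INFO, yet the new line carries no comment saying what it bounds or why it is derived rather than fixed, and `.keys()` is redundant when iterating a dict. Suggest `# Largest sample count any OPEN_INFO mode can decode; SAMPLESPERPIXEL tag values above it are rejected before per-sample tuples are sized from them` followed by `MAX_SAMPLESPERPIXEL = max(len(key[4]) for key in OPEN_INFO)`. Deriving it from the table keeps the bound in step with the supported modes, which the comment should state so a future OPEN_INFO addition is not accompanied by a hand-edited constant.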
@@ -1310,6 +1312,14 @@ class TiffImageFile(ImageFile.ImageFile):
             SAMPLESPERPIXEL,
             3 if self._compression == "tiff_jpeg" and photo in (2, 6) else 1,
         )
+
+        if samplesPerPixel > MAX_SAMPLESPERPIXEL:
+            # DOS check, samplesPerPixel can be a Long, and we extend the tuple below
+            logger.error(
+                "More samples per pixel than can be decoded: %s", samplesPerPixel
+            )
+            raise SyntaxError("Invalid value for samples per pixel")
+
         if len(bps_tuple) != samplesPerPixel:
             raise SyntaxError("unknown data organization")
 
-- 
2.33.0
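Review bot: The comment on the new guard explains the rationale in Python 2 terms ("can be a Long") and refers to "the tuple below", which is outside this hunk, so a reader of this version cannot tell what the bound protects; suggest `# Untrusted tag value (unbounded int); bound it here because it sizes the per-sample tuples built further down`. The `logger.error` call fires on every rejected file immediately before a SyntaxError that Image.open already surfaces as UnidentifiedImageError (the test in this patch asserts exactly that), so one malformed input is reported twice and at error severity although it is an expected rejection of bad data rather than an internal fault; `logger.warning` or `logger.debug` would read more accurately, though the module's wider logging convention is not visible here. The context line `if len(bps_tuple) != samplesPerPixel` shows bps_tuple is built before this hunk; if its length also comes straight from a tag, it would want the same bound, which cannot be confirmed from this excerpt. The enclosing method starts and continues outside the hunk.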