c16add7fd9
Fixes: <https://issues.guix.gnu.org/issue/61172> * gnu/packages/python-xyz.scm (python-pillow/security-fixes): New variable. (python-pillow): Add replacement. * gnu/packages/patches/python-pillow-CVE-2022-45199.patch: New file. * gnu/local.mk: Register it.
37 lines
1.4 KiB
Diff
37 lines
1.4 KiB
Diff
From 13f2c5ae14901c89c38f898496102afd9daeaf6d Mon Sep 17 00:00:00 2001
|
|
From: Eric Soroos <eric-github@soroos.net>
|
|
Date: Fri, 28 Oct 2022 14:11:25 +0200
|
|
Subject: [PATCH 1/5] Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
|
|
|
|
A large value in the SAMPLESPERPIXEL tag could lead to a memory and
|
|
runtime DOS in TiffImagePlugin.py when setting up the context for
|
|
image decoding.
|
|
|
|
diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
|
|
index 04a63bd2b44..46166fc6335 100644
|
|
--- a/src/PIL/TiffImagePlugin.py
|
|
+++ b/src/PIL/TiffImagePlugin.py
|
|
@@ -257,6 +257,8 @@
|
|
(MM, 8, (1,), 1, (8, 8, 8), ()): ("LAB", "LAB"),
|
|
}
|
|
|
|
+MAX_SAMPLESPERPIXEL = max(len(key_tp[4]) for key_tp in OPEN_INFO.keys())
|
|
+
|
|
PREFIXES = [
|
|
b"MM\x00\x2A", # Valid TIFF header with big-endian byte order
|
|
b"II\x2A\x00", # Valid TIFF header with little-endian byte order
|
|
@@ -1396,6 +1398,12 @@ def _setup(self):
|
|
SAMPLESPERPIXEL,
|
|
3 if self._compression == "tiff_jpeg" and photo in (2, 6) else 1,
|
|
)
|
|
+
|
|
+ if samples_per_pixel > MAX_SAMPLESPERPIXEL:
|
|
+ # DOS check, samples_per_pixel can be a Long, and we extend the tuple below
|
|
+ logger.error("More samples per pixel than can be decoded: %s", samples_per_pixel)
|
|
+ raise SyntaxError("Invalid value for samples per pixel")
|
|
+
|
|
if samples_per_pixel < bps_actual_count:
|
|
# If a file has more values in bps_tuple than expected,
|
|
# remove the excess.
|
|
|