rpms/python2
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
0d7f755544
python2/python-2.5.CVE-2007-4965-int-overflow.patch

222 lines
6.1 KiB
Diff
Raw Normal View History

- Fix pyconfig.h comment typo. - Add back test_support.py and the __init__.py file. - Resolves: rhbz#387401
2007-11-30 05:31:41 +00:00
diff -ru Python-2.5-orig/Modules/imageop.c Python-2.5/Modules/imageop.c
--- Python-2.5-orig/Modules/imageop.c 2006-01-19 01:09:39.000000000 -0500
+++ Python-2.5/Modules/imageop.c 2007-10-19 01:11:33.000000000 -0400
@@ -78,7 +78,7 @@
char *cp, *ncp;
short *nsp;
Py_Int32 *nlp;
- int len, size, x, y, newx1, newx2, newy1, newy2;
+ int len, size, x, y, newx1, newx2, newy1, newy2, nlen;
int ix, iy, xstep, ystep;
PyObject *rv;
@@ -90,13 +90,19 @@
PyErr_SetString(ImageopError, "Size should be 1, 2 or 4");
return 0;
}
- if ( len != size*x*y ) {
+ if (( len != size*x*y ) ||
+ ( size != ((len / x) / y) )) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
xstep = (newx1 < newx2)? 1 : -1;
ystep = (newy1 < newy2)? 1 : -1;
+ nlen = (abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size;
+ if ( size != ((nlen / (abs(newx2-newx1)+1)) / (abs(newy2-newy1)+1)) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
rv = PyString_FromStringAndSize(NULL,
(abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size);
if ( rv == 0 )
@@ -132,7 +138,7 @@
char *cp, *ncp;
short *nsp;
Py_Int32 *nlp;
- int len, size, x, y, newx, newy;
+ int len, size, x, y, newx, newy, nlen;
int ix, iy;
int oix, oiy;
PyObject *rv;
@@ -145,12 +151,18 @@
PyErr_SetString(ImageopError, "Size should be 1, 2 or 4");
return 0;
}
- if ( len != size*x*y ) {
+ if ( ( len != size*x*y ) ||
+ ( size != ((len / x) / y) ) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
+ nlen = newx*newy*size;
+ if ( size != ((nlen / newx) / newy) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
- rv = PyString_FromStringAndSize(NULL, newx*newy*size);
+ rv = PyString_FromStringAndSize(NULL, nlen);
if ( rv == 0 )
return 0;
ncp = (char *)PyString_AsString(rv);
@@ -190,7 +202,8 @@
PyErr_SetString(ImageopError, "Size should be 1 or 4");
return 0;
}
- if ( maxx*maxy*width != len ) {
+ if ( ( maxx*maxy*width != len ) ||
+ ( maxx != ((len / maxy) / width) ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -240,7 +253,8 @@
if ( !PyArg_ParseTuple(args, "s#iii", &cp, &len, &x, &y, &tres) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -281,7 +295,8 @@
if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -320,7 +335,8 @@
if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -358,7 +374,8 @@
if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -404,7 +421,8 @@
if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
return 0;
- if ( x*y != len ) {
+ if ( ( x*y != len ) ||
+ ( x != len / y ) ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
}
@@ -443,7 +461,11 @@
if ( !PyArg_ParseTuple(args, "s#iiii", &cp, &len, &x, &y, &v0, &v1) )
return 0;
- nlen = x*y;
+ nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( (nlen+7)/8 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -481,6 +503,10 @@
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( (nlen+3)/4 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -517,6 +543,10 @@
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( (nlen+1)/2 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -554,6 +584,10 @@
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( nlen*4 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -598,6 +632,10 @@
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( nlen != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -648,6 +686,10 @@
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( nlen*4 != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
@@ -693,6 +735,10 @@
return 0;
nlen = x*y;
+ if ( x != (nlen / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
if ( nlen != len ) {
PyErr_SetString(ImageopError, "String has incorrect length");
return 0;
Only in Python-2.5/Modules: imageop.c~
Only in Python-2.5/Modules: imageop.c.cve2007-4965
diff -ru Python-2.5-orig/Modules/rgbimgmodule.c Python-2.5/Modules/rgbimgmodule.c
--- Python-2.5-orig/Modules/rgbimgmodule.c 2006-08-11 23:18:50.000000000 -0400
+++ Python-2.5/Modules/rgbimgmodule.c 2007-10-19 01:05:44.000000000 -0400
@@ -299,6 +299,11 @@
xsize = image.xsize;
ysize = image.ysize;
zsize = image.zsize;
+ tablen = xsize * ysize * zsize * sizeof(Py_Int32);
+ if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) {
+ PyErr_NoMemory();
+ goto finally;
+ }
if (rle) {
tablen = ysize * zsize * sizeof(Py_Int32);
starttab = (Py_Int32 *)malloc(tablen);
Only in Python-2.5/Modules: rgbimgmodule.c.cve2007-4965
Only in Python-2.5/Modules: _tkinter.c.tkinter
Reference in New Issue Copy Permalink