Package: pillow / 8.1.2+dfsg-0.3

CVE-2021-25287_CVE-2021-25288.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
From 3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Sun, 7 Mar 2021 12:32:12 +0100
Subject: [PATCH] Fix OOB Read in Jpeg2KDecode CVE-2021-25287,CVE-2021-25288

* For J2k images with multiple bands, it's legal in to have different
  widths for each band, e.g. 1 byte for L, 4 bytes for A
* This dates to Pillow 2.4.0

--- pillow-8.1.2+dfsg.orig/src/libImaging/Jpeg2KDecode.c
+++ pillow-8.1.2+dfsg/src/libImaging/Jpeg2KDecode.c
@@ -589,7 +589,7 @@ j2k_decode_entry(Imaging im, ImagingCode
     j2k_unpacker_t unpack = NULL;
     size_t buffer_size = 0, tile_bytes = 0;
     unsigned n, tile_height, tile_width;
-    int components;
+    int total_component_width = 0;
 
 
     stream = opj_stream_create(BUFFER_SIZE, OPJ_TRUE);
@@ -753,23 +753,40 @@ j2k_decode_entry(Imaging im, ImagingCode
             goto quick_exit;
         }
 
+        if (tile_info.nb_comps != image->numcomps) {
+            state->errcode = IMAGING_CODEC_BROKEN;
+            state->state = J2K_STATE_FAILED;
+            goto quick_exit;
+        }
+	
         /* Sometimes the tile_info.datasize we get back from openjpeg
-           is less than numcomps*w*h, and we overflow in the
+           is less than sum(comp_bytes)*w*h, and we overflow in the
            shuffle stage */
 
         tile_width = tile_info.x1 - tile_info.x0;
         tile_height = tile_info.y1 - tile_info.y0;
-        components = tile_info.nb_comps == 3 ? 4 : tile_info.nb_comps;
-        if (( tile_width > UINT_MAX / components ) ||
-            ( tile_height > UINT_MAX / components ) ||
-            ( tile_width > UINT_MAX / (tile_height * components )) ||
-            ( tile_height > UINT_MAX / (tile_width * components ))) {
+
+        /* Total component width = sum (component_width) e.g, it's
+         legal for an la file to have a 1 byte width for l, and 4 for
+         a. and then a malicious file could have a smaller tile_bytes
+        */
+
+        for (n=0; n < tile_info.nb_comps; n++) {
+            // see csize /acsize calcs
+            int csize = (image->comps[n].prec + 7) >> 3;
+            csize = (csize == 3) ? 4 : csize;
+            total_component_width += csize;
+        }
+        if ((tile_width > UINT_MAX / total_component_width) ||
+            (tile_height > UINT_MAX / total_component_width) ||
+            (tile_width > UINT_MAX / (tile_height * total_component_width)) ||
+            (tile_height > UINT_MAX / (tile_width * total_component_width))) {
             state->errcode = IMAGING_CODEC_BROKEN;
             state->state = J2K_STATE_FAILED;
             goto quick_exit;
         }
-
-        tile_bytes = tile_width * tile_height * components;
+	
+        tile_bytes = tile_width * tile_height * total_component_width;
 
         if (tile_bytes > tile_info.data_size) {
             tile_info.data_size = tile_bytes;