Package: pillow / 8.1.2+dfsg-0.3

CVE-2021-28677.patch
From 5a5e6db0abf4e7a638fb1b3408c4e495a096cb92 Mon Sep 17 00:00:00 2001
From: Eric Soroos <eric-github@soroos.net>
Date: Mon, 8 Mar 2021 20:31:41 +0100
Subject: [PATCH] Fix EPS DOS on _open -- CVE-2021-28677

* The readline used in EPS has to deal with any combination of \r and
  \n as line endings. It used an accidentally quadratic method of
  accumulating lines while looking for a line ending.
* A malicious EPS file could use this to perform a DOS of Pillow in
  the open phase, before an image was accepted for opening.
* This dates to the PIL Fork

diff --git a/src/PIL/EpsImagePlugin.py b/src/PIL/EpsImagePlugin.py
index dc61f48edc9..3bf8ee0ab35 100644
--- a/src/PIL/EpsImagePlugin.py
+++ b/src/PIL/EpsImagePlugin.py
@@ -170,12 +170,12 @@ def seek(self, offset, whence=io.SEEK_SET):
         self.fp.seek(offset, whence)
 
     def readline(self):
-        s = self.char or b""
+        s = [self.char or b""]
         self.char = None
 
         c = self.fp.read(1)
-        while c not in b"\r\n":
-            s = s + c
+        while (c not in b"\r\n") and len(c):
+            s.append(c)
             c = self.fp.read(1)
 
         self.char = self.fp.read(1)
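Review bot: the `and len(c)` added to the loop condition has no comment explaining it, and as written it is redundant: at end of file `read(1)` returns `b""`, which already tests as contained in `b"\r\n"`, so the old condition stopped there as well. Either drop it or make the intent explicit with `while c and c not in b"\r\n":` and a one-line comment about EOF. Separately, `s.append(c)` still collects one element per byte with no upper bound on line length, so an input with no line ending is read to the end into memory; a maximum line length in this loop would bound memory as well as time.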
@@ -183,7 +183,7 @@ def readline(self):
         if self.char in b"\r\n":
             self.char = None
 
-        return s.decode("latin-1")
+        return b"".join(s).decode("latin-1")
 
 
 def _accept(prefix):
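Review bot: no regression test accompanies the change to the return path `b"".join(s).decode("latin-1")`; as shown here the patch touches only src/PIL/EpsImagePlugin.py. A test that feeds `readline` a long run of bytes with no `\r` or `\n`, plus cases for each line-ending combination the commit message mentions, would pin both the linear behaviour and the unchanged return value. A short docstring on `readline` stating that a second `\r` or `\n` directly after the terminator is consumed (the `if self.char in b"\r\n"` branch) would also help future readers.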