File: CVE-2008-1679.dpatch

python2.4 2.4.4-3+etch3
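#! /bin/sh -e

# DP: CVE-2007-4965
# NOTE(review): this file is named CVE-2008-1679.dpatch, but the DP
# description above names CVE-2007-4965 -- confirm which id is intended.

# Wrapper that applies (-patch) or reverts (-unpatch) the unified diff
# stored after this script. The file itself is fed to patch(1) on stdin.
#
# Usage:  <this file> -patch|-unpatch [-d <srcdir>]
# Exit:   0 on success, 1 on a usage error; a failing patch(1) aborts the
#         script because errexit is active.

# The -e in the interpreter line is lost when the file is run as
# "sh <file>", so enable errexit explicitly as well.
set -e

# Print the usage line on stderr and stop with status 1.
usage() {
    echo >&2 "usage: $(basename "$0"): -patch|-unpatch [-d <srcdir>]"
    exit 1
}

# dir is assigned as in the original script; nothing else here reads it.
dir=
if [ $# -eq 3 ] && [ "$2" = '-d' ]; then
    action=$1
    dir="$3/"
    # Keep "-d <srcdir>" as two separate words in the positional parameters,
    # so a source directory containing whitespace or glob characters
    # reaches patch(1) as a single argument.
    set -- -d "$3"
elif [ $# -eq 1 ]; then
    action=$1
    set --
else
    usage
fi

case "$action" in
    -patch)
        # "$0" is quoted so a script path with spaces still opens correctly.
        patch "$@" -f --no-backup-if-mismatch -p0 < "$0"
        ;;
    -unpatch)
        # -R reverses the diff, restoring the unpatched sources.
        patch "$@" -f --no-backup-if-mismatch -R -p0 < "$0"
        ;;
    *)
        usage
        ;;
esac
exit 0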

--- Modules/imageop.c	2008-04-07 16:13:42.000000000 -0700
+++ Modules/imageop.c	2008-04-07 16:10:21.000000000 -0700
@@ -640,6 +640,11 @@
 		PyErr_SetString(ImageopError, "String has incorrect length");
 		return 0;
 	}
+	
+	if ( nlen / x != y || nlen > INT_MAX / 4) {
+		PyErr_SetString(ImageopError, "Image is too large");
+		return 0;
+	}
     
 	rv = PyString_FromStringAndSize(NULL, nlen*4);
 	if ( rv == 0 )
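Review bot: The added guard `nlen / x != y` divides by `x` with no visible check that `x` is non-zero or positive; if a zero width can get past the preceding length test, this line traps with a division by zero instead of raising ImageopError. Checking the dimensions first would avoid that, e.g. `if ( x <= 0 || y <= 0 || nlen / x != y || nlen > INT_MAX / 4 ) {`. The guard also runs after `nlen` has already been computed (presumably as `x*y`, above the hunk), so it depends on signed overflow wrapping, which C leaves undefined; testing `x > INT_MAX / y` before the multiplication would be more robust. The same applies to the identical hunk at -743, and both enclosing functions start and end outside the hunks.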
@@ -743,6 +748,11 @@
 		PyErr_SetString(ImageopError, "String has incorrect length");
 		return 0;
 	}
+	
+	if ( nlen / x != y || nlen > INT_MAX / 4) {
+		PyErr_SetString(ImageopError, "Image is too large");
+		return 0;
+	}
     
 	rv = PyString_FromStringAndSize(NULL, nlen*4);
 	if ( rv == 0 )