[arch-commits] CVS update of extra/devel/python (1 file)

andyrtr at archlinux.org andyrtr at archlinux.org
Mon Jan 7 22:24:29 UTC 2008 

    Date: Monday, January 7, 2008 @ 17:24:29
  Author: andyrtr
    Path: /home/cvs-extra/extra/devel/python

   Added: python-2.5.CVE-2007-4965-int-overflow.patch (1.1)

patch added


---------------------------------------------+
 python-2.5.CVE-2007-4965-int-overflow.patch |  217 ++++++++++++++++++++++++++
 1 file changed, 217 insertions(+)


Index: extra/devel/python/python-2.5.CVE-2007-4965-int-overflow.patch
diff -u /dev/null extra/devel/python/python-2.5.CVE-2007-4965-int-overflow.patch:1.1
--- /dev/null	Mon Jan  7 17:24:29 2008
+++ extra/devel/python/python-2.5.CVE-2007-4965-int-overflow.patch	Mon Jan  7 17:24:29 2008
@@ -0,0 +1,217 @@
+diff -rup Python-2.5-orig/Modules/imageop.c Python-2.5/Modules/imageop.c
+--- Python-2.5-orig/Modules/imageop.c	2006-01-19 01:09:39.000000000 -0500
++++ Python-2.5/Modules/imageop.c	2007-09-19 16:42:44.000000000 -0400
+@@ -78,7 +78,7 @@ imageop_crop(PyObject *self, PyObject *a
+ 	char *cp, *ncp;
+ 	short *nsp;
+ 	Py_Int32 *nlp;
+-	int len, size, x, y, newx1, newx2, newy1, newy2;
++	int len, size, x, y, newx1, newx2, newy1, newy2, nlen;
+ 	int ix, iy, xstep, ystep;
+ 	PyObject *rv;
+ 
+@@ -90,13 +90,19 @@ imageop_crop(PyObject *self, PyObject *a
+ 		PyErr_SetString(ImageopError, "Size should be 1, 2 or 4");
+ 		return 0;
+ 	}
+-	if ( len != size*x*y ) {
++	/* ( len != size*x*y ) */
++	if ( size != ((len / x) / y) ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+ 	xstep = (newx1 < newx2)? 1 : -1;
+ 	ystep = (newy1 < newy2)? 1 : -1;
+     
++        nlen = (abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size;
++        if ( size != ((nlen / (abs(newx2-newx1)+1)) / (abs(newy2-newy1)+1)) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	rv = PyString_FromStringAndSize(NULL,
+ 			     (abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size);
+ 	if ( rv == 0 )
+@@ -132,7 +138,7 @@ imageop_scale(PyObject *self, PyObject *
+ 	char *cp, *ncp;
+ 	short *nsp;
+ 	Py_Int32 *nlp;
+-	int len, size, x, y, newx, newy;
++	int len, size, x, y, newx, newy, nlen;
+ 	int ix, iy;
+ 	int oix, oiy;
+ 	PyObject *rv;
+@@ -145,12 +151,18 @@ imageop_scale(PyObject *self, PyObject *
+ 		PyErr_SetString(ImageopError, "Size should be 1, 2 or 4");
+ 		return 0;
+ 	}
+-	if ( len != size*x*y ) {
++	/* ( len != size*x*y ) */
++	if ( size != ((len / x) / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
++        nlen = newx*newy*size;
++	if ( size != ((nlen / newx) / newy) ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+     
+-	rv = PyString_FromStringAndSize(NULL, newx*newy*size);
++	rv = PyString_FromStringAndSize(NULL, nlen);
+ 	if ( rv == 0 )
+ 		return 0;
+ 	ncp = (char *)PyString_AsString(rv);
+@@ -190,7 +202,8 @@ imageop_tovideo(PyObject *self, PyObject
+ 		PyErr_SetString(ImageopError, "Size should be 1 or 4");
+ 		return 0;
+ 	}
+-	if ( maxx*maxy*width != len ) {
++	/* if ( maxx*maxy*width != len ) */
++	if ( maxx != ((len / maxy) / maxz) ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+@@ -240,7 +253,8 @@ imageop_grey2mono(PyObject *self, PyObje
+ 	if ( !PyArg_ParseTuple(args, "s#iii", &cp, &len, &x, &y, &tres) )
+ 		return 0;
+ 
+-	if ( x*y != len ) {
++	/* ( x*y != len ) */
++	if ( x != len / y ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+@@ -281,7 +295,8 @@ imageop_grey2grey4(PyObject *self, PyObj
+ 	if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
+ 		return 0;
+ 
+-	if ( x*y != len ) {
++	/* ( x*y != len ) */
++	if ( x != len / y ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+@@ -320,7 +335,8 @@ imageop_grey2grey2(PyObject *self, PyObj
+ 	if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
+ 		return 0;
+ 
+-	if ( x*y != len ) {
++	/* ( x*y != len ) */
++	if ( x != len / y ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+@@ -358,7 +374,8 @@ imageop_dither2mono(PyObject *self, PyOb
+ 	if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
+ 		return 0;
+ 
+-	if ( x*y != len ) {
++	/* ( x*y != len ) */
++	if ( x != len / y ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+@@ -404,7 +421,8 @@ imageop_dither2grey2(PyObject *self, PyO
+ 	if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
+ 		return 0;
+ 
+-	if ( x*y != len ) {
++	/* ( x*y != len ) */
++	if ( x != len / y ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+ 	}
+@@ -443,7 +461,11 @@ imageop_mono2grey(PyObject *self, PyObje
+ 	if ( !PyArg_ParseTuple(args, "s#iiii", &cp, &len, &x, &y, &v0, &v1) )
+ 		return 0;
+ 
+-	nlen = x*y;
++        nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( (nlen+7)/8 != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+@@ -481,6 +503,10 @@ imageop_grey22grey(PyObject *self, PyObj
+ 		return 0;
+ 
+ 	nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( (nlen+3)/4 != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+@@ -517,6 +543,10 @@ imageop_grey42grey(PyObject *self, PyObj
+ 		return 0;
+ 
+ 	nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( (nlen+1)/2 != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+@@ -554,6 +584,10 @@ imageop_rgb2rgb8(PyObject *self, PyObjec
+ 		return 0;
+ 
+ 	nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( nlen*4 != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+@@ -598,6 +632,10 @@ imageop_rgb82rgb(PyObject *self, PyObjec
+ 		return 0;
+ 
+ 	nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( nlen != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+@@ -648,6 +686,10 @@ imageop_rgb2grey(PyObject *self, PyObjec
+ 		return 0;
+ 
+ 	nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( nlen*4 != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+@@ -693,6 +735,10 @@ imageop_grey2rgb(PyObject *self, PyObjec
+ 		return 0;
+ 
+ 	nlen = x*y;
++	if ( x != (nlen / y) ) {
++		PyErr_SetString(ImageopError, "String has incorrect length");
++		return 0;
++	}
+ 	if ( nlen != len ) {
+ 		PyErr_SetString(ImageopError, "String has incorrect length");
+ 		return 0;
+diff -rup Python-2.5-orig/Modules/rgbimgmodule.c Python-2.5/Modules/rgbimgmodule.c
+--- Python-2.5-orig/Modules/rgbimgmodule.c	2006-08-11 23:18:50.000000000 -0400
++++ Python-2.5/Modules/rgbimgmodule.c	2007-09-19 17:00:06.000000000 -0400
+@@ -299,6 +299,11 @@ longimagedata(PyObject *self, PyObject *
+ 	xsize = image.xsize;
+ 	ysize = image.ysize;
+ 	zsize = image.zsize;
++	tablen = xsize * ysize * zsize * sizeof(Py_Int32);
++        if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) {
++		PyErr_NoMemory();
++		goto finally;
++        }
+ 	if (rle) {
+ 		tablen = ysize * zsize * sizeof(Py_Int32);
+ 		starttab = (Py_Int32 *)malloc(tablen);

More information about the arch-commits mailing list