Created on 2010-05-10 21:24 by brett.cannon, last changed 2011-06-01 06:22 by terry.reedy. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| rgbimg-issue8678.tgz | thoger, 2010-10-29 17:58 | Test cases | ||
| Messages (8) | |||
|---|---|---|---|
| msg105467 - (view) | Author: Brett Cannon (brett.cannon) *  |
Date: 2010-05-10 21:23 | |
Red Hat found some crashers in the rgbimg module along with a proposed patch: https://bugzilla.redhat.com/show_bug.cgi?id=541698 . Since the patch was sent to the PSRT privately before the bugs were announced, it should be fine to take the patch from the page and apply it. |
|||
| msg105469 - (view) | Author: Martin v. Löwis (loewis) * |
Date: 2010-05-10 21:44 | |
As a security fix, it probably applies to 2.5 and 2.6 as well. |
|||
| msg105485 - (view) | Author: Tomas Hoger (thoger) | Date: 2010-05-11 07:11 | |
According to PEP-0004, affected module was deprecated in 2.5 and is no longer part of 2.6 and later. Hence 2.5 only, not sure if that version is still actively supported upstream. |
|||
| msg105532 - (view) | Author: Brett Cannon (brett.cannon) * |
Date: 2010-05-11 18:21 | |
Because it's a crasher it could still be patched if someone chose to do the work. |
|||
| msg105619 - (view) | Author: STINNER Victor (haypo) * |
Date: 2010-05-13 00:59 | |
See also #7673 (other crashers). |
|||
| msg105624 - (view) | Author: Martin v. Löwis (loewis) * |
Date: 2010-05-13 07:13 | |
haypo: what's the relationship? |
|||
| msg115536 - (view) | Author: STINNER Victor (haypo) * |
Date: 2010-09-03 23:02 | |
I am able to reproduce the crash with z > 4:
# (magic, type (rle, bpp), dim, x, y, z)
open('image', 'wb').write(struct.pack('>hhhhhh', 0732, 1, 1, 1, 1, 10))
rgbimg.longimagedata('image')
--
But not the "xsize = ysize = 0x8000" integer overflow. longimagedata() begins by checking that xsize * ysize * zsize * sizeof(Py_Int32) doesn't overflow:
tablen = xsize * ysize * zsize * sizeof(Py_Int32);
if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) {
PyErr_NoMemory();
goto finally;
}
If xsize * ysize * zsize * sizeof(Py_Int32) doesn't overflow, there is no reason that xsize * ysize * sizeof(Py_Int32) does overflow.
--
I am too tired to check the two RLE bugs.
|
|||
| msg119920 - (view) | Author: Tomas Hoger (thoger) | Date: 2010-10-29 17:58 | |
You seem to be right that r65878 should block the "xsize = ysize = 0x8000" integer overflow. I was testing on the python version with r60793, but not with r65878. Note that the check added in r65878 should still cause crash on divide-by-zero for some files. Attaching my test files. 1 is for excessive ZSIZE, 2 and 3 for the integer overflow, RLE and non-RLE code path, 4 and 5 for RLE decoding issues. 6 should trigger sigfpe in the r65878 check as noted above, but I've not really tested that one. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2011-06-01 06:22:43 | terry.reedy | set | status: open -> closed resolution: out of date |
| 2010-10-29 19:17:41 | brett.cannon | set | nosy:
- brett.cannon |
| 2010-10-29 17:58:54 | thoger | set | files:
+ rgbimg-issue8678.tgz messages: + msg119920 |
| 2010-09-03 23:02:11 | haypo | set | messages: + msg115536 |
| 2010-09-03 22:03:04 | Arfrever | set | nosy:
+ Arfrever |
| 2010-05-13 07:13:57 | loewis | set | messages: + msg105624 |
| 2010-05-13 00:59:52 | haypo | set | nosy:
+ haypo messages: + msg105619 |
| 2010-05-11 18:21:51 | brett.cannon | set | messages:
+ msg105532 components: + Extension Modules |
| 2010-05-11 07:11:31 | thoger | set | nosy:
+ thoger messages: + msg105485 versions: - Python 2.6, Python 2.7 |
| 2010-05-10 21:44:19 | loewis | set | nosy:
+ loewis messages: + msg105469 versions: + Python 2.6, Python 2.5 |
| 2010-05-10 21:24:00 | brett.cannon | create | |