diff options
| author | Michael Hanson <hansonorders@verizon.net> | 2010-12-09 03:55:04 (GMT) |
|---|---|---|
| committer | Michael Hanson <hansonorders@verizon.net> | 2010-12-09 03:55:04 (GMT) |
| commit | a34c6f33ceb002222d49919b8e702e6e19a81809 (patch) | |
| tree | 4f210d0c1331c5e3279fb377b40229a311f02877 /abs/core/python2/python-2.5.CVE-2007-4965-int-overflow.patch | |
| parent | 22cf86961b2c62437603fd3a61dfab580bedd837 (diff) | |
| download | linhes_pkgbuild-a34c6f33ceb002222d49919b8e702e6e19a81809.zip linhes_pkgbuild-a34c6f33ceb002222d49919b8e702e6e19a81809.tar.gz linhes_pkgbuild-a34c6f33ceb002222d49919b8e702e6e19a81809.tar.bz2 | |
python2: downgrade to python 2.6.6
Diffstat (limited to 'abs/core/python2/python-2.5.CVE-2007-4965-int-overflow.patch')
| -rw-r--r-- | abs/core/python2/python-2.5.CVE-2007-4965-int-overflow.patch | 217 |
1 files changed, 217 insertions, 0 deletions
diff --git a/abs/core/python2/python-2.5.CVE-2007-4965-int-overflow.patch b/abs/core/python2/python-2.5.CVE-2007-4965-int-overflow.patch new file mode 100644 index 0000000..843acbf --- /dev/null +++ b/abs/core/python2/python-2.5.CVE-2007-4965-int-overflow.patch @@ -0,0 +1,217 @@ +diff -rup Python-2.5-orig/Modules/imageop.c Python-2.5/Modules/imageop.c +--- Python-2.5-orig/Modules/imageop.c 2006-01-19 01:09:39.000000000 -0500 ++++ Python-2.5/Modules/imageop.c 2007-09-19 16:42:44.000000000 -0400 +@@ -78,7 +78,7 @@ imageop_crop(PyObject *self, PyObject *a + char *cp, *ncp; + short *nsp; + Py_Int32 *nlp; +- int len, size, x, y, newx1, newx2, newy1, newy2; ++ int len, size, x, y, newx1, newx2, newy1, newy2, nlen; + int ix, iy, xstep, ystep; + PyObject *rv; + +@@ -90,13 +90,19 @@ imageop_crop(PyObject *self, PyObject *a + PyErr_SetString(ImageopError, "Size should be 1, 2 or 4"); + return 0; + } +- if ( len != size*x*y ) { ++ /* ( len != size*x*y ) */ ++ if ( size != ((len / x) / y) ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } + xstep = (newx1 < newx2)? 1 : -1; + ystep = (newy1 < newy2)? 1 : -1; + ++ nlen = (abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size; ++ if ( size != ((nlen / (abs(newx2-newx1)+1)) / (abs(newy2-newy1)+1)) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + rv = PyString_FromStringAndSize(NULL, + (abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size); + if ( rv == 0 ) +@@ -132,7 +138,7 @@ imageop_scale(PyObject *self, PyObject * + char *cp, *ncp; + short *nsp; + Py_Int32 *nlp; +- int len, size, x, y, newx, newy; ++ int len, size, x, y, newx, newy, nlen; + int ix, iy; + int oix, oiy; + PyObject *rv; +@@ -145,12 +151,18 @@ imageop_scale(PyObject *self, PyObject * + PyErr_SetString(ImageopError, "Size should be 1, 2 or 4"); + return 0; + } +- if ( len != size*x*y ) { ++ /* ( len != size*x*y ) */ ++ if ( size != ((len / x) / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } ++ nlen = newx*newy*size; ++ if ( size != ((nlen / newx) / newy) ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } + +- rv = PyString_FromStringAndSize(NULL, newx*newy*size); ++ rv = PyString_FromStringAndSize(NULL, nlen); + if ( rv == 0 ) + return 0; + ncp = (char *)PyString_AsString(rv); +@@ -190,7 +202,8 @@ imageop_tovideo(PyObject *self, PyObject + PyErr_SetString(ImageopError, "Size should be 1 or 4"); + return 0; + } +- if ( maxx*maxy*width != len ) { ++ /* if ( maxx*maxy*width != len ) */ ++ if ( maxx != ((len / maxy) / maxz) ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } +@@ -240,7 +253,8 @@ imageop_grey2mono(PyObject *self, PyObje + if ( !PyArg_ParseTuple(args, "s#iii", &cp, &len, &x, &y, &tres) ) + return 0; + +- if ( x*y != len ) { ++ /* ( x*y != len ) */ ++ if ( x != len / y ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } +@@ -281,7 +295,8 @@ imageop_grey2grey4(PyObject *self, PyObj + if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) ) + return 0; + +- if ( x*y != len ) { ++ /* ( x*y != len ) */ ++ if ( x != len / y ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } +@@ -320,7 +335,8 @@ imageop_grey2grey2(PyObject *self, PyObj + if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) ) + return 0; + +- if ( x*y != len ) { ++ /* ( x*y != len ) */ ++ if ( x != len / y ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } +@@ -358,7 +374,8 @@ imageop_dither2mono(PyObject *self, PyOb + if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) ) + return 0; + +- if ( x*y != len ) { ++ /* ( x*y != len ) */ ++ if ( x != len / y ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } +@@ -404,7 +421,8 @@ imageop_dither2grey2(PyObject *self, PyO + if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) ) + return 0; + +- if ( x*y != len ) { ++ /* ( x*y != len ) */ ++ if ( x != len / y ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; + } +@@ -443,7 +461,11 @@ imageop_mono2grey(PyObject *self, PyObje + if ( !PyArg_ParseTuple(args, "s#iiii", &cp, &len, &x, &y, &v0, &v1) ) + return 0; + +- nlen = x*y; ++ nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( (nlen+7)/8 != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; +@@ -481,6 +503,10 @@ imageop_grey22grey(PyObject *self, PyObj + return 0; + + nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( (nlen+3)/4 != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; +@@ -517,6 +543,10 @@ imageop_grey42grey(PyObject *self, PyObj + return 0; + + nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( (nlen+1)/2 != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; +@@ -554,6 +584,10 @@ imageop_rgb2rgb8(PyObject *self, PyObjec + return 0; + + nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( nlen*4 != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; +@@ -598,6 +632,10 @@ imageop_rgb82rgb(PyObject *self, PyObjec + return 0; + + nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( nlen != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; +@@ -648,6 +686,10 @@ imageop_rgb2grey(PyObject *self, PyObjec + return 0; + + nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( nlen*4 != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; +@@ -693,6 +735,10 @@ imageop_grey2rgb(PyObject *self, PyObjec + return 0; + + nlen = x*y; ++ if ( x != (nlen / y) ) { ++ PyErr_SetString(ImageopError, "String has incorrect length"); ++ return 0; ++ } + if ( nlen != len ) { + PyErr_SetString(ImageopError, "String has incorrect length"); + return 0; +diff -rup Python-2.5-orig/Modules/rgbimgmodule.c Python-2.5/Modules/rgbimgmodule.c +--- Python-2.5-orig/Modules/rgbimgmodule.c 2006-08-11 23:18:50.000000000 -0400 ++++ Python-2.5/Modules/rgbimgmodule.c 2007-09-19 17:00:06.000000000 -0400 +@@ -299,6 +299,11 @@ longimagedata(PyObject *self, PyObject * + xsize = image.xsize; + ysize = image.ysize; + zsize = image.zsize; ++ tablen = xsize * ysize * zsize * sizeof(Py_Int32); ++ if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) { ++ PyErr_NoMemory(); ++ goto finally; ++ } + if (rle) { + tablen = ysize * zsize * sizeof(Py_Int32); + starttab = (Py_Int32 *)malloc(tablen); |