summaryrefslogtreecommitdiffstats
path: root/abs/core-testing/python/python-2.5.CVE-2007-4965-int-overflow.patch
diff options
context:
space:
mode:
Diffstat (limited to 'abs/core-testing/python/python-2.5.CVE-2007-4965-int-overflow.patch')
-rw-r--r--abs/core-testing/python/python-2.5.CVE-2007-4965-int-overflow.patch217
1 files changed, 217 insertions, 0 deletions
diff --git a/abs/core-testing/python/python-2.5.CVE-2007-4965-int-overflow.patch b/abs/core-testing/python/python-2.5.CVE-2007-4965-int-overflow.patch
new file mode 100644
index 0000000..843acbf
--- /dev/null
+++ b/abs/core-testing/python/python-2.5.CVE-2007-4965-int-overflow.patch
@@ -0,0 +1,217 @@
+diff -rup Python-2.5-orig/Modules/imageop.c Python-2.5/Modules/imageop.c
+--- Python-2.5-orig/Modules/imageop.c 2006-01-19 01:09:39.000000000 -0500
++++ Python-2.5/Modules/imageop.c 2007-09-19 16:42:44.000000000 -0400
+@@ -78,7 +78,7 @@ imageop_crop(PyObject *self, PyObject *a
+ char *cp, *ncp;
+ short *nsp;
+ Py_Int32 *nlp;
+- int len, size, x, y, newx1, newx2, newy1, newy2;
++ int len, size, x, y, newx1, newx2, newy1, newy2, nlen;
+ int ix, iy, xstep, ystep;
+ PyObject *rv;
+
+@@ -90,13 +90,19 @@ imageop_crop(PyObject *self, PyObject *a
+ PyErr_SetString(ImageopError, "Size should be 1, 2 or 4");
+ return 0;
+ }
+- if ( len != size*x*y ) {
++ /* ( len != size*x*y ) */
++ if ( size != ((len / x) / y) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
+ xstep = (newx1 < newx2)? 1 : -1;
+ ystep = (newy1 < newy2)? 1 : -1;
+
++ nlen = (abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size;
++ if ( size != ((nlen / (abs(newx2-newx1)+1)) / (abs(newy2-newy1)+1)) ) {
++ PyErr_SetString(ImageopError, "String has incorrect length");
++ return 0;
++ }
+ rv = PyString_FromStringAndSize(NULL,
+ (abs(newx2-newx1)+1)*(abs(newy2-newy1)+1)*size);
+ if ( rv == 0 )
+@@ -132,7 +138,7 @@ imageop_scale(PyObject *self, PyObject *
+ char *cp, *ncp;
+ short *nsp;
+ Py_Int32 *nlp;
+- int len, size, x, y, newx, newy;
++ int len, size, x, y, newx, newy, nlen;
+ int ix, iy;
+ int oix, oiy;
+ PyObject *rv;
+@@ -145,12 +151,18 @@ imageop_scale(PyObject *self, PyObject *
+ PyErr_SetString(ImageopError, "Size should be 1, 2 or 4");
+ return 0;
+ }
+- if ( len != size*x*y ) {
++ /* ( len != size*x*y ) */
++ if ( size != ((len / x) / y) ) {
++ PyErr_SetString(ImageopError, "String has incorrect length");
++ return 0;
++ }
++ nlen = newx*newy*size;
++ if ( size != ((nlen / newx) / newy) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
+
+- rv = PyString_FromStringAndSize(NULL, newx*newy*size);
++ rv = PyString_FromStringAndSize(NULL, nlen);
+ if ( rv == 0 )
+ return 0;
+ ncp = (char *)PyString_AsString(rv);
+@@ -190,7 +202,8 @@ imageop_tovideo(PyObject *self, PyObject
+ PyErr_SetString(ImageopError, "Size should be 1 or 4");
+ return 0;
+ }
+- if ( maxx*maxy*width != len ) {
++ /* if ( maxx*maxy*width != len ) */
++ if ( maxx != ((len / maxy) / maxz) ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
+@@ -240,7 +253,8 @@ imageop_grey2mono(PyObject *self, PyObje
+ if ( !PyArg_ParseTuple(args, "s#iii", &cp, &len, &x, &y, &tres) )
+ return 0;
+
+- if ( x*y != len ) {
++ /* ( x*y != len ) */
++ if ( x != len / y ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
+@@ -281,7 +295,8 @@ imageop_grey2grey4(PyObject *self, PyObj
+ if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
+ return 0;
+
+- if ( x*y != len ) {
++ /* ( x*y != len ) */
++ if ( x != len / y ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
+@@ -320,7 +335,8 @@ imageop_grey2grey2(PyObject *self, PyObj
+ if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
+ return 0;
+
+- if ( x*y != len ) {
++ /* ( x*y != len ) */
++ if ( x != len / y ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
+@@ -358,7 +374,8 @@ imageop_dither2mono(PyObject *self, PyOb
+ if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
+ return 0;
+
+- if ( x*y != len ) {
++ /* ( x*y != len ) */
++ if ( x != len / y ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
+@@ -404,7 +421,8 @@ imageop_dither2grey2(PyObject *self, PyO
+ if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
+ return 0;
+
+- if ( x*y != len ) {
++ /* ( x*y != len ) */
++ if ( x != len / y ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+ }
+@@ -443,7 +461,11 @@ imageop_mono2grey(PyObject *self, PyObje
+ if ( !PyArg_ParseTuple(args, "s#iiii", &cp, &len, &x, &y, &v0, &v1) )
+ return 0;
+
+- nlen = x*y;
++ nlen = x*y;
++ if ( x != (nlen / y) ) {
++ PyErr_SetString(ImageopError, "String has incorrect length");
++ return 0;
++ }
+ if ( (nlen+7)/8 != len ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+@@ -481,6 +503,10 @@ imageop_grey22grey(PyObject *self, PyObj
+ return 0;
+
+ nlen = x*y;
++ if ( x != (nlen / y) ) {
++ PyErr_SetString(ImageopError, "String has incorrect length");
++ return 0;
++ }
+ if ( (nlen+3)/4 != len ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+@@ -517,6 +543,10 @@ imageop_grey42grey(PyObject *self, PyObj
+ return 0;
+
+ nlen = x*y;
++ if ( x != (nlen / y) ) {
++ PyErr_SetString(ImageopError, "String has incorrect length");
++ return 0;
++ }
+ if ( (nlen+1)/2 != len ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+@@ -554,6 +584,10 @@ imageop_rgb2rgb8(PyObject *self, PyObjec
+ return 0;
+
+ nlen = x*y;
++ if ( x != (nlen / y) ) {
++ PyErr_SetString(ImageopError, "String has incorrect length");
++ return 0;
++ }
+ if ( nlen*4 != len ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+@@ -598,6 +632,10 @@ imageop_rgb82rgb(PyObject *self, PyObjec
+ return 0;
+
+ nlen = x*y;
++ if ( x != (nlen / y) ) {
++ PyErr_SetString(ImageopError, "String has incorrect length");
++ return 0;
++ }
+ if ( nlen != len ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+@@ -648,6 +686,10 @@ imageop_rgb2grey(PyObject *self, PyObjec
+ return 0;
+
+ nlen = x*y;
++ if ( x != (nlen / y) ) {
++ PyErr_SetString(ImageopError, "String has incorrect length");
++ return 0;
++ }
+ if ( nlen*4 != len ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+@@ -693,6 +735,10 @@ imageop_grey2rgb(PyObject *self, PyObjec
+ return 0;
+
+ nlen = x*y;
++ if ( x != (nlen / y) ) {
++ PyErr_SetString(ImageopError, "String has incorrect length");
++ return 0;
++ }
+ if ( nlen != len ) {
+ PyErr_SetString(ImageopError, "String has incorrect length");
+ return 0;
+diff -rup Python-2.5-orig/Modules/rgbimgmodule.c Python-2.5/Modules/rgbimgmodule.c
+--- Python-2.5-orig/Modules/rgbimgmodule.c 2006-08-11 23:18:50.000000000 -0400
++++ Python-2.5/Modules/rgbimgmodule.c 2007-09-19 17:00:06.000000000 -0400
+@@ -299,6 +299,11 @@ longimagedata(PyObject *self, PyObject *
+ xsize = image.xsize;
+ ysize = image.ysize;
+ zsize = image.zsize;
++ tablen = xsize * ysize * zsize * sizeof(Py_Int32);
++ if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) {
++ PyErr_NoMemory();
++ goto finally;
++ }
+ if (rle) {
+ tablen = ysize * zsize * sizeof(Py_Int32);
+ starttab = (Py_Int32 *)malloc(tablen);
generated by cgit v0.12 at 2024-05-29 15:00:48 (GMT)