Bump Version/Changelog

J2k DOS fix -- CVE-2014-3598
Found and reported by Andrew Drake of dropbox.com
2014-08-14 15:38:52 -07:00 · 2014-08-14 15:38:12 -07:00 · 2014-08-12 11:44:56 -07:00 · 2014-08-12 11:38:52 -07:00 · 2014-07-24 22:23:27 -07:00 · 2014-07-24 22:23:11 -07:00
14 changed files with 96 additions and 14 deletions
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -1,6 +1,28 @@
 Changelog (Pillow)
 ==================
 2.5.3 (2014-08-18)
 ------------------
 - Fixed CVE-2014-3598, a DOS in the Jpeg2KImagePlugin
  [Andrew Drake]
 2.5.2 (2014-08-13)
 ------------------
 - Fixed CVE-2014-3589, a DOS in the IcnsImagePlugin
  [Andrew Drake]
 2.5.1 (2014-07-10)
 ------------------
 - Fixed install issue if Multiprocessing.Pool is not available
  [wiredfool]
 - 32bit mult overflow fix #782
  [wiredfool]
 2.5.0 (2014-07-01)
 ------------------
--- a/PIL/IcnsImagePlugin.py
+++ b/PIL/IcnsImagePlugin.py
@ -179,6 +179,8 @@ class IcnsFile:
        i = HEADERSIZE
        while i < filesize:
            sig, blocksize = nextheader(fobj)
            if blocksize <= 0:
                raise SyntaxError('invalid block header')
            i += HEADERSIZE
            blocksize -= HEADERSIZE
            dct[sig] = (i, blocksize)
--- a/PIL/Jpeg2KImagePlugin.py
+++ b/PIL/Jpeg2KImagePlugin.py
@ -70,6 +70,9 @@ def _parse_jp2_header(fp):
        else:
            hlen = 8
        if lbox < hlen:
            raise SyntaxError('Invalid JP2 header length')
        if tbox == b'jp2h':
            header = fp.read(lbox - hlen)
            break
--- a/PIL/init.py
+++ b/PIL/init.py
@ -12,7 +12,7 @@
 # ;-)
 VERSION = '1.1.7'  # PIL version
-PILLOW_VERSION = '2.5.0' # Pillow
+PILLOW_VERSION = '2.5.3' # Pillow
 _plugins = ['BmpImagePlugin',
            'BufrStubImagePlugin',
--- a/Tests/check_icns_dos.py
+++ b/Tests/check_icns_dos.py
@ -0,0 +1,10 @@
 # Tests potential DOS of IcnsImagePlugin with 0 length block.
 # Run from anywhere that PIL is importable. 
 from PIL import Image
 from io import BytesIO
 if bytes is str:
    Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00')))
 else:
    Image.open(BytesIO(bytes('icns\x00\x00\x00\x10hang\x00\x00\x00\x00', 'latin-1')))
--- a/Tests/check_j2k_dos.py
+++ b/Tests/check_j2k_dos.py
@ -0,0 +1,11 @@
 # Tests potential DOS of Jpeg2kImagePlugin with 0 length block.
 # Run from anywhere that PIL is importable. 
 from PIL import Image
 from io import BytesIO
 if bytes is str:
    Image.open(BytesIO(bytes('\x00\x00\x00\x0cjP\x20\x20\x0d\x0a\x87\x0a\x00\x00\x00\x00hang')))
 else:
    Image.open(BytesIO(bytes('\x00\x00\x00\x0cjP\x20\x20\x0d\x0a\x87\x0a\x00\x00\x00\x00hang', 'latin-1')))
--- a/Tests/helper.py
+++ b/Tests/helper.py
@ -123,6 +123,21 @@ class PillowTestCase(unittest.TestCase):
            self.assertTrue(found)
        return result
    def skipKnownBadTest(self, msg=None, platform=None, travis=None):
        # Skip if platform/travis matches, and
        # PILLOW_RUN_KNOWN_BAD is not true in the environment.
        if bool(os.environ.get('PILLOW_RUN_KNOWN_BAD', False)):
            print (os.environ.get('PILLOW_RUN_KNOWN_BAD', False))
            return
        skip = True
        if platform is not None:
            skip = sys.platform.startswith(platform)
        if travis is not None:
            skip = skip and (travis == bool(os.environ.get('TRAVIS',False)))
        if skip:
            self.skipTest(msg or "Known Bad Test")
    def tempfile(self, template):
        assert template[:5] in ("temp.", "temp_")
        (fd, path) = tempfile.mkstemp(template[4:], template[:4])
--- a/Tests/test_file_icns.py
+++ b/Tests/test_file_icns.py
@ -57,6 +57,10 @@ class TestFileIcns(PillowTestCase):
        if not enable_jpeg2k:
            return
        self.skipKnownBadTest("Jpeg2000 hangs on Travis on OSX",
                              platform='darwin',
                              travis=True)
        im = Image.open('Tests/images/pillow3.icns')
        for w, h, r in im.info['sizes']:
            wr = w * r
--- a/Tests/test_file_jpeg2k.py
+++ b/Tests/test_file_jpeg2k.py
@ -18,6 +18,9 @@ class TestFileJpeg2k(PillowTestCase):
    def setUp(self):
        if "jpeg2k_encoder" not in codecs or "jpeg2k_decoder" not in codecs:
            self.skipTest('JPEG 2000 support not available')
        self.skipKnownBadTest("Jpeg2000 hangs on Travis on OSX",
                              platform='darwin',
                              travis=True)
    def roundtrip(self, im, **options):
        out = BytesIO()
--- a/_imaging.c
+++ b/_imaging.c
@ -71,7 +71,7 @@
 * See the README file for information on usage and redistribution.
 */
-#define PILLOW_VERSION "2.5.0"
+#define PILLOW_VERSION "2.5.3"
 #include "Python.h"
--- a/libImaging/ImPlatform.h
+++ b/libImaging/ImPlatform.h
@ -69,4 +69,6 @@
 #define	FLOAT32 float
 #define	FLOAT64 double
-
+#ifdef _MSC_VER
 typedef signed __int64       int64_t;
 #endif
--- a/libImaging/Storage.c
+++ b/libImaging/Storage.c
@ -379,7 +379,7 @@ ImagingNew(const char* mode, int xsize, int ysize)
    } else
        bytes = strlen(mode); /* close enough */
-    if ((Py_ssize_t) xsize * ysize * bytes <= THRESHOLD) {
+    if ((int64_t) xsize * (int64_t) ysize * bytes <= THRESHOLD) {
        im = ImagingNewBlock(mode, xsize, ysize);
        if (im)
            return im;
--- a/mp_compile.py
+++ b/mp_compile.py
@ -5,6 +5,11 @@ from multiprocessing import Pool, cpu_count
 from distutils.ccompiler import CCompiler
 import os
 try:
    MAX_PROCS = int(os.environ.get('MAX_CONCURRENCY', cpu_count()))
 except:
    MAX_PROCS = None
 # hideous monkeypatching.  but. but. but.
 def _mp_compile_one(tp):
@ -31,22 +36,27 @@ def _mp_compile(self, sources, output_dir=None, macros=None,
        output_dir, macros, include_dirs, sources, depends, extra_postargs)
    cc_args = self._get_cc_args(pp_opts, debug, extra_preargs)
-    try:
+    pool = Pool(MAX_PROCS)
        max_procs = int(os.environ.get('MAX_CONCURRENCY', cpu_count()))
    except:
        max_procs = None
    pool = Pool(max_procs)
    try:
        print ("Building using %d processes" % pool._processes)
    except:
        pass
-    arr = [
+    arr = [(self, obj, build, cc_args, extra_postargs, pp_opts)
-        (self, obj, build, cc_args, extra_postargs, pp_opts) for obj in objects
+           for obj in objects]
        ]
    pool.map_async(_mp_compile_one, arr)
    pool.close()
    pool.join()
    # Return *all* object filenames, not just the ones we just built.
    return objects
-CCompiler.compile = _mp_compile
+# explicitly don't enable if environment says 1 processor
 if MAX_PROCS != 1:
    try:
        # bug, only enable if we can make a Pool. see issue #790 and
        # http://stackoverflow.com/questions/6033599/oserror-38-errno-38-with-multiprocessing
        pool = Pool(2)
        CCompiler.compile = _mp_compile
    except Exception as msg:
        print("Exception installing mp_compile, proceeding without: %s" %msg)
 else:
    print("Single threaded build, not installing mp_compile: %s processes" %MAX_PROCS)
--- a/setup.py
+++ b/setup.py
@ -90,7 +90,7 @@ except (ImportError, OSError):
 NAME = 'Pillow'
-PILLOW_VERSION = '2.5.0'
+PILLOW_VERSION = '2.5.3'
 TCL_ROOT = None
 JPEG_ROOT = None
 JPEG2K_ROOT = None
Author	SHA1	Message	Date
wiredfool	68c6904c28	Bump Version/Changelog	2014-08-14 15:38:52 -07:00
wiredfool	05a169d65c	J2k DOS fix -- CVE-2014-3598 Found and reported by Andrew Drake of dropbox.com	2014-08-14 15:38:12 -07:00
wiredfool	4081f9f6a5	Bump Versions/Changelog	2014-08-12 11:44:56 -07:00
wiredfool	d47611e6fb	Icns DOS fix -- CVE-2014-3589 Found and reported by Andrew Drake of dropbox.com	2014-08-12 11:38:52 -07:00
wiredfool	fa7817a4d3	Known Bad tests -- skipping jpeg2k tests on travis on OSX	2014-07-24 22:23:27 -07:00
wiredfool	a029e5da93	Skip Known Bad Tests	2014-07-24 22:23:11 -07:00
Alex Clark	1ab78b8fb7	Bump [ci skip]	2014-07-10 17:54:59 -04:00
Alex Clark ☺	43883a9928	Merge pull request #792 from wiredfool/2.5.x Release 2.5.1	2014-07-10 17:52:20 -04:00
wiredfool	ef041675a2	Bump the versions	2014-07-08 12:44:51 -07:00
wiredfool	cacc11eaed	Updated CHANGES.rst	2014-07-08 12:24:06 -07:00
Eric Soroos	fb51604296	Don't install mp_compile if multiprocessing.Pool() fails, or if 1 process is going to be used	2014-07-08 12:17:01 -07:00
wiredfool	07c68e2d68	Windows compatibility	2014-07-08 12:16:21 -07:00
wiredfool	d06072ff46	Multiplication needs to be 64bit, to handle overflow regardless of the bittedness of the machine, fixes #771#	2014-07-08 12:16:05 -07:00