fix security issue 2: imageop's poor validation of arguments could result in segfaults

patch by Victor Stinner reviewed by myself and Brett

fix security issue 2: imageop's poor validation of arguments could result in segfaults
patch by Victor Stinner reviewed by myself and Brett
8d77d448 · Benjamin Peterson · 37040cda · 8d77d448 · 8d77d448 · 8d77d448
Kaydet (Commit) 8d77d448 authored Eyl 30, 2008 tarafından Benjamin Peterson
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 66 additions and 2 deletions

test_imageop.py Lib/test/test_imageop.py +63 -2

NEWS Misc/NEWS +3 -0

imageop.c Modules/imageop.c +0 -0

No files found.
--- a/Lib/test/test_imageop.py
+++ b/Lib/test/test_imageop.py
@@ -5,13 +5,74 @@
   Roger E. Masse
 """

-from test.test_support import verbose, unlink, import_module
+from test.test_support import verbose, unlink, import_module, run_unittest

 imageop = import_module('imageop', deprecated=True)
-import uu, os, imgfile
+import uu, os, unittest
+
+
+SIZES = (1, 2, 3, 4)
+_VALUES = (1, 2, 2**10, 2**15-1, 2**15, 2**15+1, 2**31-2, 2**31-1)
+VALUES = tuple( -x for x in reversed(_VALUES) ) + (0,) + _VALUES
+AAAAA = "A" * 1024
+
+
+class InputValidationTests(unittest.TestCase):
+
+    def _check(self, name, size=None, *extra):
+        func = getattr(imageop, name)
+        for height in VALUES:
+            for width in VALUES:
+                strlen = abs(width * height)
+                if size:
+                    strlen *= size
+                if strlen < 1024:
+                    data = "A" * strlen
+                else:
+                    data = AAAAA
+                if size:
+                    arguments = (data, size, width, height) + extra
+                else:
+                    arguments = (data, width, height) + extra
+                try:
+                    func(*arguments)
+                except (ValueError, imageop.error):
+                    pass
+
+    def check_size(self, name, *extra):
+        for size in SIZES:
+            self._check(name, size, *extra)
+
+    def check(self, name, *extra):
+        self._check(name, None, *extra)
+
+    def test_input_validation(self):
+        self.check_size("crop", 0, 0, 0, 0)
+        self.check_size("scale", 1, 0)
+        self.check_size("scale", -1, -1)
+        self.check_size("tovideo")
+        self.check("grey2mono", 128)
+        self.check("grey2grey4")
+        self.check("grey2grey2")
+        self.check("dither2mono")
+        self.check("dither2grey2")
+        self.check("mono2grey", 0, 0)
+        self.check("grey22grey")
+        self.check("rgb2rgb8") # nlen*4 == len
+        self.check("rgb82rgb")
+        self.check("rgb2grey")
+        self.check("grey2rgb")
+

 def test_main():

+    run_unittest(InputValidationTests)
+
+    try:
+        import imgfile
+    except ImportError:
+        return
+
    # Create binary test files
    uu.decode(get_qualified_path('testrgb'+os.extsep+'uue'), 'test'+os.extsep+'rgb')


--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -54,6 +54,9 @@ Core and Builtins
 Extension Modules
 -----------------

+- Security Issue #2: imageop did not validate arguments correctly and could
+  segfault as a result.
+
 - Issue #3886: Possible integer overflows in the _hashopenssl module were
  closed.


--- a/Modules/imageop.c
+++ b/Modules/imageop.c