Version in base suite: 5.4.1-2 Base version: pillow_5.4.1-2 Target version: pillow_5.4.1-2+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pillow/pillow_5.4.1-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pillow/pillow_5.4.1-2+deb10u1.dsc /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/combined_larger_than_size.psd |binary /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/decompression_bomb.gif |binary /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/decompression_bomb.ico |binary /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/fli_overrun.bin |binary /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/fli_overrun2.bin |binary /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/input_bw_five_bands.fpx |binary /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/pcx_overrun.bin |binary /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/pcx_overrun2.bin |binary /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/raw_negative_stride.bin |binary /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/sgi_overrun.bin |binary /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/sgi_overrun_expandrow.bin |binary /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/sgi_overrun_expandrow2.bin |binary /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/string_dimension.tiff |binary pillow-5.4.1/debian/changelog | 6 pillow-5.4.1/debian/patches/CVE-2019-16865.patch | 236 ++++++++++ pillow-5.4.1/debian/patches/CVE-2019-19911.patch | 33 + pillow-5.4.1/debian/patches/CVE-2020-5311.patch | 86 +++ pillow-5.4.1/debian/patches/CVE-2020-5312.patch | 23 pillow-5.4.1/debian/patches/CVE-2020-5313.patch | 39 + pillow-5.4.1/debian/patches/series | 5 pillow-5.4.1/debian/source/include-binaries | 13 21 files changed, 441 insertions(+) Binary files 
/srv/release.debian.org/tmp/0K9l3LM7eq/pillow-5.4.1/Tests/images/combined_larger_than_size.psd and /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/combined_larger_than_size.psd differ Binary files /srv/release.debian.org/tmp/0K9l3LM7eq/pillow-5.4.1/Tests/images/decompression_bomb.gif and /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/decompression_bomb.gif differ Binary files /srv/release.debian.org/tmp/0K9l3LM7eq/pillow-5.4.1/Tests/images/decompression_bomb.ico and /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/decompression_bomb.ico differ Binary files /srv/release.debian.org/tmp/0K9l3LM7eq/pillow-5.4.1/Tests/images/fli_overrun.bin and /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/fli_overrun.bin differ Binary files /srv/release.debian.org/tmp/0K9l3LM7eq/pillow-5.4.1/Tests/images/fli_overrun2.bin and /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/fli_overrun2.bin differ Binary files /srv/release.debian.org/tmp/0K9l3LM7eq/pillow-5.4.1/Tests/images/input_bw_five_bands.fpx and /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/input_bw_five_bands.fpx differ Binary files /srv/release.debian.org/tmp/0K9l3LM7eq/pillow-5.4.1/Tests/images/pcx_overrun.bin and /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/pcx_overrun.bin differ Binary files /srv/release.debian.org/tmp/0K9l3LM7eq/pillow-5.4.1/Tests/images/pcx_overrun2.bin and /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/pcx_overrun2.bin differ Binary files /srv/release.debian.org/tmp/0K9l3LM7eq/pillow-5.4.1/Tests/images/raw_negative_stride.bin and /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/raw_negative_stride.bin differ Binary files /srv/release.debian.org/tmp/0K9l3LM7eq/pillow-5.4.1/Tests/images/sgi_overrun.bin and /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/sgi_overrun.bin differ Binary files 
/srv/release.debian.org/tmp/0K9l3LM7eq/pillow-5.4.1/Tests/images/sgi_overrun_expandrow.bin and /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/sgi_overrun_expandrow.bin differ Binary files /srv/release.debian.org/tmp/0K9l3LM7eq/pillow-5.4.1/Tests/images/sgi_overrun_expandrow2.bin and /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/sgi_overrun_expandrow2.bin differ Binary files /srv/release.debian.org/tmp/0K9l3LM7eq/pillow-5.4.1/Tests/images/string_dimension.tiff and /srv/release.debian.org/tmp/YWzqnMvt10/pillow-5.4.1/Tests/images/string_dimension.tiff differ diff -Nru pillow-5.4.1/debian/changelog pillow-5.4.1/debian/changelog --- pillow-5.4.1/debian/changelog 2019-04-07 00:53:28.000000000 +0000 +++ pillow-5.4.1/debian/changelog 2020-02-06 19:47:20.000000000 +0000 @@ -1,3 +1,9 @@ +pillow (5.4.1-2+deb10u1) buster-security; urgency=medium + + * CVE-2019-16865 CVE-2019-19911 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313 + + -- Moritz Mühlenhoff Thu, 06 Feb 2020 20:47:20 +0100 + pillow (5.4.1-2) unstable; urgency=medium * Allow for unknown PNG chunks after image data. Closes: #926552. diff -Nru pillow-5.4.1/debian/patches/CVE-2019-16865.patch pillow-5.4.1/debian/patches/CVE-2019-16865.patch --- pillow-5.4.1/debian/patches/CVE-2019-16865.patch 1970-01-01 00:00:00.000000000 +0000 +++ pillow-5.4.1/debian/patches/CVE-2019-16865.patch 2020-02-06 19:10:10.000000000 +0000 
@@ -0,0 +1,236 @@ +--- pillow-5.4.1.orig/Tests/test_decompression_bomb.py ++++ pillow-5.4.1/Tests/test_decompression_bomb.py +@@ -15,6 +15,7 @@ class TestDecompressionBomb(PillowTestCa + def test_no_warning_small_file(self): + # Implicit assert: no warning. + # A warning would cause a failure. ++ Image.MAX_IMAGE_PIXELS = ORIGINAL_LIMIT + Image.open(TEST_FILE) + + def test_no_warning_no_limit(self): +@@ -44,6 +45,14 @@ class TestDecompressionBomb(PillowTestCa + self.assertRaises(Image.DecompressionBombError, + lambda: Image.open(TEST_FILE)) + ++ def test_exception_ico(self): ++ with self.assertRaises(Image.DecompressionBombError): ++ Image.open("Tests/images/decompression_bomb.ico") ++ ++ def test_exception_gif(self): ++ with self.assertRaises(Image.DecompressionBombError): ++ Image.open("Tests/images/decompression_bomb.gif") ++ + + class TestDecompressionCrop(PillowTestCase): + +--- pillow-5.4.1.orig/Tests/test_file_psd.py ++++ pillow-5.4.1/Tests/test_file_psd.py +@@ -77,6 +77,14 @@ class TestImagePsd(PillowTestCase): + + self.assertNotIn("icc_profile", im.info) + ++ def test_combined_larger_than_size(self): ++ # The 'combined' sizes of the individual parts is larger than the ++ # declared 'size' of the extra data field, resulting in a backwards seek. 
++ ++ # If we instead take the 'size' of the extra data field as the source of truth, ++ # then the seek can't be negative ++ with self.assertRaises(IOError): ++ Image.open("Tests/images/combined_larger_than_size.psd") + + if __name__ == '__main__': + unittest.main() +--- pillow-5.4.1.orig/Tests/test_file_tiff.py ++++ pillow-5.4.1/Tests/test_file_tiff.py +@@ -541,6 +541,11 @@ class TestFileTiff(PillowTestCase): + im.load() + self.assertFalse(fp.closed) + ++ def test_string_dimension(self): ++ # Assert that an error is raised if one of the dimensions is a string ++ with self.assertRaises(ValueError): ++ Image.open("Tests/images/string_dimension.tiff") ++ + + @unittest.skipUnless(sys.platform.startswith('win32'), "Windows only") + class TestFileTiffW32(PillowTestCase): +--- pillow-5.4.1.orig/Tests/test_image.py ++++ pillow-5.4.1/Tests/test_image.py +@@ -532,6 +532,15 @@ class TestImage(PillowTestCase): + with Image.open(test_file) as im: + self.assert_warning(None, im.save, temp_file) + ++ def test_overrun(self): ++ for file in ["fli_overrun.bin", "sgi_overrun.bin", "pcx_overrun.bin"]: ++ im = Image.open(os.path.join("Tests/images", file)) ++ try: ++ im.load() ++ self.assertFail() ++ except IOError as e: ++ self.assertEqual(str(e), "buffer overrun when reading image file") ++ + + class MockEncoder(object): + pass +--- pillow-5.4.1.orig/Tests/test_imagefile.py ++++ pillow-5.4.1/Tests/test_imagefile.py +@@ -100,6 +100,14 @@ class TestImageFile(PillowTestCase): + parser = ImageFile.Parser() + parser.feed(1) + ++ def test_negative_stride(self): ++ with open("Tests/images/raw_negative_stride.bin", "rb") as f: ++ input = f.read() ++ p = ImageFile.Parser() ++ p.feed(input) ++ with self.assertRaises(IOError): ++ p.close() ++ + def test_truncated_with_errors(self): + if "zip_encoder" not in codecs: + self.skipTest("PNG (zlib) encoder not available") +--- pillow-5.4.1.orig/src/PIL/GifImagePlugin.py ++++ pillow-5.4.1/src/PIL/GifImagePlugin.py +@@ -258,6 +258,7 @@ class 
GifImageFile(ImageFile.ImageFile): + self.dispose = None + elif self.disposal_method == 2: + # replace with background colour ++ Image._decompression_bomb_check(self.size) + self.dispose = Image.core.fill("P", self.size, + self.info["background"]) + else: +--- pillow-5.4.1.orig/src/PIL/IcoImagePlugin.py ++++ pillow-5.4.1/src/PIL/IcoImagePlugin.py +@@ -167,6 +167,7 @@ class IcoFile(object): + else: + # XOR + AND mask bmp frame + im = BmpImagePlugin.DibImageFile(self.buf) ++ Image._decompression_bomb_check(im.size) + + # change tile dimension to only encompass XOR image + im._size = (im.size[0], int(im.size[1] / 2)) +--- pillow-5.4.1.orig/src/PIL/PsdImagePlugin.py ++++ pillow-5.4.1/src/PIL/PsdImagePlugin.py +@@ -209,9 +209,11 @@ def _layerinfo(file): + # skip over blend flags and extra information + read(12) # filler + name = "" +- size = i32(read(4)) ++ size = i32(read(4)) # length of the extra data field + combined = 0 + if size: ++ data_end = file.tell() + size ++ + length = i32(read(4)) + if length: + file.seek(length - 16, 1) +@@ -229,7 +231,7 @@ def _layerinfo(file): + name = read(length).decode('latin-1', 'replace') + combined += length + 1 + +- file.seek(size - combined, 1) ++ file.seek(data_end) + layers.append((name, mode, (x0, y0, x1, y1))) + + # get tiles +--- pillow-5.4.1.orig/src/PIL/TiffImagePlugin.py ++++ pillow-5.4.1/src/PIL/TiffImagePlugin.py +@@ -1197,8 +1197,8 @@ class TiffImageFile(ImageFile.ImageFile) + print("- YCbCr subsampling:", self.tag.get(530)) + + # size +- xsize = self.tag_v2.get(IMAGEWIDTH) +- ysize = self.tag_v2.get(IMAGELENGTH) ++ xsize = int(self.tag_v2.get(IMAGEWIDTH)) ++ ysize = int(self.tag_v2.get(IMAGELENGTH)) + self._size = xsize, ysize + + if DEBUG: +--- pillow-5.4.1.orig/src/libImaging/FliDecode.c ++++ pillow-5.4.1/src/libImaging/FliDecode.c +@@ -30,7 +30,7 @@ ImagingFliDecode(Imaging im, ImagingCode + { + UINT8* ptr; + int framesize; +- int c, chunks; ++ int c, chunks, advance; + int l, lines; + int i, j, x = 0, y, ymax; + 
+@@ -59,10 +59,16 @@ ImagingFliDecode(Imaging im, ImagingCode + + chunks = I16(ptr+6); + ptr += 16; ++ bytes -= 16; + + /* Process subchunks */ + for (c = 0; c < chunks; c++) { +- UINT8 *data = ptr + 6; ++ UINT8* data; ++ if (bytes < 10) { ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; ++ } ++ data = ptr + 6; + switch (I16(ptr+4)) { + case 4: case 11: + /* FLI COLOR chunk */ +@@ -198,7 +204,9 @@ ImagingFliDecode(Imaging im, ImagingCode + state->errcode = IMAGING_CODEC_UNKNOWN; + return -1; + } +- ptr += I32(ptr); ++ advance = I32(ptr); ++ ptr += advance; ++ bytes -= advance; + } + + return -1; /* end of frame */ +--- pillow-5.4.1.orig/src/libImaging/PcxDecode.c ++++ pillow-5.4.1/src/libImaging/PcxDecode.c +@@ -22,6 +22,11 @@ ImagingPcxDecode(Imaging im, ImagingCode + UINT8 n; + UINT8* ptr; + ++ if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) { ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; ++ } ++ + ptr = buf; + + for (;;) { +--- pillow-5.4.1.orig/src/libImaging/RawDecode.c ++++ pillow-5.4.1/src/libImaging/RawDecode.c +@@ -33,8 +33,15 @@ ImagingRawDecode(Imaging im, ImagingCode + + /* get size of image data and padding */ + state->bytes = (state->xsize * state->bits + 7) / 8; +- rawstate->skip = (rawstate->stride) ? 
+- rawstate->stride - state->bytes : 0; ++ if (rawstate->stride) { ++ rawstate->skip = rawstate->stride - state->bytes; ++ if (rawstate->skip < 0) { ++ state->errcode = IMAGING_CODEC_CONFIG; ++ return -1; ++ } ++ } else { ++ rawstate->skip = 0; ++ } + + /* check image orientation */ + if (state->ystep < 0) { +--- pillow-5.4.1.orig/src/libImaging/SgiRleDecode.c ++++ pillow-5.4.1/src/libImaging/SgiRleDecode.c +@@ -156,6 +156,11 @@ ImagingSgiRleDecode(Imaging im, ImagingC + c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize]; + c->rleoffset -= SGI_HEADER_SIZE; + ++ if (c->rleoffset + c->rlelength > c->bufsize) { ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; ++ } ++ + /* row decompression */ + if (c->bpc ==1) { + if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands)) diff -Nru pillow-5.4.1/debian/patches/CVE-2019-19911.patch pillow-5.4.1/debian/patches/CVE-2019-19911.patch --- pillow-5.4.1/debian/patches/CVE-2019-19911.patch 1970-01-01 00:00:00.000000000 +0000 +++ pillow-5.4.1/debian/patches/CVE-2019-19911.patch 2020-02-06 19:11:02.000000000 +0000 
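Review bot: In the FliDecode.c subchunk loop, `advance = I32(ptr); ptr += advance; bytes -= advance;` applies a length taken from the file without checking it: if the I32 macro can yield a negative int for a size with the top bit set (the usual shift-and-add form does), `ptr` moves backwards and `bytes` grows, so the next iteration's `bytes < 10` test passes and the subchunk header is read from before the buffer; an advance of 0 simply re-decodes the same subchunk, and an over-large one is caught only after `ptr` has already left the buffer. I would validate before moving: `if (advance <= 0 || advance > bytes) { state->errcode = IMAGING_CODEC_OVERRUN; return -1; }`. Separately, `test_overrun` in test_image.py calls `self.assertFail()`, which unittest does not define, so a regression would surface as an AttributeError rather than a failed assertion — `self.fail()` is the intended method. The FLI and SGI decoder bodies continue outside the hunk.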
@@ -0,0 +1,33 @@ + +--- pillow-5.4.1.orig/Tests/test_file_fpx.py ++++ pillow-5.4.1/Tests/test_file_fpx.py +@@ -1,3 +1,5 @@ ++from PIL import Image ++ + from helper import unittest, PillowTestCase + + try: +@@ -22,6 +24,9 @@ class TestFileFpx(PillowTestCase): + self.assertRaises(SyntaxError, + FpxImagePlugin.FpxImageFile, ole_file) + ++ def test_fpx_invalid_number_of_bands(self): ++ with self.assertRaisesRegex(IOError, "Invalid number of bands"): ++ Image.open("Tests/images/input_bw_five_bands.fpx") + + if __name__ == '__main__': + unittest.main() +--- pillow-5.4.1.orig/src/PIL/FpxImagePlugin.py ++++ pillow-5.4.1/src/PIL/FpxImagePlugin.py +@@ -101,7 +101,10 @@ class FpxImageFile(ImageFile.ImageFile): + s = prop[0x2000002 | id] + + colors = [] +- for i in range(i32(s, 4)): ++ bands = i32(s, 4) ++ if bands > 4: ++ raise IOError("Invalid number of bands") ++ for i in range(bands): + # note: for now, we ignore the "uncalibrated" flag + colors.append(i32(s, 8+i*4) & 0x7fffffff) + diff -Nru pillow-5.4.1/debian/patches/CVE-2020-5311.patch pillow-5.4.1/debian/patches/CVE-2020-5311.patch --- pillow-5.4.1/debian/patches/CVE-2020-5311.patch 1970-01-01 00:00:00.000000000 +0000 +++ pillow-5.4.1/debian/patches/CVE-2020-5311.patch 2020-02-06 19:11:42.000000000 +0000 
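Review bot: The `bands > 4` guard in FpxImagePlugin bounds the loop, but the body still reads `i32(s, 8+i*4)` without checking that `s` actually holds that many bytes, so a short property blob with a small band count presumably fails with an index/struct error from `i32` rather than the IOError the new test expects for malformed input; a companion check such as `if len(s) < 8 + 4 * bands: raise IOError("Invalid number of bands")` keeps the failure mode uniform. `bands == 0` also passes the guard and leaves `colors` empty, which the code after the hunk may or may not tolerate. FpxImageFile._open continues outside the hunk.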
@@ -0,0 +1,86 @@ +--- pillow-5.4.1.orig/Tests/test_image.py ++++ pillow-5.4.1/Tests/test_image.py +@@ -533,7 +533,13 @@ class TestImage(PillowTestCase): + self.assert_warning(None, im.save, temp_file) + + def test_overrun(self): +- for file in ["fli_overrun.bin", "sgi_overrun.bin", "pcx_overrun.bin"]: ++ for file in [ ++ "fli_overrun.bin", ++ "sgi_overrun.bin", ++ "pcx_overrun.bin", ++ "sgi_overrun_expandrow.bin", ++ "sgi_overrun_expandrow2.bin", ++ ]: + im = Image.open(os.path.join("Tests/images", file)) + try: + im.load() +--- pillow-5.4.1.orig/src/libImaging/SgiRleDecode.c ++++ pillow-5.4.1/src/libImaging/SgiRleDecode.c +@@ -25,7 +25,7 @@ static void read4B(UINT32* dest, UINT8* + *dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]); + } + +-static int expandrow(UINT8* dest, UINT8* src, int n, int z) ++static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize) + { + UINT8 pixel, count; + +@@ -37,6 +37,9 @@ static int expandrow(UINT8* dest, UINT8* + count = pixel & RLE_MAX_RUN; + if (!count) + return count; ++ if (count > xsize) { ++ return -1; ++ } + if (pixel & RLE_COPY_FLAG) { + while(count--) { + *dest = *src++; +@@ -56,7 +59,7 @@ static int expandrow(UINT8* dest, UINT8* + return 0; + } + +-static int expandrow2(UINT16* dest, UINT16* src, int n, int z) ++static int expandrow2(UINT8* dest, const UINT8* src, int n, int z, int xsize) + { + UINT8 pixel, count; + +@@ -70,6 +73,9 @@ static int expandrow2(UINT16* dest, UINT + count = pixel & RLE_MAX_RUN; + if (!count) + return count; ++ if (count > xsize) { ++ return -1; ++ } + if (pixel & RLE_COPY_FLAG) { + while(count--) { + *dest = *src++; +@@ -95,6 +101,7 @@ ImagingSgiRleDecode(Imaging im, ImagingC + UINT8 *ptr; + SGISTATE *c; + int err = 0; ++ int status; + + /* Get all data from File descriptor */ + c = (SGISTATE*)state->context; +@@ -163,12 +170,16 @@ ImagingSgiRleDecode(Imaging im, ImagingC + + /* row decompression */ + if (c->bpc ==1) { +- 
if(expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands)) +- goto sgi_finish_decode; ++ status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize); + } + else { +- if(expandrow2((UINT16*)&state->buffer[c->channo * 2], (UINT16*)&ptr[c->rleoffset], c->rlelength, im->bands)) +- goto sgi_finish_decode; ++ status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize); ++ } ++ if (status == -1) { ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; ++ } else if (status == 1) { ++ goto sgi_finish_decode; + } + + state->count += c->rlelength; diff -Nru pillow-5.4.1/debian/patches/CVE-2020-5312.patch pillow-5.4.1/debian/patches/CVE-2020-5312.patch --- pillow-5.4.1/debian/patches/CVE-2020-5312.patch 1970-01-01 00:00:00.000000000 +0000 +++ pillow-5.4.1/debian/patches/CVE-2020-5312.patch 2020-02-06 19:12:14.000000000 +0000 
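Review bot: expandrow2's parameters change from `UINT16*` to `UINT8*`, yet the only other change to its body is the new `count > xsize` test, and the context line `*dest = *src++;` shows the copy loop untouched: with byte pointers that now copies one byte per pixel and advances `dest` by `z` bytes instead of `z * 2`, which would alter 16-bit (bpc == 2) SGI decoding unless lines between the hunks were also changed — please verify against upstream, whose version copies two bytes per pixel (`memcpy(dest, src, 2); src += 2; dest += z * 2;`) and reads the control byte as `pixel = src[1]; src += 2;`. The `count > xsize` test in both functions also limits only a single run, not the row: several runs each no longer than xsize still write past the destination row, so decrement the remaining width after the check (`xsize -= count;`) so the bound accumulates. The copy branch likewise reads `count` further bytes from `src` per control byte while the outer loop presumably counts `n` down only once per control byte, so a row can read past `rlelength` despite the caller's `rleoffset + rlelength <= bufsize` check. Both expandrow bodies and ImagingSgiRleDecode extend beyond the hunk.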
@@ -0,0 +1,23 @@ +--- pillow-5.4.1.orig/Tests/test_image.py ++++ pillow-5.4.1/Tests/test_image.py +@@ -539,6 +539,8 @@ class TestImage(PillowTestCase): + "pcx_overrun.bin", + "sgi_overrun_expandrow.bin", + "sgi_overrun_expandrow2.bin", ++ "pcx_overrun.bin", ++ "pcx_overrun2.bin", + ]: + im = Image.open(os.path.join("Tests/images", file)) + try: +--- pillow-5.4.1.orig/src/libImaging/PcxDecode.c ++++ pillow-5.4.1/src/libImaging/PcxDecode.c +@@ -25,6 +25,9 @@ ImagingPcxDecode(Imaging im, ImagingCode + if (strcmp(im->mode, "1") == 0 && state->xsize > state->bytes * 8) { + state->errcode = IMAGING_CODEC_OVERRUN; + return -1; ++ } else if (strcmp(im->mode, "P") == 0 && state->xsize > state->bytes) { ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; + } + + ptr = buf; diff -Nru pillow-5.4.1/debian/patches/CVE-2020-5313.patch pillow-5.4.1/debian/patches/CVE-2020-5313.patch --- pillow-5.4.1/debian/patches/CVE-2020-5313.patch 1970-01-01 00:00:00.000000000 +0000 +++ pillow-5.4.1/debian/patches/CVE-2020-5313.patch 2020-02-06 19:12:39.000000000 +0000 
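Review bot: The new mode-"P" guard, `state->xsize > state->bytes`, assumes one input byte per pixel, but 1-bit multi-plane PCX data (rawmodes like `P;2L`/`P;4L`) also decodes to mode P with fewer than xsize bytes per line, so if the plugin feeds that data through this decoder the check rejects valid images — worth a test with such a file before shipping. A bits-aware condition, `if ((state->xsize * state->bits + 7) / 8 > state->bytes)`, would cover modes 1, P, L and RGB in one place, assuming `state->bits` is populated from the unpacker as in the other decoders. The test list in test_image.py also gains "pcx_overrun.bin" a second time; only `pcx_overrun2.bin` is new. ImagingPcxDecode continues past the hunk.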
@@ -0,0 +1,39 @@ +--- pillow-5.4.1.orig/Tests/test_image.py ++++ pillow-5.4.1/Tests/test_image.py +@@ -549,6 +549,13 @@ class TestImage(PillowTestCase): + except IOError as e: + self.assertEqual(str(e), "buffer overrun when reading image file") + ++ with Image.open("Tests/images/fli_overrun2.bin") as im: ++ try: ++ im.seek(1) ++ self.assertFail() ++ except IOError as e: ++ self.assertEqual(str(e), "buffer overrun when reading image file") ++ + + class MockEncoder(object): + pass +--- pillow-5.4.1.orig/src/libImaging/FliDecode.c ++++ pillow-5.4.1/src/libImaging/FliDecode.c +@@ -40,8 +40,7 @@ ImagingFliDecode(Imaging im, ImagingCode + return 0; + + /* We don't decode anything unless we have a full chunk in the +- input buffer (on the other hand, the Python part of the driver +- makes sure this is always the case) */ ++ input buffer */ + + ptr = buf; + +@@ -52,6 +51,10 @@ ImagingFliDecode(Imaging im, ImagingCode + /* Make sure this is a frame chunk. The Python driver takes + case of other chunk types. */ + ++ if (bytes < 8) { ++ state->errcode = IMAGING_CODEC_OVERRUN; ++ return -1; ++ } + if (I16(ptr+4) != 0xF1FA) { + state->errcode = IMAGING_CODEC_UNKNOWN; + return -1; diff -Nru pillow-5.4.1/debian/patches/series pillow-5.4.1/debian/patches/series --- pillow-5.4.1/debian/patches/series 2019-04-07 00:53:28.000000000 +0000 +++ pillow-5.4.1/debian/patches/series 2020-02-06 19:12:35.000000000 +0000 @@ -2,3 +2,8 @@ generate-webp-file js-script-file.diff 4e0a73b4faf4c0b16c6b3912b64f4ad7a6c99acf.diff +CVE-2019-16865.patch +CVE-2019-19911.patch +CVE-2020-5311.patch +CVE-2020-5312.patch +CVE-2020-5313.patch diff -Nru pillow-5.4.1/debian/source/include-binaries pillow-5.4.1/debian/source/include-binaries --- pillow-5.4.1/debian/source/include-binaries 2014-10-02 12:42:08.000000000 +0000 +++ pillow-5.4.1/debian/source/include-binaries 2020-02-06 19:47:20.000000000 +0000 
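Review bot: The new `bytes < 8` guard covers the `I16(ptr+4)` read in this hunk, but it returns `-1` with IMAGING_CODEC_OVERRUN on short input where the `return 0;` at the top of the hunk signals "need more data": as far as I recall ImageFile.load feeds decoders incrementally, so unless the frame-size comparison between the two hunks (not visible here) compares `framesize` against `bytes` and returns 0, a legitimate frame larger than one read block could now be reported as a buffer overrun rather than waited for — worth testing with a FLI whose frame exceeds the decoder's read block. Since the removed comment drops the assumption that the Python driver supplies a whole chunk, each subchunk case in the switch below this hunk also needs its own bound on what it reads from `ptr`, not just the 10-byte header check. The new test again calls `self.assertFail()`, which should be `self.fail()`. ImagingFliDecode extends beyond the hunk.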
@@ -1 +1,14 @@
 Tests/images/tga_id_field.tga
+Tests/images/combined_larger_than_size.psd
+Tests/images/decompression_bomb.gif
+Tests/images/decompression_bomb.ico
+Tests/images/fli_overrun.bin
+Tests/images/fli_overrun2.bin
+Tests/images/input_bw_five_bands.fpx
+Tests/images/pcx_overrun.bin
+Tests/images/pcx_overrun2.bin
+Tests/images/raw_negative_stride.bin
+Tests/images/sgi_overrun.bin
+Tests/images/sgi_overrun_expandrow.bin
+Tests/images/sgi_overrun_expandrow2.bin
+Tests/images/string_dimension.tiff