1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
From 1e092419b6806495c683043ab3feb6ce264f3b9c Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Mon, 6 Dec 2021 22:24:19 +1100
Subject: [PATCH] Initialize coordinates to zero
CVE: CVE-2022-22815
Upstream-Status: Backport
(https://github.com/python-pillow/Pillow/pull/5920/commits/1e092419b6806495c683043ab3feb6ce264f3b9c)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
---
Tests/test_imagepath.py | 1 +
src/path.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
index 0835fdb4..cd850bb1 100644
--- a/Tests/test_imagepath.py
+++ b/Tests/test_imagepath.py
@@ -90,6 +90,7 @@ def test_path_odd_number_of_coordinates():
[
([0, 1, 2, 3], (0.0, 1.0, 2.0, 3.0)),
([3, 2, 1, 0], (1.0, 0.0, 3.0, 2.0)),
+ (1, (0.0, 0.0, 0.0, 0.0)),
],
)
def test_getbbox(coords, expected):
diff --git a/src/path.c b/src/path.c
index 4764c58a..64c767cb 100644
--- a/src/path.c
+++ b/src/path.c
@@ -57,7 +57,7 @@ alloc_array(Py_ssize_t count) {
if ((unsigned long long)count > (SIZE_MAX / (2 * sizeof(double))) - 1) {
return ImagingError_MemoryError();
}
- xy = malloc(2 * count * sizeof(double) + 1);
+ xy = calloc(2 * count * sizeof(double) + 1, sizeof(double));
if (!xy) {
ImagingError_MemoryError();
}
--
2.33.0
|