[Bug 1933983] [NEW] 5.1.0-1ubuntu0.6 on bionic (python2) can fail on Parser.feed(data) due to OSError

Tom Haddon 1933983 at bugs.launchpad.net
Tue Jun 29 14:15:34 UTC 2021


Public bug reported:

The python2 version of pillow in bionic (python-pil 5.1.0-1ubuntu0.6)
includes debian/patches/CVE-2021-28675.patch, which has the following:

```
--- a/src/PIL/ImageFile.py
+++ b/src/PIL/ImageFile.py
@@ -522,12 +522,18 @@ def _safe_read(fp, size):
 
     :param fp: File handle.  Must implement a <b>read</b> method.
     :param size: Number of bytes to read.
-    :returns: A string containing up to <i>size</i> bytes of data.
+    :returns: A string containing <i>size</i> bytes of data.
+
+    Raises an OSError if the file is truncated and the read can not be completed
+
     """
     if size <= 0:
         return b""
     if size <= SAFEBLOCK:
-        return fp.read(size)
+        data = fp.read(size)
+        if len(data) < size:
+            raise OSError("Truncated File Read")
+        return data
     data = []
     while size > 0:
         block = fp.read(min(size, SAFEBLOCK))
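
Review bot: the `raise OSError("Truncated File Read")` added in the `size <= SAFEBLOCK` branch changes the exception type callers see, and on Python 2 `OSError` and `IOError` are separate classes, so any caller still written as `except IOError:` will not catch it. For a Python 2 backport, either raise `IOError` here or widen those handlers to `except (IOError, OSError):` in the same patch. The docstring now promises exactly `size` bytes, so it should also say that `size <= 0` still returns `b""`.
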
@@ -535,6 +541,8 @@ def _safe_read(fp, size):
             break
         data.append(block)
         size -= len(block)
+    if sum(len(d) for d in data) < size:
+        raise OSError("Truncated File Read")
     return b"".join(data)
```
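
Review bot: the check added after the loop in the second hunk compares against `size`, which the loop has already reduced with `size -= len(block)`, so it tests bytes read against bytes still outstanding rather than against the requested length. A read that reaches end of file after returning at least half of the request passes the check and short data is returned. Keep the requested length in its own variable and compare against that, or test `size > 0` after the loop.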

However, further up in the file in the `feed` method we have:

```
# attempt to open this file
try:
    with io.BytesIO(self.data) as fp:
        im = Image.open(fp)
except IOError:
    # traceback.print_exc()
    pass  # not enough data
```

In the python3 version of this file the IOError has already been changed
to OSError but not so here.

In my local copy of /usr/lib/python2.7/dist-packages/PIL/ImageFile.py
I've changed line 392 from `except IOError:` to `except (IOError,
OSError):` and I can confirm this has fixed the issues I've been seeing
since the release of 5.1.0-1ubuntu0.6 (tracebacks with
`OSError("Truncated File Read")`).

I've tried running the test suite locally (with `make test`) to submit a
patch, but I'm getting lots of unrelated failures in tests (missing
pytest imports, file comparisons not matching, etc.). Happy to provide
more detail on that if appropriate.

** Affects: pillow (Ubuntu)
     Importance: Undecided
         Status: New
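
Added example, not part of the original report and not Pillow's code: a small model of the handler mismatch described above, comparing an `IOError`-only handler with the widened one. The classes `Py2IOError` and `Py2OSError`, the helpers `safe_read`, `open_record`, `Parser` and `run`, and the one-length-byte record format are all hypothetical names constructed for illustration.

```python
import io

# Python 2 stand-ins: there IOError and OSError are sibling classes
# (Python 3 aliases IOError to OSError, which hides the mismatch).
class Py2EnvironmentError(Exception): pass
class Py2IOError(Py2EnvironmentError): pass
class Py2OSError(Py2EnvironmentError): pass

SAFEBLOCK = 4  # tiny block size so the sample exercises the read loop
def safe_read(fp, size):
    """Return exactly size bytes or raise Py2OSError on a short read."""
    remaining, blocks = size, []
    while remaining > 0:
        block = fp.read(min(remaining, SAFEBLOCK))
        if not block:
            break
        blocks.append(block)
        remaining -= len(block)
    if remaining > 0:
        raise Py2OSError("Truncated File Read")
    return b"".join(blocks)

def open_record(fp):
    """Constructed toy format: one length byte, then that many payload bytes."""
    header = bytearray(fp.read(1))
    if not header:
        raise Py2IOError("no header yet")
    return safe_read(fp, header[0])

class Parser(object):
    """Incremental parser shaped like feed(): re-parse the buffer per chunk."""
    def __init__(self, handled):
        self.data, self.payload, self.handled = b"", None, handled
    def feed(self, chunk):
        self.data += chunk
        try:
            self.payload = open_record(io.BytesIO(self.data))
        except self.handled:
            pass  # not enough data yet; wait for the next chunk

def run(handled, chunks):
    """Return the parsed payload, or the name of the exception that escaped."""
    parser = Parser(handled)
    try:
        for chunk in chunks:
            parser.feed(chunk)
    except Py2EnvironmentError as exc:
        return type(exc).__name__
    return parser.payload
CHUNKS = [b"\x0aHELLO", b"WORLD"]  # constructed: length 10, payload in two parts
```

`run(Py2IOError, CHUNKS)` shows the short-read exception escaping on the first chunk, while `run((Py2IOError, Py2OSError), CHUNKS)` waits for the second chunk and returns the full payload.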

https://bugs.launchpad.net/bugs/1933983
