From 1ba82444d8e727170ca3a504c59ae20c5060f6dc Mon Sep 17 00:00:00 2001 From: Anssi Hannula <anssi.hannula@iki.fi> Date: Sat, 13 Nov 2010 07:49:53 +0200 Subject: [PATCH 03/15] fixed: CVE-2008-1679 in internal python (upstream) --- xbmc/lib/libPython/Python/Modules/imageop.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/xbmc/lib/libPython/Python/Modules/imageop.c b/xbmc/lib/libPython/Python/Modules/imageop.c index 1dba8ac..5cb992c 100644 --- a/xbmc/lib/libPython/Python/Modules/imageop.c +++ b/xbmc/lib/libPython/Python/Modules/imageop.c @@ -640,6 +640,11 @@ imageop_rgb82rgb(PyObject *self, PyObject *args) PyErr_SetString(ImageopError, "String has incorrect length"); return 0; } + + if ( nlen / x != y || nlen > INT_MAX / 4) { + PyErr_SetString(ImageopError, "Image is too large"); + return 0; + } rv = PyString_FromStringAndSize(NULL, nlen*4); if ( rv == 0 ) @@ -743,6 +748,11 @@ imageop_grey2rgb(PyObject *self, PyObject *args) PyErr_SetString(ImageopError, "String has incorrect length"); return 0; } + + if ( nlen / x != y || nlen > INT_MAX / 4) { + PyErr_SetString(ImageopError, "Image is too large"); + return 0; + } rv = PyString_FromStringAndSize(NULL, nlen*4); if ( rv == 0 ) -- 1.7.3