From: Serhiy Storchaka <storchaka@gmail.com>
Date: Sun, 31 May 2015 06:05:10 +0000 (+0300)
Subject: Issue #24264: Fixed buffer overflow in the imageop module.
X-Git-Tag: v2.7.11rc1~285
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=062bed289bd2806815203add22d134762bcfbcc3;p=thirdparty%2FPython%2Fcpython.git

Issue #24264: Fixed buffer overflow in the imageop module.
---

diff --git a/Lib/test/test_imageop.py b/Lib/test/test_imageop.py
index 31edbd12454b..9589bf230ca3 100644
--- a/Lib/test/test_imageop.py
+++ b/Lib/test/test_imageop.py
@@ -61,7 +61,9 @@ class InputValidationTests(unittest.TestCase):
         self.check("rgb82rgb")
         self.check("rgb2grey")
         self.check("grey2rgb")
-
+        # Issue #24264: Buffer overflow
+        with self.assertRaises(imageop.error):
+            imageop.grey2rgb('A'*256, 1, 129)
 
 def test_main():
 
diff --git a/Misc/NEWS b/Misc/NEWS
index 1fd5f842051e..4de6d0de4c01 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -26,6 +26,8 @@ Core and Builtins
 Library
 -------
 
+- Issue #24264: Fixed buffer overflow in the imageop module.
+
 - Issue #5633: Fixed timeit when the statement is a string and the setup is not.
 
 - Issue #24326: Fixed audioop.ratecv() with non-default weightB argument.
diff --git a/Modules/imageop.c b/Modules/imageop.c
index 8bd11b24c8a6..b91f967eb2c5 100644
--- a/Modules/imageop.c
+++ b/Modules/imageop.c
@@ -50,8 +50,11 @@ check_multiply_size(int product, int x, const char* xname, int y, const char* yn
         return 0;
     if ( !check_coordonnate(y, yname) )
         return 0;
-    if ( size == (product / y) / x )
-        return 1;
+    if ( product % y == 0 ) {
+        product /= y;
+        if ( product % x == 0 && size == product / x )
+            return 1;
+    }
     PyErr_SetString(ImageopError, "String has incorrect length");
     return 0;
 }