From 194c5dd85b86f939e45c1a80c93c66620cd04547 Mon Sep 17 00:00:00 2001
From: Andrew Murray
Date: Tue, 15 Jun 2021 15:14:26 +1000
Subject: [PATCH 01/10] Limit sprintf modes to 10 characters
(cherry picked from commit 5f4504bb03f4edeeef8c2633dc5ba03a4c2a8a97)
---
 src/libImaging/Convert.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/libImaging/Convert.c b/src/libImaging/Convert.c
index 60513c66d5e..ae5c21ad9c7 100644
--- a/src/libImaging/Convert.c
+++ b/src/libImaging/Convert.c
@@ -1622,12 +1622,9 @@ convert(Imaging imOut, Imaging imIn, const char *mode,
 #ifdef notdef
 return (Imaging) ImagingError_ValueError("conversion not supported");
 #else
- {
- static char buf[256];
- /* FIXME: may overflow if mode is too large */
- sprintf(buf, "conversion from %s to %s not supported", imIn->mode, mode);
- return (Imaging) ImagingError_ValueError(buf);
- }
+ static char buf[100];
+ sprintf(buf, "conversion from %.10s to %.10s not supported", imIn->mode, mode);
+ return (Imaging)ImagingError_ValueError(buf);
 #endif
 imOut = ImagingNew2Dirty(mode, imOut, imIn);
@@ -1681,10 +1678,13 @@ ImagingConvertTransparent(Imaging imIn, const char *mode,
 }
 #else
 {
- static char buf[256];
- /* FIXME: may overflow if mode is too large */
- sprintf(buf, "conversion from %s to %s not supported in convert_transparent", imIn->mode, mode);
- return (Imaging) ImagingError_ValueError(buf);
+ static char buf[100];
+ sprintf(
+ buf,
+ "conversion from %.10s to %.10s not supported in convert_transparent",
+ imIn->mode,
+ mode);
+ return (Imaging)ImagingError_ValueError(buf);
 }
 #endif
From 59d1876c2bae4a90c72e1710aaee0c585d777681 Mon Sep 17 00:00:00 2001
From: Andrew Murray
Date: Wed, 30 Jun 2021 23:47:10 +1000
Subject: [PATCH 02/10] Use snprintf instead of sprintf
(cherry picked from commit 518ee3722a99d7f7d890db82a20bd81c1c0327fb)
---
 src/libImaging/Convert.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/libImaging/Convert.c b/src/libImaging/Convert.c
index ae5c21ad9c7..c18dfe162c1 100644
--- a/src/libImaging/Convert.c
+++ b/src/libImaging/Convert.c
@@ -1623,7 +1623,7 @@ convert(Imaging imOut, Imaging imIn, const char *mode,
 return (Imaging) ImagingError_ValueError("conversion not supported");
 #else
 static char buf[100];
- sprintf(buf, "conversion from %.10s to %.10s not supported", imIn->mode, mode);
+ snprintf(buf, 100, "conversion from %.10s to %.10s not supported", imIn->mode, mode);
 return (Imaging)ImagingError_ValueError(buf);
 #endif
@@ -1679,8 +1679,9 @@ ImagingConvertTransparent(Imaging imIn, const char *mode,
 #else
 {
 static char buf[100];
- sprintf(
+ snprintf(
 buf,
+ 100,
 "conversion from %.10s to %.10s not supported in convert_transparent",
 imIn->mode,
 mode);
From 9bc68a1ec5daa11266078a786fa025103046e75e Mon Sep 17 00:00:00 2001
From: Jeremy
Date: Tue, 27 Jul 2021 15:17:35 +0200
Subject: [PATCH 03/10] added brackets lost in the merge conflict
---
 src/libImaging/Convert.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/libImaging/Convert.c b/src/libImaging/Convert.c
index c18dfe162c1..5f38a3d8a06 100644
--- a/src/libImaging/Convert.c
+++ b/src/libImaging/Convert.c
@@ -1622,9 +1622,11 @@ convert(Imaging imOut, Imaging imIn, const char *mode,
 #ifdef notdef
 return (Imaging) ImagingError_ValueError("conversion not supported");
 #else
- static char buf[100];
- snprintf(buf, 100, "conversion from %.10s to %.10s not supported", imIn->mode, mode);
- return (Imaging)ImagingError_ValueError(buf);
+ {
+ static char buf[100];
+ snprintf(buf, 100, "conversion from %.10s to %.10s not supported", imIn->mode, mode);
+ return (Imaging)ImagingError_ValueError(buf);
+ }
 #endif
 imOut = ImagingNew2Dirty(mode, imOut, imIn);
From ef804202eb81a7f80c861a63d6379cc25574e915 Mon Sep 17 00:00:00 2001
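Review bot: In PATCH 02/10 (src/libImaging/Convert.c), both `snprintf` calls pass the literal `100` as the bound, repeating the size from `static char buf[100];`, so the two numbers can drift apart if the buffer is ever resized. Tying the bound to the array keeps the truncation guarantee attached to the declaration: `snprintf(buf, sizeof(buf), "conversion from %.10s to %.10s not supported", imIn->mode, mode);`. The same applies to the call in `ImagingConvertTransparent` and to the re-bracketed copy in PATCH 03/10. Both functions start and end outside the hunks shown.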
From: Jeremy
Date: Tue, 27 Jul 2021 15:17:50 +0200
Subject: [PATCH 04/10] add +j5 to the version
---
 src/PIL/_version.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PIL/_version.py b/src/PIL/_version.py
index df16dce6036..445e28cbf6f 100644
--- a/src/PIL/_version.py
+++ b/src/PIL/_version.py
@@ -1,2 +1,2 @@
 # Master version for Pillow
-__version__ = "6.2.2"
+__version__ = "6.2.2+j5"
From 27a97851d06e4a9e950ac5c1647bcdd0c4b28667 Mon Sep 17 00:00:00 2001
From: Jeremy
Date: Wed, 28 Jul 2021 11:12:17 +0200
Subject: [PATCH 05/10] update some of the package routes to fetch from the pillow depends url rather than sourceforge which seems to give some problems.
---
 winbuild/config.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/winbuild/config.py b/winbuild/config.py
index ee4b625b778..49582bff782 100644
--- a/winbuild/config.py
+++ b/winbuild/config.py
@@ -1,7 +1,7 @@
 import os
-SF_MIRROR = "http://iweb.dl.sourceforge.net"
 PILLOW_DEPENDS_DIR = "C:\\pillow-depends\\"
+GITHUB_DEPENDS_URL = "https://github.com/python-pillow/pillow-depends/blob/master/"
 pythons = {
 "27": {"compiler": 7, "vc": 2010},
@@ -32,7 +32,7 @@
 "dir": "jpeg-9c",
 },
 "tiff": {
- "url": "ftp://download.osgeo.org/libtiff/tiff-4.0.10.tar.gz",
+ "url": "https://download.osgeo.org/libtiff/tiff-4.0.10.tar.gz",
 "filename": PILLOW_DEPENDS_DIR + "tiff-4.0.10.tar.gz",
 "dir": "tiff-4.0.10",
 },
@@ -42,7 +42,7 @@
 "dir": "freetype-2.10.1",
 },
 "lcms": {
- "url": SF_MIRROR + "/project/lcms/lcms/2.7/lcms2-2.7.zip",
+ "url": GITHUB_DEPENDS_URL + "lcms2-2.7.zip",
 "filename": PILLOW_DEPENDS_DIR + "lcms2-2.7.zip",
 "dir": "lcms2-2.7",
 },
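Review bot: In PATCH 05/10 (winbuild/config.py), `GITHUB_DEPENDS_URL` points at the `blob/master/` view, which serves GitHub's HTML page for a file rather than the archive bytes; the raw form returns the file itself: `GITHUB_DEPENDS_URL = "https://github.com/python-pillow/pillow-depends/raw/master/"`. The same constant feeds the lcms, tcl-8.5, tk-8.5, tcl-8.6 and tk-8.6 entries in the later hunks of this patch. `master` is also a moving ref and no checksum appears in these hunks, so the build would accept whatever the branch holds at download time. Unless the downloader (not shown here) already verifies the archives, pinning a commit SHA in the URL or checking a recorded SHA-256 per archive would make the inputs reproducible.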
@@ -52,23 +52,23 @@
 "dir": "ghostscript-9.27",
 },
 "tcl-8.5": {
- "url": SF_MIRROR + "/project/tcl/Tcl/8.5.19/tcl8519-src.zip",
+ "url": GITHUB_DEPENDS_URL + "tcl8519-src.zip",
 "filename": PILLOW_DEPENDS_DIR + "tcl8519-src.zip",
 "dir": "",
 },
 "tk-8.5": {
- "url": SF_MIRROR + "/project/tcl/Tcl/8.5.19/tk8519-src.zip",
+ "url": GITHUB_DEPENDS_URL + "tk8519-src.zip",
 "filename": PILLOW_DEPENDS_DIR + "tk8519-src.zip",
 "dir": "",
 "version": "8.5.19",
 },
 "tcl-8.6": {
- "url": SF_MIRROR + "/project/tcl/Tcl/8.6.9/tcl869-src.zip",
+ "url": GITHUB_DEPENDS_URL + "tcl869-src.zip",
 "filename": PILLOW_DEPENDS_DIR + "tcl869-src.zip",
 "dir": "",
 },
 "tk-8.6": {
- "url": SF_MIRROR + "/project/tcl/Tcl/8.6.9/tk869-src.zip",
+ "url": GITHUB_DEPENDS_URL + "tk869-src.zip",
 "filename": PILLOW_DEPENDS_DIR + "tk869-src.zip",
 "dir": "",
 "version": "8.6.9",
From dde12fb9462c8476e21dc49ba731ee4abe0f95e3 Mon Sep 17 00:00:00 2001
From: Jeremy
Date: Wed, 28 Jul 2021 11:12:55 +0200
Subject: [PATCH 06/10] comment out the python versions we don't need to try and build
---
 winbuild/config.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/winbuild/config.py b/winbuild/config.py
index 49582bff782..7b9458dfec2 100644
--- a/winbuild/config.py
+++ b/winbuild/config.py
@@ -5,12 +5,12 @@
 pythons = {
 "27": {"compiler": 7, "vc": 2010},
- "pypy2": {"compiler": 7, "vc": 2010},
- "35": {"compiler": 7.1, "vc": 2015},
- "36": {"compiler": 7.1, "vc": 2015},
- "pypy3": {"compiler": 7.1, "vc": 2015},
- "37": {"compiler": 7.1, "vc": 2015},
- "38": {"compiler": 7.1, "vc": 2015},
+ # "pypy2": {"compiler": 7, "vc": 2010},
+ # "35": {"compiler": 7.1, "vc": 2015},
+ # "36": {"compiler": 7.1, "vc": 2015},
+ # "pypy3": {"compiler": 7.1, "vc": 2015},
+ # "37": {"compiler": 7.1, "vc": 2015},
+ # "38": {"compiler": 7.1, "vc": 2015},
 }
 VIRT_BASE = "c:/vp/"
From c9da413d4623e644df28b67b52c3616adf92518b Mon Sep 17 00:00:00 2001
From: Jeremy
Date: Wed, 28 Jul 2021 11:13:24 +0200
Subject: [PATCH 07/10] add the disable-jpeg2000 flag to fix related CVEs
---
 winbuild/build.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 mode change 100755 => 100644 winbuild/build.py
diff --git a/winbuild/build.py b/winbuild/build.py
old mode 100755
new mode 100644
index 0617022dcf9..aa202156d39
--- a/winbuild/build.py
+++ b/winbuild/build.py
@@ -111,9 +111,9 @@ def build_one(py_ver, compiler, bit):
 args["tcl_ver"] = "86"
 if compiler["vc_version"] == "2015":
- args["imaging_libs"] = " build_ext --add-imaging-libs=msvcrt"
+ args["imaging_libs"] = " build_ext --disable-jpeg2000 --add-imaging-libs=msvcrt"
 else:
- args["imaging_libs"] = ""
+ args["imaging_libs"] = "build_ext --disable-jpeg2000"
 args["vc_setup"] = vc_setup(compiler, bit)
From 8fdd5ba82bb202782ffd5f96c3698b06f5179244 Mon Sep 17 00:00:00 2001
From: Jeremy
Date: Wed, 28 Jul 2021 11:15:38 +0200
Subject: [PATCH 08/10] removed the 64 bit script from being created as we don't need it and it breaks
---
 winbuild/build.py | 13 -------------
 1 file changed, 13 deletions(-)
diff --git a/winbuild/build.py b/winbuild/build.py
index aa202156d39..68418ca8a6d 100644
--- a/winbuild/build.py
+++ b/winbuild/build.py
@@ -158,19 +158,6 @@ def main(op):
 )
 )
- scripts.append(
- (
- "%s%s" % (py_version, X64_EXT),
- "\n".join(
- [
- header(op),
- build_one("%sx64" % py_version, py_compilers[64], 64),
- footer(),
- ]
- ),
- )
- )
-
 results = map(run_script, scripts)
 for (version, status, trace, err) in results:
From 915b68f46926982719e907959cacda849da3ca33 Mon Sep 17 00:00:00 2001
From: Jeremy
Date: Wed, 28 Jul 2021 11:17:51 +0200
Subject: [PATCH 09/10] Added some instructions for workarounds to build this, hopefully these can be removed in future.
---
 j5_build_instructions.txt | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 j5_build_instructions.txt
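Review bot: In PATCH 07/10 (winbuild/build.py, `build_one`), the `else` branch value `"build_ext --disable-jpeg2000"` has no leading space, while the VC 2015 branch keeps one and the previous `else` value was empty. That pattern suggests the command template, which lies outside the hunk, appends `imaging_libs` directly to the preceding token, so the non-2015 command line would be malformed; `args["imaging_libs"] = " build_ext --disable-jpeg2000"` matches the other branch. This matters because PATCH 06/10 leaves only the "27" / vc 2010 entry enabled, which presumably takes this `else` path, so it is worth confirming in the build log that the flag actually reaches setup.py. The same patch also drops the executable bit (`old mode 100755`, `new mode 100644`), which looks unintended.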
diff --git a/j5_build_instructions.txt b/j5_build_instructions.txt
new file mode 100644
index 00000000000..eb65891c3e5
--- /dev/null
+++ b/j5_build_instructions.txt
@@ -0,0 +1,6 @@
+Follow the steps in winbuild.rst with the following adustments:
+1. If the downloading of the dependencies fails, adjust the requests call to add header to stop it getting blocked as a blob.
+3. Install Visual Studio C++ extension for 9.0, 1.0, 12.0 and 14.0 (TBC which are actually required)
+5. After running `build_deps.py`, which will fail, - adjust build-deps.cmd batch script with the following:
+ - add "set VCTargetsPath=C:\Program Files (x86)\MSBuild\Microsoft.Cpp\4.0\V140" on line 14
+ - change "v7.0" to "v7.1" on line 26 (now 27) for the SetEnv.cmd file
From fe7147158ab47f5b605acd49dfaf9bf39c507d64 Mon Sep 17 00:00:00 2001
From: Jeremy
Date: Wed, 28 Jul 2021 16:24:31 +0200
Subject: [PATCH 10/10] correct version number for VC 10.0
---
 j5_build_instructions.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/j5_build_instructions.txt b/j5_build_instructions.txt
index eb65891c3e5..c90ced50ea2 100644
--- a/j5_build_instructions.txt
+++ b/j5_build_instructions.txt
@@ -1,6 +1,6 @@
 Follow the steps in winbuild.rst with the following adustments:
 1. If the downloading of the dependencies fails, adjust the requests call to add header to stop it getting blocked as a blob.
-3. Install Visual Studio C++ extension for 9.0, 1.0, 12.0 and 14.0 (TBC which are actually required)
+3. Install Visual Studio C++ extension for 9.0, 10.0, 12.0 and 14.0 (TBC which are actually required)
 5. After running `build_deps.py`, which will fail, - adjust build-deps.cmd batch script with the following:
 - add "set VCTargetsPath=C:\Program Files (x86)\MSBuild\Microsoft.Cpp\4.0\V140" on line 14
 - change "v7.0" to "v7.1" on line 26 (now 27) for the SetEnv.cmd file