Merged revisions 67266 via svnmerge from

svn+ssh://pythondev@svn.python.org/python/trunk

........
  r67266 | amaury.forgeotdarc | 2008-11-18 23:19:37 +0100 (mar., 18 nov. 2008) | 4 lines

  #4317: Fix an Array Bounds Read in imageop.rgb2rgb8.

  Will backport to 2.4.
........

Lib/test/test_imageop.py

@@ -15,6 +15,7 @@ SIZES = (1, 2, 3, 4)
 _VALUES = (1, 2, 2**10, 2**15-1, 2**15, 2**15+1, 2**31-2, 2**31-1)
 VALUES = tuple( -x for x in reversed(_VALUES) ) + (0,) + _VALUES
 AAAAA = "A" * 1024
+MAX_LEN = 2**20
 
 
 class InputValidationTests(unittest.TestCase):
@@ -26,7 +27,7 @@ class InputValidationTests(unittest.TestCase):
                 strlen = abs(width * height)
                 if size:
                     strlen *= size
-                if strlen < 1024:
+                if strlen < MAX_LEN:
                     data = "A" * strlen
                 else:
                     data = AAAAA

Misc/NEWS

@@ -12,6 +12,8 @@ What's New in Python 2.6.1 alpha 1
 Core and Builtins
 -----------------
 
+- Issue #4317: Fixed a crash in the imageop.rgb2rgb8() function.
+
 - Issue #4230: If ``__getattr__`` is a descriptor, it now functions correctly.
 
 - Issue #4048: The parser module now correctly validates relative imports.

Modules/imageop.c

@@ -590,7 +590,7 @@ imageop_rgb2rgb8(PyObject *self, PyObject *args)
 	if ( !PyArg_ParseTuple(args, "s#ii", &cp, &len, &x, &y) )
 		return 0;
 
-	if ( !check_multiply_size(len*4, x, "x", y, "y", 4) )
+	if ( !check_multiply_size(len, x, "x", y, "y", 4) )
 		return 0;
 	nlen = x*y;
 	if ( !check_multiply(nlen, x, y) )