3 files changed, 58 insertions, 1 deletions

diff --git a/graphics/py-imaging/Makefile b/graphics/py-imaging/Makefile
index 79adbd76fade..b9724a39fa1d 100644
--- a/graphics/py-imaging/Makefile
+++ b/graphics/py-imaging/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME=	imaging
 PORTVERSION=	1.1.7
-PORTREVISION=	5
+PORTREVISION=	6
 CATEGORIES=	graphics python
 MASTER_SITES=	http://effbot.org/media/downloads/ \
 		http://www.pythonware.net/storage/
diff --git a/graphics/py-imaging/files/patch-CVE-2016-0775 b/graphics/py-imaging/files/patch-CVE-2016-0775
new file mode 100644
index 000000000000..cbd446180284
--- /dev/null
+++ b/graphics/py-imaging/files/patch-CVE-2016-0775
@@ -0,0 +1,24 @@
+From bcaaf97f4ff25b3b5b9e8efeda364e17e80858ec Mon Sep 17 00:00:00 2001
+From: wiredfool <eric-github@soroos.net>
+Date: Wed, 20 Jan 2016 22:37:28 +0000
+Subject: [PATCH] FLI overflow error fix and testcase CVE-2016-0775
+
+---
+ Tests/check_fli_overflow.py   |  16 ++++++++++++++++
+ Tests/images/fli_overflow.fli | Bin 0 -> 4645 bytes
+ libImaging/FliDecode.c        |   2 +-
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+ create mode 100644 Tests/check_fli_overflow.py
+ create mode 100644 Tests/images/fli_overflow.fli
+
+--- libImaging/FliDecode.c
++++ libImaging/FliDecode.c
+@@ -185,7 +185,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 	    /* COPY chunk */
+ 	    for (y = 0; y < state->ysize; y++) {
+ 		UINT8* buf = (UINT8*) im->image[y];
+-		memcpy(buf+x, data, state->xsize);
++		memcpy(buf, data, state->xsize);
+ 		data += state->xsize;
+ 	    }
+ 	    break;
diff --git a/graphics/py-imaging/files/patch-libImaging-PcdDecode.c b/graphics/py-imaging/files/patch-libImaging-PcdDecode.c
new file mode 100644
index 000000000000..4c996ee4d8f4
--- /dev/null
+++ b/graphics/py-imaging/files/patch-libImaging-PcdDecode.c
@@ -0,0 +1,33 @@
+From ae453aa18b66af54e7ff716f4ccb33adca60afd4 Mon Sep 17 00:00:00 2001
+From: wiredfool <eric-github@soroos.net>
+Date: Tue, 2 Feb 2016 05:46:26 -0800
+Subject: [PATCH] PCD decoder overruns the shuffle buffer, Fixes #568
+
+---
+ Tests/images/hopper.pcd | Bin 0 -> 788480 bytes
+ Tests/test_file_pcd.py  |  18 ++++++++++++++++++
+ libImaging/PcdDecode.c  |   4 ++--
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100644 Tests/images/hopper.pcd
+ create mode 100644 Tests/test_file_pcd.py
+
+--- libImaging/PcdDecode.c
++++ libImaging/PcdDecode.c
+@@ -47,7 +47,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 	    out[0] = ptr[x];
+ 	    out[1] = ptr[(x+4*state->xsize)/2];
+ 	    out[2] = ptr[(x+5*state->xsize)/2];
+-	    out += 4;
++	    out += 3;
+ 	}
+ 
+ 	state->shuffle((UINT8*) im->image[state->y],
+@@ -62,7 +62,7 @@ ImagingPcdDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 	    out[0] = ptr[x+state->xsize];
+ 	    out[1] = ptr[(x+4*state->xsize)/2];
+ 	    out[2] = ptr[(x+5*state->xsize)/2];
+-	    out += 4;
++	    out += 3;
+ 	}
+ 
+ 	state->shuffle((UINT8*) im->image[state->y],