From 062bed289bd2806815203add22d134762bcfbcc3 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Sun, 31 May 2015 09:05:10 +0300
Subject: Issue #24264: Fixed buffer overflow in the imageop module.

---
 Lib/test/test_imageop.py | 4 +++-
 Misc/NEWS                | 2 ++
 Modules/imageop.c        | 7 +++++--
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/Lib/test/test_imageop.py b/Lib/test/test_imageop.py
index 31edbd1..9589bf2 100644
--- a/Lib/test/test_imageop.py
+++ b/Lib/test/test_imageop.py
@@ -61,7 +61,9 @@ class InputValidationTests(unittest.TestCase):
         self.check("rgb82rgb")
         self.check("rgb2grey")
         self.check("grey2rgb")
-
+        # Issue #24264: Buffer overflow
+        with self.assertRaises(imageop.error):
+            imageop.grey2rgb('A'*256, 1, 129)
 
 def test_main():
 
diff --git a/Misc/NEWS b/Misc/NEWS
index 1fd5f84..4de6d0d 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -26,6 +26,8 @@ Core and Builtins
 Library
 -------
 
+- Issue #24264: Fixed buffer overflow in the imageop module.
+
 - Issue #5633: Fixed timeit when the statement is a string and the setup is not.
 
 - Issue #24326: Fixed audioop.ratecv() with non-default weightB argument.
diff --git a/Modules/imageop.c b/Modules/imageop.c
index 8bd11b2..b91f967 100644
--- a/Modules/imageop.c
+++ b/Modules/imageop.c
@@ -50,8 +50,11 @@ check_multiply_size(int product, int x, const char* xname, int y, const char* yn
         return 0;
     if ( !check_coordonnate(y, yname) )
         return 0;
-    if ( size == (product / y) / x )
-        return 1;
+    if ( product % y == 0 ) {
+        product /= y;
+        if ( product % x == 0 && size == product / x )
+            return 1;
+    }
     PyErr_SetString(ImageopError, "String has incorrect length");
     return 0;
 }
-- 
cgit v0.12