fix CVE-2021-41496

2022-01-05 10:00:36 +08:00 · 2022-01-05 10:00:36 +08:00 · a44efbd753
commit a44efbd753
parent 7447565b06
2 changed files with 66 additions and 1 deletions
--- a/backport-CVE-2021-41496.patch
+++ b/backport-CVE-2021-41496.patch
@ -0,0 +1,60 @@
+From 271010f1037150e95017f803f4214b8861e528f2 Mon Sep 17 00:00:00 2001
+From: Warren Weckesser <warren.weckesser@gmail.com>
+Date: Mon, 20 Dec 2021 10:35:31 -0500
+Subject: [PATCH] BUG: f2py: Simplify creation of an exception message. Closes
+ gh-19000.
+
+---
+ numpy/f2py/src/fortranobject.c | 28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/numpy/f2py/src/fortranobject.c b/numpy/f2py/src/fortranobject.c
+index 4a981bf..d323878 100644
+--- a/numpy/f2py/src/fortranobject.c
+++ b/numpy/f2py/src/fortranobject.c
+@@ -595,14 +595,14 @@ static int check_and_fix_dimensions(const PyArrayObject* arr,
+                                     npy_intp *dims);
+ 
+ static int
+-count_negative_dimensions(const int rank,
+-                          const npy_intp *dims) {
+-    int i=0,r=0;
+-    while (i<rank) {
+-        if (dims[i] < 0) ++r;
+-        ++i;
+find_first_negative_dimension(const int rank, const npy_intp *dims)
+{
+    for (int i = 0; i < rank; ++i) {
+        if (dims[i] < 0) {
+            return i;
+        }
+     }
+-    return r;
+    return -1;
+ }
+ 
+ #ifdef DEBUG_COPY_ND_ARRAY
+@@ -679,14 +679,12 @@ PyArrayObject* array_from_pyobj(const int type_num,
+         || ((intent & F2PY_OPTIONAL) && (obj==Py_None))
+         ) {
+         /* intent(cache), optional, intent(hide) */
+-        if (count_negative_dimensions(rank,dims) > 0) {
+-            int i;
+-            strcpy(mess, "failed to create intent(cache|hide)|optional array"
+-                   "-- must have defined dimensions but got (");
+-            for(i=0;i<rank;++i)
+-                sprintf(mess+strlen(mess),"%" NPY_INTP_FMT ",",dims[i]);
+-            strcat(mess, ")");
+-            PyErr_SetString(PyExc_ValueError,mess);
+        int i = find_first_negative_dimension(rank, dims);
+        if (i >= 0) {
+            PyErr_Format(PyExc_ValueError,
+                         "failed to create intent(cache|hide)|optional array"
+                         " -- must have defined dimensions, but dims[%d] = %"
+                         NPY_INTP_FMT, i, dims[i]);
+             return NULL;
+         }
+         arr = (PyArrayObject *)
+-- 
+2.27.0
+
--- a/numpy.spec
+++ b/numpy.spec
@ -2,7 +2,7 @@

 Name:           numpy
 Version:        1.21.4
-Release:        1
+Release:        2
 Epoch:          1
 Summary:        A fast multidimensional array facility for Python

@ -14,6 +14,8 @@ BuildRequires:  openblas-devel
 BuildRequires:  lapack-devel gcc-gfortran
 BuildRequires:  python3-Cython >= 0.29.24

+Patch0:         backport-CVE-2021-41496.patch
+
 %description
 NumPy is the fundamental package for scientific computing with Python. It contains among other things:
 a powerful N-dimensional array object
@ -102,6 +104,9 @@ popd &> /dev/null


 %changelog
+* Wed Jan 05 2022 yuanxin <yuanxin24@huawei.com> - 1.21.4-2
+- fix CVE-2021-41496
+
 * Mon Dec 13 2021 shixuantong <shixuantong@huawei.com> - 1.21.4-1
 - update version to 1.21.4