From 4354fa540290f0d291c0bce16d688ef5191b468a Mon Sep 17 00:00:00 2001
From: Andrew Murray
Date: Sat, 15 Aug 2020 21:43:49 +1000
Subject: [PATCH] Moved CVE images into password-protected zip

---
 Tests/check_tiff_crashes.py | 26 ++++++++++++++++++--------
 Tests/images/crash.zip      | Bin 0 -> 1902 bytes
 Tests/images/crash_1.tif    | Bin 6511 -> 0 bytes
 Tests/images/crash_2.tif    | Bin 6223 -> 0 bytes
 4 files changed, 18 insertions(+), 8 deletions(-)
 create mode 100644 Tests/images/crash.zip
 delete mode 100644 Tests/images/crash_1.tif
 delete mode 100644 Tests/images/crash_2.tif

diff --git a/Tests/check_tiff_crashes.py b/Tests/check_tiff_crashes.py
index f4eb0437514..33b9c87701e 100644
--- a/Tests/check_tiff_crashes.py
+++ b/Tests/check_tiff_crashes.py
@@ -14,16 +14,26 @@
 # version.
 
+import io
+import zipfile
+
 from PIL import Image
 
+# The vulnerabilities represented by these files have been addressed.
+# However, antivirus software does not detect that this is a version of Pillow
+# with those fixes, and so to prevent unnecessary alarm, the files are
+# hidden inside a password-protected zip
 repro_read_strip = (
-    "images/crash_1.tif",
-    "images/crash_2.tif",
+    "crash_1.tif",
+    "crash_2.tif",
 )
 
-for path in repro_read_strip:
-    with Image.open(path) as im:
-        try:
-            im.load()
-        except Exception as msg:
-            print(msg)
+with zipfile.ZipFile("images/crash.zip") as crashzip:
+    for path in repro_read_strip:
+        with crashzip.open(path, pwd=b"vulnerabilitiesaddressed") as f:
+            data = io.BytesIO(f.read())
+            with Image.open(data) as im:
+                try:
+                    im.load()
+                except Exception as msg:
+                    print(msg)
 
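Review bot: The literal `pwd=b"vulnerabilitiesaddressed"` in the new `crashzip.open(...)` call looks like an embedded credential, but the header comment added above `repro_read_strip` only explains why the images are zipped, not that the password is intentionally public and provides no confidentiality; a secret scanner or a later maintainer is likely to flag or "rotate" it. I would extend that comment with one line: `# The password is not a secret; it only stops scanners from flagging the archive.` The `data = io.BytesIO(f.read())` copy is also undocumented — a why-comment such as `# Image.open wants a seekable stream, so buffer the member` would help, assuming that is the reason (whether the ZipExtFile returned by `crashzip.open` is seekable enough for Pillow depends on the Python version). Finally, the script still resolves `images/crash.zip` relative to the current working directory, as the old `images/crash_*.tif` paths did, so it must be run from `Tests/`; a short comment at the top of the `with` block stating that would save a confusing `FileNotFoundError`.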
diff --git a/Tests/images/crash.zip b/Tests/images/crash.zip new file mode 100644 index 0000000000000000000000000000000000000000..c2c9afb91ff6a316d1dfb0604f2e6daa14fdc632 GIT binary patch literal 1902 zcmZ|QX*|^19|!QCb&M(d*axXU6AFW?v5zLaaK~DtFxMKgjdI7$nwZdHt(aurhQg4o zP{vqu?Fkd<4z6vev4{EVfA0g`|LdOf;GFZ|e7=v~uaC6_2d4-C26%wW<@`3jY~k$t z>;Mob0RRv{8gR$`5^~K|{p<}NuZ#9zfFrC!+f}$z+w~?M0 z=oH`GB>q0OLqq4XZ!ufjEZ5YhuY1GodzrB@P3P9qhRTE^Cr-b`z%;SP@jSSXsnG+H zVmQ(q6kqAmuB0embp>$-v2CzJ2i=fs2w34rXl89X7k=uYYzD7PYM|@WXYP~c`p11> zO;x_169X{9f+{Z@yH`DT?PJ0(mYMq!2=HiJT@t7uMyDp?SWB4U+mbPQ7Lw1|pA7t2hAQkgH ztw$5Il<}A(b*S+)3n&}1K~NrkD&ey z%|p}5=L>@${9$G29AM8_(k(gZ?AIG4cvr)xsOh~9U;b94nN@~X-?wgC1xX!#O5-t| zE&qjD-CrXmvYvjN8ouNq6weC%d~trDT~fmFc15*@xzmYtUbfzp*${R8u~wO0oYdJI!p|W3fU^KsD!kb*qMCamY=ik)ZdiDsFv~6d7 zy)ZzGwX~VBhG&Hx*p|=ivx;V8d|CS0Q}0ztCfX2Oe|DJvqF=Xov-?YW88HX0XwW!7 zeo51LQL#I7D-r1F;+WE*TE`e#fX2ysGvc`)%gLw$s@0tRa!7u*t-{`Wth%bM@blOd z;X+=~ytYKIXHsUnT4y&sCfu88W+_nSs8$S9$JzqKbJUIX527j}v+Mae0KiK8s3^n_ zq6Gh6)Uq_o`>UtqpaX%VB+J=SN_8vrI+r4P6~<&F@}GB;5529WH?NypD%PU7G7{UU zUKNh|?ApJZ%HbM^91Evi>3mi=>czIGnw*R=jkee?6rCiBUl^;|LjrX*(g~$M(SBxg zv=lQV&9+XWT2*A+4gxQ$%Jgrbi6y?~kBq4S0*UqA_wTKyYtk2!v*)%ix7A8*b$b8QKBV{O zL+404-Mv^tQw93g`a>syxaW%U9ti&ar9pioxo2+3dnUnJGLYC}h?b}HN)ZHs_MPL%YOH(nKO z4KJBJ!9^Pl@DFkrF2f9_PYw?}iP|gE%cLvYgFzHOKzj!Q)+9ZhzR@1}IvU;a8s-+* z@z^HBhrg?jv5qZw;!qsl){X+wR&6LtDODUY^fqpnny*9GmOCn68M;hMb~}ySLAgK| zHd{K=-d;0vs#rpUWl7MmOG!<=lPTxulWE^de68TMun3U^sKam+nx#N`yCdDWNO~u6 zQl*bRUSI(>x-tE8^#W!Q8`Q$9XG2~LG>gQal5IkqDrcy%-0`KqmcdOYQ7N>!eS)?z zVKkwLzoE#!Mz%qUT6%{enle^wW3v5vG7SmZCuT7Oep^mz|0BWYDU^IdHl)*VyukmF zCN17dU!C%RFtp|9n%h6|rCI|uMrPC!Fx695$a&;t>|=aJmg*5fWApm=nFo#hkO-JMOJycw|@e^d;#5j0n4lXHWHJQn#BjPgKntOMLrYrw&HyB zQ<5(Iwz4m{23iPbVLgWlaQ)k(@x?7`ZSnIajrZ!w&YdJVdHBOT%@CsB31y{W4AX2x z?+YD3Z8CY*pd(Fl*;n^5SV53AQ@aN$Fd-x$P`O?`l|Et^L1Bea?u?JV;pX|W`(cDv z2=(3AQAySoZ0s@||JGZF)c#(DG2bsgv>4Z4E%uKF`)ATT}o5 literal 0 HcmV?d00001 
diff --git a/Tests/images/crash_1.tif b/Tests/images/crash_1.tif deleted file mode 100644 index 230d4439aadb0867d3005e6cec458b69588ecc42..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6511 zcmebD)M7AVWMHV6(|g&_`>=xu`-lHenXc<+*sg58(KBmF8RG(#Cix`+_6-)6DHftj zn&l7jKaz+#xPIbA!=}y8@3wB6{ypl&?N7?z|LN;06e#@g8$?4B4L z>-8vd@8*uFRg0I^J<;Ck81HiB+@w9&fVg9BO=v>V?z{z^wa?ESiO|tqd2%-+GXv0Z z3^Re45yS>bfW%n^4sJY}@9cYKzgEf-qmPZ8C)Zwl&=Qfhd#*9_uOoMMmh`J0`40gM z7AmP))wR;)9*6bz@#Lg%mYqC3moxaFbXnRfGs_Ku{8xgm^Xx3+?lqrSYVDoyEqCWM zwnpBE`vS^~1)pj8&tRV>WgmaMCy)QzwcFa>vbV1=F5X>GR@IYw;HaGT4o=@(CeM?6 z$KB5JZ(Qe79ck_I$K3sh+Qwu3PF26zlUKMiFbFXGV_*S$1LzB&KbRSqe*XWT26Wv& zsQ1jVSi*qSmW}+?=Y7_p+Jfu~h&*8rl*2s$3f@f(K!OeEL}pUL62n_4F$FZyoPoiJ zfq@C?Nsufvlue$6JURYAGr$qJ2oZsQ7$cCP@H{YB4T+9NP%u!(p><>dd}(x;c#+s} zDF-RU$g6}h;y_0rvAzSV!|)xrB*K~H&d2@br+X4}sx=9Aeve+084d>RJDUDY4kc8VhFh;q!vdhiO}rB-Y6IV zr;_7EoV{AI8hW5ON9)y6si6ms1}v31X5$Jec2F96NGSuaCTvLvtN|3Gz!c~J#Ntp( zn1O65MphunFxrsBHLfzG8kP4!!V&sa~)*Fs4@Tm 
diff --git a/Tests/images/crash_2.tif b/Tests/images/crash_2.tif deleted file mode 100644 index 26c00d0ff1ae8610df40faf6e38cf41afff596d5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6223 zcmebD)M7AVWMHV6(|g&_`>=xu`-lHenXc<+*sg58(KBmF8RG(#Cix`+_6-)6DHftj zn&l7jKaz+#xPIbA!=}y8@3wB6{ypl&?N7?z|LN;06e#@g8$?4B4L z>-8vd@8*uFRg0I^J<;Ck81HiB+@w9&fVg9BO=v>V?z{z^wa?ESiO|tqd2%-+GXv0Z z3^Re45yS>bfW%n^4sJY}@9cYKzgEf-qmPZ8C)Zwl&=Qfhd#*9_uOoMMmh`J0`40gM z7AmP))wR;)9*6bz@#Lg%mYqC3moxaFbXnRfGs_Ku{8xgm^Xx3+?lqrSYVDoyEqCWM zwnpBE`vS^~1)pj8&tRV>WgmaMCy)QzwcFa>vbV1=F5X>GR@IYw;HaGT4o=@(CeM?6 z$KB5JZ(Qe79ck_I$K3sh+Qwu3PF26zlUKMiFbFXGV_*S$1LzB&KbRSqe*XWT26Wv& zsQ1jVSi*qSmW}+?=Y7_p+Jfu~h&*8rl*2s$3f@f(K!OeEL}pUL62n_4F$FZyoPoiJ zfq@C?Nsufvlue$6(8ybah`c|H5lGQ@9vGyCM8_d02&m)8I@$y5i5O>Wp{G|IeiZ@6 z5P|q%fM=9HNFhyhAQ!{a89bw4OTxG^3VMn%Mz|Lwg(W>f@)<896N4vE{s&N%AR{F6 zaRB-6{`~<7ffb3mASFz&X}EL=0Tm|0wIS((ScaLXA>xcTFij;?GJtfz3p*ei7C}HJ z7C?MaI-iuH^z@J_OM&5n5@J*=OQBIcT8>ezfTK-02FoR|Jc=bpQneUk5FIT923Lb> zv=A7)jTvGa)l_aPAQcMWdKgQgfLT8eg0=#v;R0^AjJ6f1-tR&yCcy19P$IyRHmF)* zfI5hzw0nu~iDJz(%rpV8o~JRv{w*j-QQBlcKC~M+5LxjzuwVG<-=F^=yTSJ3b;M}1 zoi0Nl=t+daX1f(y|B}{2AUq6^0j1$F2x5kFqy{>0mZBc#C<^lUA<(lxfURsmYBGQZ3Sfl{tcw6Kgj^C*UXea9F#t{_$BQ^S z5!eQs81MxHda#3wcu*(+W6c4G#i7x}3}j0&vVz0ai3!Mo0fFQ&R3E@hB+6Q3OFZu1 z-oN1gg>5sy`0B3N|A7q*pf$Lxg{nvGRDzujaps)v^8XWCVeX_0jUF;!C*DW)639_d MA5Lrq`4Qqu07c*)kN^Mx