Improved performance and security for ContentStream_readInlineImage. #740
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MartinThoma
added
nf-security
Member
|
@MasterOdin What do you think about the PR? Do you see anything that this could break? |
MartinThoma
reviewed
Apr 15, 2022
MartinThoma
reviewed
Apr 15, 2022
Codecov Report
@@ Coverage Diff @@
## main #740 +/- ##
==========================================
- Coverage 69.53% 69.47% -0.07%
==========================================
Files 9 9
Lines 3309 3315 +6
Branches 782 783 +1
==========================================
+ Hits 2301 2303 +2
- Misses 767 769 +2
- Partials 241 243 +2
Continue to review full report at Codecov.
|
Member
|
I'm currently trying to find a PDF with an inline image so that the code at least runs once |
Member
|
Ah, just found your comment again: from reportlab.pdfgen import canvas
c = canvas.Canvas("test.pdf")
c.drawInlineImage("test.png", 100, 100, 100, 100)
c.drawString(200, 100, "Test")
c.showPage()
c.save() |
Member
|
Thank you so much for all the time you invested into this over so 5 years! 🙏 |
MartinThoma
added a commit
that referenced
this pull request
Apr 15, 2022
Security (SEC): - ContentStream_readInlineImage had potential infinite loop (#740) Bug fixes (BUG): - Fix merging encrypted files (#757) - CCITTFaxDecode decodeParms can be an ArrayObject (#756) Robustness improvements (ROBUST): - title sometimes None (#744) Documentation (DOC): - Adjust short description of the package Tests and Test setup (TST): - Rewrite JS tests from unittest to pytest (#746) - Increase Test coverage, mainly with filters (#756) - Add test for inline images (#758) Developer Experience Improvements (DEV): - Remove unused Travis-CI configuration (#747) - Show code coverage (#754, #755) - Add mutmut (#760) Miscellaneous: - STY: Closing file handles, explicit exports, ... (#743) All changes: 1.27.4...1.27.5
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Recreated pull-request of the accidentally closed PR #331.
It fixes #329 by raising an exception when the stream ends and we haven't the end token for the inline image.
It also fixes #330 by using a more efficient parsing algorithm. For large inline images this change speeds up this method by many orders of magnitude:
find()method to check for theEthe token. Only when the token is found it falls back to the normal algorithm that detects the end of the inline image.datait usesBytesIOto collect the output which support much faster appends.