!139 Fix CVE-2022-45198

From: @wk333 Reviewed-by: @cherry530 Signed-off-by: @cherry530
2023-12-08 08:47:07 +00:00 · 2023-12-08 08:47:07 +00:00 · 08c18cb0d9
commit 08c18cb0d9
parent b12a8f7b77 9c3b0840d6
3 changed files with 55 additions and 8 deletions
--- a/CVE-2022-45198.patch
+++ b/CVE-2022-45198.patch
@ -0,0 +1,41 @@
 From 20c10c81927790c700480a67dc48aebe2228d6e2 Mon Sep 17 00:00:00 2001
 From: zhangshaoning <zhangshaoning@uniontech.com>
 Date: Sat, 6 May 2023 15:06:22 +0800
 Subject: [PATCH] CVE-2022-45198
 ---
 Tests/test_decompression_bomb.py            |   5 +++++
 src/PIL/GifImagePlugin.py                   |   1 +
 2 files changed, 6 insertions(+)
 diff --git a/Tests/test_decompression_bomb.py b/Tests/test_decompression_bomb.py
 index d918ef9..18fed06 100644
 --- a/Tests/test_decompression_bomb.py
 +++ b/Tests/test_decompression_bomb.py
@@ -62,6 +62,11 @@ class TestDecompressionBomb:
             with Image.open("Tests/images/decompression_bomb.gif"):
                 pass
 +    def test_exception_gif_extents(self):
 +        with Image.open("Tests/images/decompression_bomb_extents.gif") as im:
 +            with pytest.raises(Image.DecompressionBombError):
 +                im.seek(1)
 +
     def test_exception_bmp(self):
         with pytest.raises(Image.DecompressionBombError):
             with Image.open("Tests/images/bmp/b/reallybig.bmp"):
 diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py
 index 8c2180b..04b567a 100644
 --- a/src/PIL/GifImagePlugin.py
 +++ b/src/PIL/GifImagePlugin.py
@@ -247,6 +247,7 @@ class GifImageFile(ImageFile.ImageFile):
                 x1, y1 = x0 + i16(s, 4), y0 + i16(s, 6)
                 if x1 > self.size[0] or y1 > self.size[1]:
                     self._size = max(x1, self.size[0]), max(y1, self.size[1])
 +                    Image._decompression_bomb_check(self._size)
                 self.dispose_extent = x0, y0, x1, y1
                 flags = s[8]
 -- 
 2.20.1
--- a/decompression_bomb_extents.gif
+++ b/decompression_bomb_extents.gif
--- a/python-pillow.spec
+++ b/python-pillow.spec
@ -5,19 +5,21 @@
 Name:           python-pillow
 Version:        9.0.1
-Release:        4
+Release:        5
 Summary:        Python image processing library 
 License:        MIT
 URL:            http://python-pillow.github.io/
 Source0:        https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
 Source1:        oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
 # https://github.com/python-pillow/Pillow/blob/c9f1b35/Tests/images/decompression_bomb_extents.gif
 Source2:        decompression_bomb_extents.gif
-Patch0:         python-pillow_spinxwarn.patch
+Patch0000:      python-pillow_spinxwarn.patch
-Patch1:         python-pillow_sphinx-issues.patch
+Patch0001:      python-pillow_sphinx-issues.patch
-
+Patch0002:      backport-Corrected-memory-allocation.patch
-Patch6000:      backport-Corrected-memory-allocation.patch
+Patch0003:      CVE-2022-45199.patch
-Patch6001:      CVE-2022-45199.patch
+Patch0004:      CVE-2023-44271.patch
-Patch6002:      CVE-2023-44271.patch
+Patch0005:      CVE-2022-45198.patch
 BuildRequires:  freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel
 BuildRequires:  libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
@ -97,9 +99,10 @@ Provides:       python3-imaging-qt = %{version}-%{release}
 Qt pillow image wrapper.
 %prep
 %autosetup -p1 -n Pillow-%{version} 
 cp %{SOURCE1} Tests/images/
 %build
 cp %{SOURCE1} Tests/images/
 cp %{SOURCE2} Tests/images/
 %py3_build
@ -156,6 +159,9 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
 %{python3_sitearch}/PIL/__pycache__/ImageQt*
 %changelog
 * Thu Dec 07 2023 wangkai <13474090681@163.com> - 9.0.1-5
 - Fix CVE-2022-45198
 * Tue Nov 14 2023 hanhuihui <hanhuihui5@huawei.com> - 9.0.1-4
 - Type:CVE
 - ID:NA