Fix CVE-2024-28219

(cherry picked from commit 153d5e6d363befe4ac93a207597edd0e4288f12c)

CVE-2024-28219.patch

@@ -0,0 +1,55 @@
+From 2a93aba5cfcf6e241ab4f9392c13e3b74032c061 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Thu, 22 Feb 2024 18:56:26 +1100
+Subject: [PATCH] Use strncpy to avoid buffer overflow
+
+Origin: https://github.com/python-pillow/Pillow/commit/2a93aba5cfcf6e241ab4f9392c13e3b74032c061
+
+---
+ Tests/icc/sGrey-v2-nano.icc | Bin 0 -> 290 bytes
+ Tests/test_imagecms.py      |   5 +++++
+ src/_imagingcms.c           |   9 ++++-----
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+ create mode 100644 Tests/icc/sGrey-v2-nano.icc
+
+diff --git a/Tests/test_imagecms.py b/Tests/test_imagecms.py
+index c80fab75b67..fbd78032e59 100644
+--- a/Tests/test_imagecms.py
++++ b/Tests/test_imagecms.py
+@@ -593,3 +593,8 @@
+                 )
+
+                 assert_image_equal(test_image.convert(dst_format[2]), reference_image)
++
++
++def test_long_modes() -> None:
++    p = ImageCms.getOpenProfile("Tests/icc/sGrey-v2-nano.icc")
++    ImageCms.buildTransform(p, p, "ABCDEFGHI", "ABCDEFGHI")
+diff --git a/src/_imagingcms.c b/src/_imagingcms.c
+index 4d66dcc1085..84b8a7e71f9 100644
+--- a/src/_imagingcms.c
++++ b/src/_imagingcms.c
+@@ -201,8 +201,8 @@ cms_transform_new(cmsHTRANSFORM transform, char *mode_in, char *mode_out) {
+ 
+     self->transform = transform;
+ 
+-    strcpy(self->mode_in, mode_in);
+-    strcpy(self->mode_out, mode_out);
++    strncpy(self->mode_in, mode_in, 8);
++    strncpy(self->mode_out, mode_out, 8);
+ 
+     return (PyObject *)self;
+ }
+@@ -242,10 +242,9 @@ findLCMStype(char *PILmode) {
+         // LabX equivalent like ALab, but not reversed -- no #define in lcms2
+         return (COLORSPACE_SH(PT_LabV2) | CHANNELS_SH(3) | BYTES_SH(1) | EXTRA_SH(1));
+     }
+-
+     else {
+-        /* take a wild guess... but you probably should fail instead. */
+-        return TYPE_GRAY_8; /* so there's no buffer overrun... */
++        /* take a wild guess... */
++        return TYPE_GRAY_8;
+     }
+ }
+ 

python-pillow.spec

@@ -5,7 +5,7 @@
  
 Name:           python-pillow
 Version:        9.0.1
-Release:        6
+Release:        7
 Summary:        Python image processing library 
 License:        MIT
 URL:            http://python-pillow.github.io/
@@ -13,6 +13,8 @@ Source0:        https://github.com/python-pillow/Pillow/archive/%{version}/Pillo
 Source1:        oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
 # https://github.com/python-pillow/Pillow/blob/c9f1b35/Tests/images/decompression_bomb_extents.gif
 Source2:        decompression_bomb_extents.gif
+# https://github.com/python-pillow/Pillow/blob/2a93aba/Tests/icc/sGrey-v2-nano.icc
+Source3:        sGrey-v2-nano.icc
 
 Patch0000:      python-pillow_spinxwarn.patch
 Patch0001:      python-pillow_sphinx-issues.patch
@@ -21,6 +23,7 @@ Patch0003:      CVE-2022-45199.patch
 Patch0004:      CVE-2023-44271.patch
 Patch0005:      CVE-2022-45198.patch
 Patch0006:      CVE-2023-50447.patch
+Patch0007:      CVE-2024-28219.patch
 
 BuildRequires:  freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel
 BuildRequires:  libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
@@ -104,6 +107,7 @@ Qt pillow image wrapper.
 %build
 cp %{SOURCE1} Tests/images/
 cp %{SOURCE2} Tests/images/
+cp %{SOURCE3} Tests/icc/
 
 %py3_build
 
@@ -160,6 +164,9 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
 %{python3_sitearch}/PIL/__pycache__/ImageQt*
 
 %changelog
+* Sun Apr 07 2024 wangkai <13474090681@163.com> - 9.0.1-7
+- Fix CVE-2024-28219
+
 * Wed Jan 24 2024 wangkai <13474090681@163.com> - 9.0.1-6
 - Fix CVE-2023-50447