!133 [sync] PR-130: fix CVE-2023-44271

From: @openeuler-sync-bot Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2023-11-14 08:41:26 +00:00 · 2023-11-14 08:41:26 +00:00 · b12a8f7b77
commit b12a8f7b77
parent 58d504085b a2a58337f3
2 changed files with 169 additions and 1 deletions
--- a/CVE-2023-44271.patch
+++ b/CVE-2023-44271.patch
@ -0,0 +1,161 @@
+From 1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Fri, 30 Jun 2023 23:32:26 +1000
+Subject: [PATCH] Added ImageFont.MAX_STRING_LENGTH
+
+---
+ Tests/test_imagefont.py      | 21 +++++++++++++++++++++
+ docs/reference/ImageFont.rst | 18 ++++++++++++++++++
+ src/PIL/ImageFont.py         | 16 ++++++++++++++++
+ 3 files changed, 55 insertions(+)
+
+diff --git a/Tests/test_imagefont.py b/Tests/test_imagefont.py
+index 0d423aa..5afa0bc 100644
+--- a/Tests/test_imagefont.py
+++ b/Tests/test_imagefont.py
+@@ -990,6 +990,27 @@ class TestImageFont:
+ 
+         assert_image_similar_tofile(im, "Tests/images/colr_bungee_mask.png", 22)
+ 
+    def test_too_many_characters(self):
+        font = self.get_font()
+        with pytest.raises(ValueError):
+            font.getlength("A" * 1000001)
+        with pytest.raises(ValueError):
+            font.getbbox("A" * 1000001)
+        with pytest.raises(ValueError):
+            font.getsize("A" * 1000001)
+        with pytest.raises(ValueError):
+            font.getoffset("A" * 1000001)
+        with pytest.raises(ValueError):
+            font.getmask2("A" * 1000001)
+    
+        transposed_font = ImageFont.TransposedFont(font)
+        with pytest.raises(ValueError):
+            transposed_font.getsize("A" * 1000001)
+    
+        default_font = ImageFont.load_default()
+        with pytest.raises(ValueError):
+            default_font.getsize("A" * 1000001)
+
+ 
+ @skip_unless_feature("raqm")
+ class TestImageFont_RaqmLayout(TestImageFont):
+diff --git a/docs/reference/ImageFont.rst b/docs/reference/ImageFont.rst
+index 5f718ce..12edaf9 100644
+--- a/docs/reference/ImageFont.rst
+++ b/docs/reference/ImageFont.rst
+@@ -18,6 +18,15 @@ OpenType fonts (as well as other font formats supported by the FreeType
+ library). For earlier versions, TrueType support is only available as part of
+ the imToolkit package.
+ 
+.. warning::
+    To protect against potential DOS attacks when using arbitrary strings as
+    text input, Pillow will raise a ``ValueError`` if the number of characters
+    is over a certain limit, :py:data:`MAX_STRING_LENGTH`.
+
+    This threshold can be changed by setting
+    :py:data:`MAX_STRING_LENGTH`. It can be disabled by setting
+    ``ImageFont.MAX_STRING_LENGTH = None``.
+
+ Example
+ -------
+ 
+@@ -72,3 +81,12 @@ Constants
+ 
+     Requires Raqm, you can check support using
+     :py:func:`PIL.features.check_feature` with ``feature="raqm"``.
+
+Constants
+---------
+
+.. data:: MAX_STRING_LENGTH
+
+    Set to 1,000,000, to protect against potential DOS attacks. Pillow will
+    raise a ``ValueError`` if the number of characters is over this limit. The
+    check can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.
+diff --git a/src/PIL/ImageFont.py b/src/PIL/ImageFont.py
+index 805c8ff..e0b7167 100644
+--- a/src/PIL/ImageFont.py
+++ b/src/PIL/ImageFont.py
+@@ -43,12 +43,21 @@ class _imagingft_not_installed:
+         raise ImportError("The _imagingft C module is not installed")
+ 
+ 
+MAX_STRING_LENGTH = 1000000
+
+
+ try:
+     from . import _imagingft as core
+ except ImportError:
+     core = _imagingft_not_installed()
+ 
+ 
+def _string_length_check(text):
+    if MAX_STRING_LENGTH is not None and len(text) > MAX_STRING_LENGTH:
+        msg = "too many characters in string"
+        raise ValueError(msg)
+
+
+ # FIXME: add support for pilfont2 format (see FontFile.py)
+ 
+ # --------------------------------------------------------------------
+@@ -125,6 +134,7 @@ class ImageFont:
+ 
+         :return: (width, height)
+         """
+        _string_length_check(text)
+         return self.font.getsize(text)
+ 
+     def getmask(self, text, mode="", *args, **kwargs):
+@@ -297,6 +307,7 @@ class FreeTypeFont:
+ 
+         :return: Width for horizontal, height for vertical text.
+         """
+        _string_length_check(text)
+         return self.font.getlength(text, mode, direction, features, language) / 64
+ 
+     def getbbox(
+@@ -356,6 +367,7 @@ class FreeTypeFont:
+ 
+         :return: ``(left, top, right, bottom)`` bounding box
+         """
+        _string_length_check(text)
+         size, offset = self.font.getsize(
+             text, mode, direction, features, language, anchor
+         )
+@@ -418,6 +430,7 @@ class FreeTypeFont:
+         """
+         # vertical offset is added for historical reasons
+         # see https://github.com/python-pillow/Pillow/pull/4910#discussion_r486682929
+        _string_length_check(text)
+         size, offset = self.font.getsize(text, "L", direction, features, language)
+         return (
+             size[0] + stroke_width * 2,
+@@ -494,6 +507,7 @@ class FreeTypeFont:
+ 
+         :return: A tuple of the x and y offset
+         """
+        _string_length_check(text)
+         return self.font.getsize(text)[1]
+ 
+     def getmask(
+@@ -655,6 +669,7 @@ class FreeTypeFont:
+                  :py:mod:`PIL.Image.core` interface module, and the text offset, the
+                  gap between the starting coordinate and the first marking
+         """
+        _string_length_check(text)
+         size, offset = self.font.getsize(
+             text, mode, direction, features, language, anchor
+         )
+@@ -758,6 +773,7 @@ class TransposedFont:
+         self.orientation = orientation  # any 'transpose' argument, or None
+ 
+     def getsize(self, text, *args, **kwargs):
+        _string_length_check(text)
+         w, h = self.font.getsize(text)
+         if self.orientation in (Image.ROTATE_90, Image.ROTATE_270):
+             return h, w
+-- 
+2.33.0
+
--- a/python-pillow.spec
+++ b/python-pillow.spec
@ -5,7 +5,7 @@
 
 Name:           python-pillow
 Version:        9.0.1
-Release:        3
+Release:        4
 Summary:        Python image processing library 
 License:        MIT
 URL:            http://python-pillow.github.io/
@ -17,6 +17,7 @@ Patch1:         python-pillow_sphinx-issues.patch

 Patch6000:      backport-Corrected-memory-allocation.patch
 Patch6001:      CVE-2022-45199.patch
+Patch6002:      CVE-2023-44271.patch

 BuildRequires:  freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel
 BuildRequires:  libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
@ -155,6 +156,12 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
 %{python3_sitearch}/PIL/__pycache__/ImageQt*

 %changelog
+* Tue Nov 14 2023 hanhuihui <hanhuihui5@huawei.com> - 9.0.1-4
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC: fix CVE-2023-44271
+
 * Thu Nov 17 2022 qz_cx <wangqingzheng@kylinos.cn> - 9.0.1-3
 - Type:CVE
 - ID:NA