From 92dfff079592a4905accf28c6b3e76c4945bd65c Mon Sep 17 00:00:00 2001
From: dongyuzhen <dongyuzhen@h-partners.com>
Date: Wed, 20 Apr 2022 11:43:03 +0800
Subject: [PATCH] fix memory allocation

---
 backport-Corrected-memory-allocation.patch | 30 ++++++++++++++++++++++
 python-pillow.spec                         |  7 ++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 backport-Corrected-memory-allocation.patch

diff --git a/backport-Corrected-memory-allocation.patch b/backport-Corrected-memory-allocation.patch
new file mode 100644
index 0000000..798fb62
--- /dev/null
+++ b/backport-Corrected-memory-allocation.patch
@@ -0,0 +1,30 @@
+From fe32501922ef5e1be9a7d307132719bd5d52ca35 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Fri, 14 Jan 2022 10:16:35 +1100
+Subject: [PATCH] Corrected allocation
+
+Conflict:NA
+Reference:https://github.com/python-pillow/Pillow/pull/5958/commits/fe32501922ef5e1be9a7d307132719bd5d52ca35
+
+This patch is the rear patch of CVE-2022-22815,CVE-2022-22816
+
+---
+ src/path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/path.c b/src/path.c
+index dea274e..1180406 100644
+--- a/src/path.c
++++ b/src/path.c
+@@ -57,7 +57,7 @@ alloc_array(Py_ssize_t count) {
+     if ((unsigned long long)count > (SIZE_MAX / (2 * sizeof(double))) - 1) {
+         return ImagingError_MemoryError();
+     }
+-    xy = calloc(2 * count * sizeof(double) + 1, sizeof(double));
++    xy = calloc(2 * count + 1, sizeof(double));
+     if (!xy) {
+         ImagingError_MemoryError();
+     }
+-- 
+2.27.0
+
diff --git a/python-pillow.spec b/python-pillow.spec
index 955331f..b0120af 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -5,7 +5,7 @@
  
 Name:           python-pillow
 Version:        9.0.1
-Release:        1
+Release:        2
 Summary:        Python image processing library 
 License:        MIT
 URL:            http://python-pillow.github.io/
@@ -14,6 +14,8 @@ Source0:        https://github.com/python-pillow/Pillow/archive/%{version}/Pillo
 Patch0:         python-pillow_spinxwarn.patch
 Patch1:         python-pillow_sphinx-issues.patch
 
+Patch6000:      backport-Corrected-memory-allocation.patch
+
 BuildRequires:  freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel
 BuildRequires:  libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
 BuildRequires:  python3-qt5 python3-setuptools python3-tkinter gcc
@@ -150,6 +152,9 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
 %{python3_sitearch}/PIL/__pycache__/ImageQt*
 
 %changelog
+* Wed Apr 20 2022 dongyuzhen <dongyuzhen@h-partners.com> - 9.0.1-2
+- correct memory allocation in alloc_array (this is the rear patch of CVE-2022-22815,CVE-2022-22816)
+
 * Thu Mar 3 2022 hanhui <hanhui15@h-partners.com> - 9.0.1-1
 - DESC:update to Pillow-9.0.1
 
-- 
Gitee