From 47c0d20381bd469d8e597459a90f68b51a004e21 Mon Sep 17 00:00:00 2001
From: peng2285 <jiangpeng01@ncti-gba.cn>
Date: Wed, 23 Nov 2022 16:43:04 +0800
Subject: [PATCH] fix CVE-2022-45199

---
 CVE-2022-45199.patch                          |  79 ++++++++++++++++++
 ...5817ca0f8c663be7ab4b9e717b02c661e66834.tif | Bin 0 -> 88 bytes
 python-pillow.spec                            |  15 ++--
 3 files changed, 89 insertions(+), 5 deletions(-)
 create mode 100644 CVE-2022-45199.patch
 create mode 100644 oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif

diff --git a/CVE-2022-45199.patch b/CVE-2022-45199.patch
new file mode 100644
index 0000000..2173fc7
--- /dev/null
+++ b/CVE-2022-45199.patch
@@ -0,0 +1,79 @@
+From 9ae8f6b7aa8ea4638cb675267cd20c5425dcfafc Mon Sep 17 00:00:00 2001
+From: qz_cx <wangqingzheng@kylinos.cn>
+Date: Thu, 17 Nov 2022 10:28:59 +0800
+Subject: [PATCH] Merge pull request #6700 from
+ hugovk/security-samples_per_pixel-sec
+
+hugovk committed
+Prevent DOS with large SAMPLESPERPIXEL in Tiff IFD
+A large value in the SAMPLESPERPIXEL tag could lead to a memory and
+runtime DOS in TiffImagePlugin.py when setting up the context for
+image decoding.
+---
+ Tests/test_file_tiff.py    | 14 +++++++++++++-
+ src/PIL/TiffImagePlugin.py | 10 ++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/Tests/test_file_tiff.py b/Tests/test_file_tiff.py
+index 5801e17..57fabfa 100644
+--- a/Tests/test_file_tiff.py
++++ b/Tests/test_file_tiff.py
+@@ -3,7 +3,7 @@ from io import BytesIO
+ 
+ import pytest
+ 
+-from PIL import Image, ImageFile, TiffImagePlugin
++from PIL import Image, ImageFile, TiffImagePlugin, UnidentifiedImageError
+ from PIL.TiffImagePlugin import RESOLUTION_UNIT, X_RESOLUTION, Y_RESOLUTION
+ 
+ from .helper import (
+@@ -734,6 +734,18 @@ class TestFileTiff:
+             im.load()
+             ImageFile.LOAD_TRUNCATED_IMAGES = False
+ 
++    @pytest.mark.parametrize(
++        "test_file",
++        [
++            "Tests/images/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif",
++        ],
++    )
++    @pytest.mark.timeout(2)
++    def test_oom(self, test_file):
++        with pytest.raises(UnidentifiedImageError):
++            with pytest.warns(UserWarning):
++                with Image.open(test_file):
++                    pass
+ 
+ @pytest.mark.skipif(not is_win32(), reason="Windows only")
+ class TestFileTiffW32:
+diff --git a/src/PIL/TiffImagePlugin.py b/src/PIL/TiffImagePlugin.py
+index 5df5c4f..f2afe63 100644
+--- a/src/PIL/TiffImagePlugin.py
++++ b/src/PIL/TiffImagePlugin.py
+@@ -252,6 +252,8 @@ OPEN_INFO = {
+     (MM, 8, (1,), 1, (8, 8, 8), ()): ("LAB", "LAB"),
+ }
+ 
++MAX_SAMPLESPERPIXEL = max(len(key_tp[4]) for key_tp in OPEN_INFO.keys())
++
+ PREFIXES = [
+     b"MM\x00\x2A",  # Valid TIFF header with big-endian byte order
+     b"II\x2A\x00",  # Valid TIFF header with little-endian byte order
+@@ -1310,6 +1312,14 @@ class TiffImageFile(ImageFile.ImageFile):
+             SAMPLESPERPIXEL,
+             3 if self._compression == "tiff_jpeg" and photo in (2, 6) else 1,
+         )
++
++        if samplesPerPixel > MAX_SAMPLESPERPIXEL:
++            # DOS check, samplesPerPixel can be a Long, and we extend the tuple below
++            logger.error(
++                "More samples per pixel than can be decoded: %s", samplesPerPixel
++            )
++            raise SyntaxError("Invalid value for samples per pixel")
++
+         if len(bps_tuple) != samplesPerPixel:
+             raise SyntaxError("unknown data organization")
+ 
+-- 
+2.33.0
+
diff --git a/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif b/oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
new file mode 100644
index 0000000000000000000000000000000000000000..01dca594f53e22fda9b11ed5b704326680af1b8c
GIT binary patch
literal 88
zcmebD)MDUZU|`^8U|?isU<9(bfS3`=2FWl%*#bZ|Gn5Td$A-ifWn=;Cox~s{WCDf&
DV5<VW

literal 0
HcmV?d00001

diff --git a/python-pillow.spec b/python-pillow.spec
index b0120af..60bf515 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -5,16 +5,17 @@
  
 Name:           python-pillow
 Version:        9.0.1
-Release:        2
+Release:        3
 Summary:        Python image processing library 
 License:        MIT
 URL:            http://python-pillow.github.io/
 Source0:        https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
+Source1:        oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
 
-Patch0:         python-pillow_spinxwarn.patch
-Patch1:         python-pillow_sphinx-issues.patch
-
-Patch6000:      backport-Corrected-memory-allocation.patch
+Patch0000:      python-pillow_spinxwarn.patch
+Patch0001:      python-pillow_sphinx-issues.patch
+Patch0002:      backport-Corrected-memory-allocation.patch
+Patch0003:      CVE-2022-45199.patch
 
 BuildRequires:  freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel
 BuildRequires:  libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
@@ -96,6 +97,7 @@ Qt pillow image wrapper.
 %autosetup -p1 -n Pillow-%{version} 
  
 %build
+cp %{SOURCE1} Tests/images/
 
 %py3_build
 
@@ -152,6 +154,9 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
 %{python3_sitearch}/PIL/__pycache__/ImageQt*
 
 %changelog
+* Wed Nov 23 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 9.0.1-3
+- Fix CVE-2022-45199
+
 * Wed Apr 20 2022 dongyuzhen <dongyuzhen@h-partners.com> - 9.0.1-2
 - correct memory allocation in alloc_array (this is the rear patch of CVE-2022-22815,CVE-2022-22816)
 
-- 
Gitee