From 9c3b0840d60450cd520be07f36251bb3d9e3ddfd Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Thu, 7 Dec 2023 17:07:11 +0800
Subject: [PATCH] Fix CVE-2022-45198

---
 CVE-2022-45198.patch           |  41 +++++++++++++++++++++++++++++++++
 decompression_bomb_extents.gif | Bin 0 -> 368 bytes
 python-pillow.spec             |  22 +++++++++++-------
 3 files changed, 55 insertions(+), 8 deletions(-)
 create mode 100644 CVE-2022-45198.patch
 create mode 100644 decompression_bomb_extents.gif

diff --git a/CVE-2022-45198.patch b/CVE-2022-45198.patch
new file mode 100644
index 0000000..971d42a
--- /dev/null
+++ b/CVE-2022-45198.patch
@@ -0,0 +1,41 @@
+From 20c10c81927790c700480a67dc48aebe2228d6e2 Mon Sep 17 00:00:00 2001
+From: zhangshaoning <zhangshaoning@uniontech.com>
+Date: Sat, 6 May 2023 15:06:22 +0800
+Subject: [PATCH] CVE-2022-45198
+
+---
+ Tests/test_decompression_bomb.py            |   5 +++++
+ src/PIL/GifImagePlugin.py                   |   1 +
+ 2 files changed, 6 insertions(+)
+
+diff --git a/Tests/test_decompression_bomb.py b/Tests/test_decompression_bomb.py
+index d918ef9..18fed06 100644
+--- a/Tests/test_decompression_bomb.py
++++ b/Tests/test_decompression_bomb.py
+@@ -62,6 +62,11 @@ class TestDecompressionBomb:
+             with Image.open("Tests/images/decompression_bomb.gif"):
+                 pass
+ 
++    def test_exception_gif_extents(self):
++        with Image.open("Tests/images/decompression_bomb_extents.gif") as im:
++            with pytest.raises(Image.DecompressionBombError):
++                im.seek(1)
++
+     def test_exception_bmp(self):
+         with pytest.raises(Image.DecompressionBombError):
+             with Image.open("Tests/images/bmp/b/reallybig.bmp"):
+diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py
+index 8c2180b..04b567a 100644
+--- a/src/PIL/GifImagePlugin.py
++++ b/src/PIL/GifImagePlugin.py
+@@ -247,6 +247,7 @@ class GifImageFile(ImageFile.ImageFile):
+                 x1, y1 = x0 + i16(s, 4), y0 + i16(s, 6)
+                 if x1 > self.size[0] or y1 > self.size[1]:
+                     self._size = max(x1, self.size[0]), max(y1, self.size[1])
++                    Image._decompression_bomb_check(self._size)
+                 self.dispose_extent = x0, y0, x1, y1
+                 flags = s[8]
+ 
+-- 
+2.20.1
+
diff --git a/decompression_bomb_extents.gif b/decompression_bomb_extents.gif
new file mode 100644
index 0000000000000000000000000000000000000000..0d5ff03f525904d4bc29e3b22f70b45eb1c2cba7
GIT binary patch
literal 368
zcmZ?wbh9u|Okqf2XkcLY&j12CAOa-9z_E~lkweB~!-9j&9Ku>LCpIiR+%BN(HOFJ)
zqNCjs##whxY+QW2U%|Oc#&gq>lan=qSH+y%wDk0JgXB|lJU1^pJKLi8)t!@@m!F^S
z(99+4wPnS{#U7KjVoz;Zd3kxjVz0SgTUT9O9kDs<?y0S-udh!y+$HP1ZOzTi8JAbZ
zp5C_h_V$9ur{;QZUw3zR#phRdPj6p;e}4lrx17(84G#}@2y4fki70Sj(D@GpL&mk%
E0Q>d1uK)l5

literal 0
HcmV?d00001

diff --git a/python-pillow.spec b/python-pillow.spec
index 929af3d..5103337 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -5,19 +5,21 @@
  
 Name:           python-pillow
 Version:        9.0.1
-Release:        4
+Release:        5
 Summary:        Python image processing library 
 License:        MIT
 URL:            http://python-pillow.github.io/
 Source0:        https://github.com/python-pillow/Pillow/archive/%{version}/Pillow-%{version}.tar.gz
 Source1:        oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
+# https://github.com/python-pillow/Pillow/blob/c9f1b35/Tests/images/decompression_bomb_extents.gif
+Source2:        decompression_bomb_extents.gif
 
-Patch0:         python-pillow_spinxwarn.patch
-Patch1:         python-pillow_sphinx-issues.patch
-
-Patch6000:      backport-Corrected-memory-allocation.patch
-Patch6001:      CVE-2022-45199.patch
-Patch6002:      CVE-2023-44271.patch
+Patch0000:      python-pillow_spinxwarn.patch
+Patch0001:      python-pillow_sphinx-issues.patch
+Patch0002:      backport-Corrected-memory-allocation.patch
+Patch0003:      CVE-2022-45199.patch
+Patch0004:      CVE-2023-44271.patch
+Patch0005:      CVE-2022-45198.patch
 
 BuildRequires:  freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel
 BuildRequires:  libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
@@ -97,9 +99,10 @@ Provides:       python3-imaging-qt = %{version}-%{release}
 Qt pillow image wrapper.
 %prep
 %autosetup -p1 -n Pillow-%{version} 
-cp %{SOURCE1} Tests/images/
  
 %build
+cp %{SOURCE1} Tests/images/
+cp %{SOURCE2} Tests/images/
 
 %py3_build
 
@@ -156,6 +159,9 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
 %{python3_sitearch}/PIL/__pycache__/ImageQt*
 
 %changelog
+* Thu Dec 07 2023 wangkai <13474090681@163.com> - 9.0.1-5
+- Fix CVE-2022-45198
+
 * Tue Nov 14 2023 hanhuihui <hanhuihui5@huawei.com> - 9.0.1-4
 - Type:CVE
 - ID:NA
-- 
Gitee