From 88568682bc5f11b9b723f5bd71e9b6c25cffa021 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Fri, 8 Dec 2023 15:23:18 +0800
Subject: [PATCH] fix memory allocation
(cherry picked from commit e2f3bbdb128a427ed5189cd073f2b3eeda67f49c)
---
 backport-Corrected-memory-allocation.patch | 30 ++++++++++++++++++++++
 python-pillow.spec | 12 ++++++---
 2 files changed, 38 insertions(+), 4 deletions(-)
 create mode 100644 backport-Corrected-memory-allocation.patch
diff --git a/backport-Corrected-memory-allocation.patch b/backport-Corrected-memory-allocation.patch
new file mode 100644
index 0000000..798fb62
--- /dev/null
+++ b/backport-Corrected-memory-allocation.patch
@@ -0,0 +1,30 @@
+From fe32501922ef5e1be9a7d307132719bd5d52ca35 Mon Sep 17 00:00:00 2001
+From: Andrew Murray
+Date: Fri, 14 Jan 2022 10:16:35 +1100
+Subject: [PATCH] Corrected allocation
+
+Conflict:NA
+Reference:https://github.com/python-pillow/Pillow/pull/5958/commits/fe32501922ef5e1be9a7d307132719bd5d52ca35
+
+This patch is the rear patch of CVE-2022-22815,CVE-2022-22816
+
+---
+ src/path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/path.c b/src/path.c
+index dea274e..1180406 100644
+--- a/src/path.c
++++ b/src/path.c
+@@ -57,7 +57,7 @@ alloc_array(Py_ssize_t count) {
+ if ((unsigned long long)count > (SIZE_MAX / (2 * sizeof(double))) - 1) {
+ return ImagingError_MemoryError();
+ }
+- xy = calloc(2 * count * sizeof(double) + 1, sizeof(double));
++ xy = calloc(2 * count + 1, sizeof(double));
+ if (!xy) {
+ ImagingError_MemoryError();
+ }
+--
+2.27.0
+
diff --git a/python-pillow.spec b/python-pillow.spec
index 0c7bff1..36a3bc5 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -5,7 +5,7 @@ Name: python-pillow
 Version: 9.0.1
-Release: 4
+Release: 5
 Summary: Python image processing library
 License: MIT
 URL: http://python-pillow.github.io/
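Review bot: In the src/path.c hunk embedded in backport-Corrected-memory-allocation.patch, the corrected `xy = calloc(2 * count + 1, sizeof(double));` has no comment saying that its first argument is an element count while the guard two lines above is computed in bytes. That unit mix-up is what the removed line got wrong: it scaled by `sizeof(double)` in the first argument and again through calloc's second. I would add above the call `/* first argument is an element count: 2 doubles per point, +1 as before; the guard above keeps (2 * count + 1) * sizeof(double) within SIZE_MAX */`. A negative `count` appears to be rejected only through the `(unsigned long long)` cast in that guard. alloc_array starts and ends outside the hunk, so confirm whether an explicit `count < 0` check precedes it.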
@@ -16,9 +16,10 @@ Source2: decompression_bomb_extents.gif
 Patch0000: python-pillow_spinxwarn.patch
 Patch0001: python-pillow_sphinx-issues.patch
-Patch0002: CVE-2022-45199.patch
-Patch0003: CVE-2023-44271.patch
-Patch0004: CVE-2022-45198.patch
+Patch0002: backport-Corrected-memory-allocation.patch
+Patch0003: CVE-2022-45199.patch
+Patch0004: CVE-2023-44271.patch
+Patch0005: CVE-2022-45198.patch
 BuildRequires: freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libraqm-devel libtiff-devel
 BuildRequires: libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
@@ -152,6 +153,9 @@ popd
 %{python3_sitearch}/PIL/__pycache__/ImageQt*
 %changelog
+* Fri Dec 08 2023 wangkai <13474090681@163.com> - 9.0.1-5
+- correct memory allocation in alloc_array (this is the rear patch of CVE-2022-22815,CVE-2022-22816)
+
 * Thu Dec 07 2023 wangkai <13474090681@163.com> - 9.0.1-4
 - Fix CVE-2022-45198
-- 
Gitee
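Review bot: Inserting the backport as `Patch0002` in the python-pillow.spec patch list renumbers the three CVE patches, yet nothing in this diff touches `%prep`. If the spec applies patches with explicit per-number `%patch` lines rather than `%autosetup` or `%autopatch` (not visible here), the CVE-2022-45198 fix now at `Patch0005` would stop being applied without any build failure. Appending the new file as `Patch0005: backport-Corrected-memory-allocation.patch` would leave the existing numbers untouched. If it has to apply before the CVE patches, a spec comment such as `# must precede the CVE patches: <reason>` would record why.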