From a4366cd743552f214981d1424593e67c9da749ca Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Wed, 3 Apr 2024 05:59:51 +0800
Subject: [PATCH] Fix CVE-2024-28219

(cherry picked from commit 153d5e6d363befe4ac93a207597edd0e4288f12c)
---
 CVE-2024-28219.patch |  55 +++++++++++++++++++++++++++++++++++++++++++
 python-pillow.spec   |   9 ++++++-
 sGrey-v2-nano.icc    | Bin 0 -> 290 bytes
 3 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-28219.patch
 create mode 100644 sGrey-v2-nano.icc

diff --git a/CVE-2024-28219.patch b/CVE-2024-28219.patch
new file mode 100644
index 0000000..8e92c3d
--- /dev/null
+++ b/CVE-2024-28219.patch
@@ -0,0 +1,55 @@
+From 2a93aba5cfcf6e241ab4f9392c13e3b74032c061 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Thu, 22 Feb 2024 18:56:26 +1100
+Subject: [PATCH] Use strncpy to avoid buffer overflow
+
+Origin: https://github.com/python-pillow/Pillow/commit/2a93aba5cfcf6e241ab4f9392c13e3b74032c061
+
+---
+ Tests/icc/sGrey-v2-nano.icc | Bin 0 -> 290 bytes
+ Tests/test_imagecms.py      |   5 +++++
+ src/_imagingcms.c           |   9 ++++-----
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+ create mode 100644 Tests/icc/sGrey-v2-nano.icc
+
+diff --git a/Tests/test_imagecms.py b/Tests/test_imagecms.py
+index c80fab75b67..fbd78032e59 100644
+--- a/Tests/test_imagecms.py
++++ b/Tests/test_imagecms.py
+@@ -593,3 +593,8 @@
+                 )
+
+                 assert_image_equal(test_image.convert(dst_format[2]), reference_image)
++
++
++def test_long_modes() -> None:
++    p = ImageCms.getOpenProfile("Tests/icc/sGrey-v2-nano.icc")
++    ImageCms.buildTransform(p, p, "ABCDEFGHI", "ABCDEFGHI")
+diff --git a/src/_imagingcms.c b/src/_imagingcms.c
+index 4d66dcc1085..84b8a7e71f9 100644
+--- a/src/_imagingcms.c
++++ b/src/_imagingcms.c
+@@ -201,8 +201,8 @@ cms_transform_new(cmsHTRANSFORM transform, char *mode_in, char *mode_out) {
+ 
+     self->transform = transform;
+ 
+-    strcpy(self->mode_in, mode_in);
+-    strcpy(self->mode_out, mode_out);
++    strncpy(self->mode_in, mode_in, 8);
++    strncpy(self->mode_out, mode_out, 8);
+ 
+     return (PyObject *)self;
+ }
+@@ -242,10 +242,9 @@ findLCMStype(char *PILmode) {
+         // LabX equivalent like ALab, but not reversed -- no #define in lcms2
+         return (COLORSPACE_SH(PT_LabV2) | CHANNELS_SH(3) | BYTES_SH(1) | EXTRA_SH(1));
+     }
+-
+     else {
+-        /* take a wild guess... but you probably should fail instead. */
+-        return TYPE_GRAY_8; /* so there's no buffer overrun... */
++        /* take a wild guess... */
++        return TYPE_GRAY_8;
+     }
+ }
+ 
diff --git a/python-pillow.spec b/python-pillow.spec
index de83c30..a172de9 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -5,7 +5,7 @@
  
 Name:           python-pillow
 Version:        9.0.1
-Release:        6
+Release:        7
 Summary:        Python image processing library 
 License:        MIT
 URL:            http://python-pillow.github.io/
@@ -13,6 +13,8 @@ Source0:        https://github.com/python-pillow/Pillow/archive/%{version}/Pillo
 Source1:        oom-225817ca0f8c663be7ab4b9e717b02c661e66834.tif
 # https://github.com/python-pillow/Pillow/blob/c9f1b35/Tests/images/decompression_bomb_extents.gif
 Source2:        decompression_bomb_extents.gif
+# https://github.com/python-pillow/Pillow/blob/2a93aba/Tests/icc/sGrey-v2-nano.icc
+Source3:        sGrey-v2-nano.icc
 
 Patch0000:      python-pillow_spinxwarn.patch
 Patch0001:      python-pillow_sphinx-issues.patch
@@ -21,6 +23,7 @@ Patch0003:      CVE-2022-45199.patch
 Patch0004:      CVE-2023-44271.patch
 Patch0005:      CVE-2022-45198.patch
 Patch0006:      CVE-2023-50447.patch
+Patch0007:      CVE-2024-28219.patch
 
 BuildRequires:  freetype-devel ghostscript lcms2-devel libimagequant-devel libjpeg-devel libtiff-devel
 BuildRequires:  libwebp-devel openjpeg2-devel tk-devel zlib-devel python3-cffi python3-devel python3-numpy python3-olefile
@@ -104,6 +107,7 @@ Qt pillow image wrapper.
 %build
 cp %{SOURCE1} Tests/images/
 cp %{SOURCE2} Tests/images/
+cp %{SOURCE3} Tests/icc/
 
 %py3_build
 
@@ -160,6 +164,9 @@ pytest --ignore=_build.python2 --ignore=_build.python3 --ignore=_build.pypy3 -v
 %{python3_sitearch}/PIL/__pycache__/ImageQt*
 
 %changelog
+* Sun Apr 07 2024 wangkai <13474090681@163.com> - 9.0.1-7
+- Fix CVE-2024-28219
+
 * Wed Jan 24 2024 wangkai <13474090681@163.com> - 9.0.1-6
 - Fix CVE-2023-50447
 
diff --git a/sGrey-v2-nano.icc b/sGrey-v2-nano.icc
new file mode 100644
index 0000000000000000000000000000000000000000..0e9edfd403182dd3ca815935cc85f33ec5dbd746
GIT binary patch
literal 290
zcmZQzU{uOU&MjsVU|`72D=Bgha*T|Kj8b5K#K6oT!obPE#~_=STwLHA>=wcR1jUKv
z#mOZ_IUqIye7nZL2;yDV%}C5k;hV$Xm^N{`e8QEs#kOw0V-V`FvRG15i<5yeTYxye
zyriH6NM8VAk?fElXCVCqh)t3Uih$yb5<oT=R6UT%z?$b?R0(3h0LbkS_U90=n;6AT
zCYKhKLFGk&X0S7DWzFU^;|mbkDAS;N!eF7Tq_;z~dd}^J?5U5}1{^!|$ngLFlGF;2
II~WWY0A|-bu>b%7

literal 0
HcmV?d00001

-- 
Gitee