From 23598caeafce0af0dde8d1339cf5edff021f6823 Mon Sep 17 00:00:00 2001
From: Trevor Gamblin
Date: Fri, 28 Jan 2022 13:51:00 -0500
Subject: python3-pillow: fix CVE-2022-22815, 22816, 22817

Backport three patches from 9.0.0 upstream to fix CVES.

Signed-off-by: Trevor Gamblin
Signed-off-by: Armin Kuster
---
...0001-Handle-case-where-path-count-is-zero.patch | 77 ++++++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 meta-python/recipes-devtools/python/python3-pillow/0001-Handle-case-where-path-count-is-zero.patch
(limited to 'meta-python/recipes-devtools/python/python3-pillow/0001-Handle-case-where-path-count-is-zero.patch')
diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-Handle-case-where-path-count-is-zero.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-Handle-case-where-path-count-is-zero.patch
new file mode 100644
index 0000000000..4c4f3d51f5
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pillow/0001-Handle-case-where-path-count-is-zero.patch
@@ -0,0 +1,77 @@
+From c48271ab354db49cdbd740bc45e13be4f0f7993c Mon Sep 17 00:00:00 2001
+From: Andrew Murray
+Date: Mon, 6 Dec 2021 22:25:14 +1100
+Subject: [PATCH] Handle case where path count is zero
+
+CVE: CVE-2022-22816
+
+Upstream-Status: Backport
+(https://github.com/python-pillow/Pillow/pull/5920/commits/c48271ab354db49cdbd740bc45e13be4f0f7993c)
+
+Signed-off-by: Trevor Gamblin
+
+---
+ Tests/test_imagepath.py | 1 +
+ src/path.c | 33 +++++++++++++++++++--------------
+ 2 files changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/Tests/test_imagepath.py b/Tests/test_imagepath.py
+index cd850bb1..b18271cc 100644
+--- a/Tests/test_imagepath.py
++++ b/Tests/test_imagepath.py
+@@ -90,6 +90,7 @@ def test_path_odd_number_of_coordinates():
+ [
+ ([0, 1, 2, 3], (0.0, 1.0, 2.0, 3.0)),
+ ([3, 2, 1, 0], (1.0, 0.0, 3.0, 2.0)),
++ (0, (0.0, 0.0, 0.0, 0.0)),
+ (1, (0.0, 0.0, 0.0, 0.0)),
+ ],
+ )
+diff --git a/src/path.c b/src/path.c
+index 64c767cb..dea274ee 100644
+--- a/src/path.c
++++ b/src/path.c
+@@ -327,21 +327,26 @@ path_getbbox(PyPathObject *self, PyObject *args) {
+
+ xy = self->xy;
+
+- x0 = x1 = xy[0];
+- y0 = y1 = xy[1];
++ if (self->count == 0) {
++ x0 = x1 = 0;
++ y0 = y1 = 0;
++ } else {
++ x0 = x1 = xy[0];
++ y0 = y1 = xy[1];
+
+- for (i = 1; i < self->count; i++) {
+- if (xy[i + i] < x0) {
+- x0 = xy[i + i];
+- }
+- if (xy[i + i] > x1) {
+- x1 = xy[i + i];
+- }
+- if (xy[i + i + 1] < y0) {
+- y0 = xy[i + i + 1];
+- }
+- if (xy[i + i + 1] > y1) {
+- y1 = xy[i + i + 1];
++ for (i = 1; i < self->count; i++) {
++ if (xy[i + i] < x0) {
++ x0 = xy[i + i];
++ }
++ if (xy[i + i] > x1) {
++ x1 = xy[i + i];
++ }
++ if (xy[i + i + 1] < y0) {
++ y0 = xy[i + i + 1];
++ }
++ if (xy[i + i + 1] > y1) {
++ y1 = xy[i + i + 1];
++ }
+ }
+ }
+
+--
+2.33.0
+
-- cgit v1.2.3-54-g00ecf
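Review bot: The embedded patch header carries only `CVE: CVE-2022-22816`, while the commit subject claims fixes for CVE-2022-22815 and CVE-2022-22817 as well. This view is limited to one path, so it is worth confirming that the other two backports carry their own `CVE:` lines and that all three are listed in the recipe's `SRC_URI`, since cve-check marks a CVE as patched from those tags. In the `src/path.c` hunk the new `if (self->count == 0)` branch stops `path_getbbox` from reading `xy[0]`/`xy[1]` on an empty path, but the added test case `(0, (0.0, 0.0, 0.0, 0.0))` only compares the returned tuple, so a regression would be caught reliably only when the test runs under a memory checker such as ASan or valgrind. The `Upstream-Status: Backport` URL sits on its own line in parentheses; the usual form is a single line, `Upstream-Status: Backport [<upstream commit URL>]`. `path_getbbox` starts and ends outside the hunk, so how `xy` is allocated and whether `count` can be negative are not visible here.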