new file mode 100644
@@ -0,0 +1,156 @@
+From 1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 Mon Sep 17 00:00:00 2001
+From: Andrew Murray <radarhere@users.noreply.github.com>
+Date: Fri, 30 Jun 2023 23:32:26 +1000
+Subject: [PATCH] Added ImageFont.MAX_STRING_LENGTH
+
+Upstream-status: Backport [https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7]
+CVE: CVE-2023-44271
+Comment: Refresh hunk for test_imagefont.py, ImageFont.py and
+Remove hunk 10.0.0.rst because in our version it is 9.4.0
+
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+Signed-off-by: Dnyandev Padalkar <padalkards17082001@gmail.com>
+---
+ Tests/test_imagefont.py | 19 +++++++++++++++++++
+ docs/reference/ImageFont.rst | 18 ++++++++++++++++++
+ src/PIL/ImageFont.py | 15 +++++++++++++++
+ 3 files changed, 52 insertions(+)
+
+diff --git a/Tests/test_imagefont.py b/Tests/test_imagefont.py
+index 7fa8ff8cbfd..c50447a153d 100644
+--- a/Tests/test_imagefont.py
++++ b/Tests/test_imagefont.py
+@@ -1107,6 +1107,25 @@
+ assert_image_equal_tofile(im, "Tests/images/text_mono.gif")
+
+
++def test_too_many_characters(font):
++ with pytest.raises(ValueError):
++ font.getlength("A" * 1000001)
++ with pytest.raises(ValueError):
++ font.getbbox("A" * 1000001)
++ with pytest.raises(ValueError):
++ font.getmask2("A" * 1000001)
++
++ transposed_font = ImageFont.TransposedFont(font)
++ with pytest.raises(ValueError):
++ transposed_font.getlength("A" * 1000001)
++
++ default_font = ImageFont.load_default()
++ with pytest.raises(ValueError):
++ default_font.getlength("A" * 1000001)
++ with pytest.raises(ValueError):
++ default_font.getbbox("A" * 1000001)
++
++
+ @pytest.mark.parametrize(
+ "test_file",
+ [
+diff --git a/docs/reference/ImageFont.rst b/docs/reference/ImageFont.rst
+index 946bd3c4bed..2abfa0cc997 100644
+--- a/docs/reference/ImageFont.rst
++++ b/docs/reference/ImageFont.rst
+@@ -18,6 +18,15 @@ OpenType fonts (as well as other font formats supported by the FreeType
+ library). For earlier versions, TrueType support is only available as part of
+ the imToolkit package.
+
++.. warning::
++ To protect against potential DOS attacks when using arbitrary strings as
++ text input, Pillow will raise a ``ValueError`` if the number of characters
++ is over a certain limit, :py:data:`MAX_STRING_LENGTH`.
++
++ This threshold can be changed by setting
++ :py:data:`MAX_STRING_LENGTH`. It can be disabled by setting
++ ``ImageFont.MAX_STRING_LENGTH = None``.
++
+ Example
+ -------
+
+@@ -73,3 +82,12 @@ Constants
+
+ Requires Raqm, you can check support using
+ :py:func:`PIL.features.check_feature` with ``feature="raqm"``.
++
++Constants
++---------
++
++.. data:: MAX_STRING_LENGTH
++
++ Set to 1,000,000, to protect against potential DOS attacks. Pillow will
++ raise a ``ValueError`` if the number of characters is over this limit. The
++ check can be disabled by setting ``ImageFont.MAX_STRING_LENGTH = None``.
+diff --git a/src/PIL/ImageFont.py b/src/PIL/ImageFont.py
+index 3ddc1aaad64..1030985ebc4 100644
+--- a/src/PIL/ImageFont.py
++++ b/src/PIL/ImageFont.py
+@@ -43,6 +43,9 @@
+ RAQM = 1
+
+
++MAX_STRING_LENGTH = 1000000
++
++
+ def __getattr__(name):
+ for enum, prefix in {Layout: "LAYOUT_"}.items():
+ if name.startswith(prefix):
+@@ -67,6 +67,12 @@
+ core = _ImagingFtNotInstalled()
+
+
++def _string_length_check(text):
++ if MAX_STRING_LENGTH is not None and len(text) > MAX_STRING_LENGTH:
++ msg = "too many characters in string"
++ raise ValueError(msg)
++
++
+ _UNSPECIFIED = object()
+
+
+@@ -192,6 +192,7 @@
+
+ :return: ``(left, top, right, bottom)`` bounding box
+ """
++ _string_length_check(text)
+ width, height = self.font.getsize(text)
+ return 0, 0, width, height
+
+@@ -202,6 +202,7 @@
+
+ .. versionadded:: 9.2.0
+ """
++ _string_length_check(text)
+ width, height = self.font.getsize(text)
+ return width
+
+@@ -359,6 +359,7 @@
+
+ :return: Width for horizontal, height for vertical text.
+ """
++ _string_length_check(text)
+ return self.font.getlength(text, mode, direction, features, language) / 64
+
+ def getbbox(
+@@ -418,6 +418,7 @@
+
+ :return: ``(left, top, right, bottom)`` bounding box
+ """
++ _string_length_check(text)
+ size, offset = self.font.getsize(
+ text, mode, direction, features, language, anchor
+ )
+@@ -762,6 +762,7 @@
+ :py:mod:`PIL.Image.core` interface module, and the text offset, the
+ gap between the starting coordinate and the first marking
+ """
++ _string_length_check(text)
+ if fill is _UNSPECIFIED:
+ fill = Image.core.fill
+ else:
+@@ -924,6 +924,7 @@
+ if self.orientation in (Image.Transpose.ROTATE_90, Image.Transpose.ROTATE_270):
+ msg = "text length is undefined for text rotated by 90 or 270 degrees"
+ raise ValueError(msg)
++ _string_length_check(text)
+ return self.font.getlength(text, *args, **kwargs)
+
+
@@ -9,6 +9,7 @@ SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https
file://0001-support-cross-compiling.patch \
file://0001-explicitly-set-compile-options.patch \
file://run-ptest \
+ file://CVE-2023-44271.patch \
"
SRCREV ?= "82541b6dec8452cb612067fcebba1c5a1a2bfdc8"
Add patch to fix CVE-2023-44271 Reference: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 Signed-off-by: Dnyandev Padalkar <padalkards17082001@gmail.com> --- .../python3-pillow/CVE-2023-44271.patch | 156 ++++++++++++++++++ .../python/python3-pillow_9.4.0.bb | 1 + 2 files changed, 157 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-pillow/CVE-2023-44271.patch