1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
From 9e08eb8f78fdfd2f476e1b20b7cf38683754866b Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <hugovk@users.noreply.github.com>
Date: Mon, 23 Aug 2021 19:10:49 +0300
Subject: [PATCH] Raise ValueError if color specifier is too long
CVE: CVE-2021-23437
Upstream-Status: Backport
(https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
---
Tests/test_imagecolor.py | 9 +++++++++
src/PIL/ImageColor.py | 2 ++
2 files changed, 11 insertions(+)
diff --git a/Tests/test_imagecolor.py b/Tests/test_imagecolor.py
index b5d69379..dbe8b9e9 100644
--- a/Tests/test_imagecolor.py
+++ b/Tests/test_imagecolor.py
@@ -191,3 +191,12 @@ def test_rounding_errors():
assert (255, 255) == ImageColor.getcolor("white", "LA")
assert (163, 33) == ImageColor.getcolor("rgba(0, 255, 115, 33)", "LA")
Image.new("LA", (1, 1), "white")
+
+
+def test_color_too_long():
+ # Arrange
+ color_too_long = "hsl(" + "1" * 100 + ")"
+
+ # Act / Assert
+ with pytest.raises(ValueError):
+ ImageColor.getrgb(color_too_long)
diff --git a/src/PIL/ImageColor.py b/src/PIL/ImageColor.py
index 51df4404..25f92f2c 100644
--- a/src/PIL/ImageColor.py
+++ b/src/PIL/ImageColor.py
@@ -32,6 +32,8 @@ def getrgb(color):
:param color: A color string
:return: ``(red, green, blue[, alpha])``
"""
+ if len(color) > 100:
+ raise ValueError("color specifier is too long")
color = color.lower()
rgb = colormap.get(color, None)
--
2.33.0
|
