From 88ec22f91ecc2794a40039fe6f3a1018e640b39b Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jul 28 2020 13:18:26 +0000
Subject: import python-pillow-5.1.1-12.el8_2


---

diff --git a/SOURCES/CVE-2020-11538.patch b/SOURCES/CVE-2020-11538.patch
new file mode 100644
index 0000000..e8cc8df
--- /dev/null
+++ b/SOURCES/CVE-2020-11538.patch
@@ -0,0 +1,56 @@
+From f91c78960495efa04c7f12eeb916158d4bfbabc4 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Mon, 13 Jul 2020 15:40:11 +0200
+Subject: [PATCH] CVE-2020-11538
+
+---
+ src/libImaging/SgiRleDecode.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c
+index 6367ae7..eb8fc84 100644
+--- a/src/libImaging/SgiRleDecode.c
++++ b/src/libImaging/SgiRleDecode.c
+@@ -28,6 +28,7 @@ static void read4B(UINT32* dest, UINT8* buf)
+ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+ {
+     UINT8 pixel, count;
++    int x = 0;
+ 
+     for (;n > 0; n--)
+     {
+@@ -37,9 +38,10 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)
+         count = pixel & RLE_MAX_RUN;
+         if (!count)
+             return count;
+-        if (count > xsize) {
++        if (x + count > xsize) {
+             return -1;
+         }
++        x += count;
+         if (pixel & RLE_COPY_FLAG) {
+             while(count--) {
+                 *dest = *src++;
+@@ -63,6 +65,7 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
+ {
+     UINT8 pixel, count;
+ 
++    int x = 0;
+ 
+     for (;n > 0; n--)
+     {
+@@ -73,9 +76,10 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)
+         count = pixel & RLE_MAX_RUN;
+         if (!count)
+             return count;
+-        if (count > xsize) {
++        if (x + count > xsize) {
+             return -1;
+         }
++        x += count;
+         if (pixel & RLE_COPY_FLAG) {
+             while(count--) {
+                 *dest = *src++;
+-- 
+2.26.2
+
diff --git a/SOURCES/CVE-2020-5313.patch b/SOURCES/CVE-2020-5313.patch
new file mode 100644
index 0000000..fe505e8
--- /dev/null
+++ b/SOURCES/CVE-2020-5313.patch
@@ -0,0 +1,38 @@
+From 697957b79a9473f0f643051265885fb048395127 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Wed, 4 Mar 2020 10:54:54 +0100
+Subject: [PATCH] CVE-2020-5313
+
+---
+ src/libImaging/FliDecode.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libImaging/FliDecode.c b/src/libImaging/FliDecode.c
+index a99aca8..72ba138 100644
+--- a/src/libImaging/FliDecode.c
++++ b/src/libImaging/FliDecode.c
+@@ -40,8 +40,7 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+ 	return 0;
+ 
+     /* We don't decode anything unless we have a full chunk in the
+-       input buffer (on the other hand, the Python part of the driver
+-       makes sure this is always the case) */
++       input buffer */
+ 
+     ptr = buf;
+ 
+@@ -52,6 +51,11 @@ ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes)
+     /* Make sure this is a frame chunk.  The Python driver takes
+        case of other chunk types. */
+ 
++    if (bytes < 8) {
++        state->errcode = IMAGING_CODEC_OVERRUN;
++        return -1;
++    }
++
+     if (I16(ptr+4) != 0xF1FA) {
+ 	state->errcode = IMAGING_CODEC_UNKNOWN;
+ 	return -1;
+-- 
+2.24.1
+
diff --git a/SPECS/python-pillow.spec b/SPECS/python-pillow.spec
index 2d786ca..2993cbb 100644
--- a/SPECS/python-pillow.spec
+++ b/SPECS/python-pillow.spec
@@ -8,7 +8,7 @@
 
 Name:           python-%{srcname}
 Version:        5.1.1
-Release:        10%{?dist}
+Release:        12%{?dist}
 Summary:        Python image processing library
 
 # License: see http://www.pythonware.com/products/pil/license.htm
@@ -32,6 +32,14 @@ Patch3:         CVE-2020-5312_CVE-2019-16865.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1789535
 # https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc54548f3
 Patch4:         CVE-2020-5311.patch
+# CVE-2020-11538 out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2
+# Upstream fix: https://github.com/python-pillow/Pillow/pull/4504/
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1852814
+Patch5:         CVE-2020-11538.patch
+# CVE-2020-5313 out-of-bounds read in ImagingFliDecode when loading FLI images
+# Upstream fix: https://github.com/python-pillow/Pillow/commit/a09acd0decd8a87ccce939d5ff65dab59e7d365b?patch
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1789532
+Patch6:         CVE-2020-5313.patch
 
 BuildRequires:  freetype-devel
 BuildRequires:  gcc
@@ -176,6 +184,14 @@ popd
 
 
 %changelog
+* Mon Jul 13 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-12
+- Fix for CVE-2020-5313
+Resolves: rhbz#1789532
+
+* Mon Jul 13 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-11
+- Fix for CVE-2020-11538
+Resolves: rhbz#1852814
+
 * Mon Feb 17 2020 Lumír Balhar <lbalhar@redhat.com> - 5.1.1-10
 - Bump and rebuild for gating to deliver CVE fixes
 Resolves: rhbz#1789535