From 6790f1869a357b7da1d7bae006d32e14821fea5d Mon Sep 17 00:00:00 2001
From: Felipe Rosa de Almeida
Date: Sun, 16 Jan 2022 19:11:21 -0300
Subject: [PATCH] Forbid lambda expressions in ImageMath.eval()

---
 Tests/test_imagemath.py | 5 +++--
 src/PIL/ImageMath.py    | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
index 25811aa89d7..924f1ebd63b 100644
--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
@@ -52,9 +52,10 @@ def test_ops():
     assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
 
 
-def test_prevent_exec():
+@pytest.mark.parametrize("expression", ("exec('pass')", "(lambda: None)()"))
+def test_prevent_exec(expression):
     with pytest.raises(ValueError):
-        ImageMath.eval("exec('pass')")
+        ImageMath.eval(expression)
 
 
 def test_logical():
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
index 4b6e4ccda3a..968099fedc4 100644
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@@ -244,6 +244,9 @@ def eval(expression, _dict={}, **kw):
     for name in code.co_names:
         if name not in args and name != "abs":
             raise ValueError(f"'{name}' not allowed")
+    for const in code.co_consts:
+        if getattr(const, "co_name", None) == "":
+            raise ValueError("Lambda expressions are not allowed")
 
     out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
     try:
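Review bot: The new parametrize case `"(lambda: None)()"` only pins a bare lambda, so this test would still pass against an `ImageMath.eval` that lets every other kind of nested code object through. A generator expression is also compiled to its own code object whose names are not in the outer `co_names`, so a case such as `"[*(exec('pass') for _ in [1])]"` would exercise the real intent of the check and, as far as I can tell, fails with the implementation in this commit. I would add it to the tuple next to the lambda case, e.g. `("exec('pass')", "(lambda: None)()", "[*(exec('pass') for _ in [1])]")`, and keep the assertion as `pytest.raises(ValueError)`. Tests that use a comprehension instead should be aware that comprehensions are inlined from Python 3.12, so they no longer produce a separate code object.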
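Review bot: The added loop over `code.co_consts` looks one level deep and only at code objects whose `co_name` matches the lambda marker, but a generator expression (and, before Python 3.12, a list/set/dict comprehension) is also a nested code object whose `co_names` are never compared against `args` by the preceding loop, so an expression like `[*(exec('pass') for _ in [1])]` appears to reach `builtins.eval` untouched; the robust fix is to walk nested code objects recursively and apply the same name allow-list to each, rather than special-casing lambdas. Independently, the unchanged context line passes `{"__builtins": {"abs": abs}}` as globals — the key is missing its trailing underscores, so CPython inserts the real `__builtins__` module and the intended restriction to `abs` is not in effect; it should read `{"__builtins__": {"abs": abs}}`. Note also that the comparison value renders as `""` on this page, presumably `<lambda>` lost in rendering; if the literal really were empty the new check would never fire, since lambda code objects are named `<lambda>`. The enclosing `eval` begins before this hunk, so `code` and `args` are defined outside what is shown.
```python
    # … unchanged: args namespace construction and compile() of expression …
    def _check(code_obj):
        # Apply the name allow-list to every nested code object, not only the
        # top-level expression: lambdas, generator expressions and (pre-3.12)
        # comprehensions each carry their own co_names.
        for name in code_obj.co_names:
            if name not in args and name != "abs":
                raise ValueError(f"'{name}' not allowed")
        for const in code_obj.co_consts:
            if isinstance(const, type(code)):
                _check(const)

    _check(code)

    out = builtins.eval(expression, {"__builtins__": {"abs": abs}}, args)
    # … unchanged: result handling …
```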