From dd46100bdc7fbb6c2fb71008a49c40f081eb0c7c Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Mon, 10 Jan 2022 21:49:55 +1100
Subject: [PATCH] Restrict builtins within lambdas for ImageMath.eval

---
 Tests/test_imagemath.py | 12 ++++++++++--
 src/PIL/ImageMath.py    | 15 +++++++++++----
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py
index 25811aa89d7..39d91eadea6 100644
--- a/Tests/test_imagemath.py
+++ b/Tests/test_imagemath.py
@@ -52,9 +52,17 @@ def test_ops():
     assert pixel(ImageMath.eval("float(B)**33", images)) == "F 8589934592.0"
 
 
-def test_prevent_exec():
+@pytest.mark.parametrize(
+    "expression",
+    (
+        "exec('pass')",
+        "(lambda: exec('pass'))()",
+        "(lambda: (lambda: exec('pass'))())()",
+    ),
+)
+def test_prevent_exec(expression):
     with pytest.raises(ValueError):
-        ImageMath.eval("exec('pass')")
+        ImageMath.eval(expression)
 
 
 def test_logical():
diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py
index 4b6e4ccda3a..09d9898d750 100644
--- a/src/PIL/ImageMath.py
+++ b/src/PIL/ImageMath.py
@@ -240,11 +240,18 @@ def eval(expression, _dict={}, **kw):
         if hasattr(v, "im"):
             args[k] = _Operand(v)
 
-    code = compile(expression, "<string>", "eval")
-    for name in code.co_names:
-        if name not in args and name != "abs":
-            raise ValueError(f"'{name}' not allowed")
+    compiled_code = compile(expression, "<string>", "eval")
 
+    def scan(code):
+        for const in code.co_consts:
+            if type(const) == type(compiled_code):
+                scan(const)
+
+        for name in code.co_names:
+            if name not in args and name != "abs":
+                raise ValueError(f"'{name}' not allowed")
+
+    scan(compiled_code)
     out = builtins.eval(expression, {"__builtins": {"abs": abs}}, args)
     try:
         return out.im