Changes, Release notes

CHANGES.rst

@@ -1,6 +1,16 @@
 Changelog (Pillow)
 ==================
 
+3.3.2 (2016-10-03)
+------------------
+
+- Fix negative image sizes in Storage.c #2105
+  [wiredfool]
+
+- Fix integer overflow in map.c #2105
+  [wiredfool]
+
+
 3.3.1 (2016-08-18)
 ------------------
 

docs/releasenotes/3.3.2.rst

@@ -0,0 +1,40 @@
+
+3.3.2
+=====
+
+Integer overflow in Map.c
+-------------------------
+
+Pillow prior to 3.3.2 may experience integer overflow errors in map.c
+when reading specially crafted image files. This may lead to memory
+disclosure or corruption.
+
+Specifically, when parameters from the image are passed into
+``Image.core.map_buffer``, the size of the image was calculated with
+``xsize``*``ysize``*``bytes_per_pixel``. This will overflow if the
+result is larger than SIZE_MAX. This is possible on a 32-bit system.
+
+Furthermore this ``size`` value was added to a potentially attacker
+provided ``offset`` value and compared to the size of the buffer
+without checking for overflow or negative values.
+
+These values were then used for creating pointers, at which point
+Pillow could read the memory and include it in other images. The image
+was marked readonly, so Pillow would not ordinarily write to that
+memory without duplicating the image first.
+
+This issue was found by Cris Neckar at Divergent Security.
+
+Sign Extension in Storage.c
+---------------------------
+
+Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for
+negative image sizes in ``ImagingNew`` in ``Storage.c``. A negative
+image size can lead to a smaller allocation than expected, leading to
+arbitrary writes.
+
+This issue was found by Cris Neckar at Divergent Security.
+
+
+
+

docs/releasenotes/index.rst

@@ -6,6 +6,7 @@ Release Notes
 .. toctree::
   :maxdepth: 2
 
+  3.3.2
   3.3.0
   3.2.0
   3.1.2