Commit
Showing 3 changed files with 51 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
|
||
3.3.2 | ||
===== | ||
|
||
Integer overflow in Map.c | ||
------------------------- | ||
|
||
Pillow prior to 3.3.2 may experience integer overflow errors in map.c | ||
when reading specially crafted image files. This may lead to memory | ||
disclosure or corruption. | ||
|
||
Specifically, when parameters from the image are passed into | ||
``Image.core.map_buffer``, the size of the image was calculated with | ||
``xsize``*``ysize``*``bytes_per_pixel``. This will overflow if the | ||
result is larger than SIZE_MAX. This is possible on a 32-bit system. | ||
|
||
Furthermore this ``size`` value was added to a potentially attacker | ||
provided ``offset`` value and compared to the size of the buffer | ||
without checking for overflow or negative values. | ||
|
||
These values were then used for creating pointers, at which point | ||
Pillow could read the memory and include it in other images. The image | ||
was marked readonly, so Pillow would not ordinarily write to that | ||
memory without duplicating the image first. | ||
|
||
This issue was found by Cris Neckar at Divergent Security. | ||
|
||
Sign Extension in Storage.c | ||
--------------------------- | ||
|
||
Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for | ||
negative image sizes in ``ImagingNew`` in ``Storage.c``. A negative | ||
image size can lead to a smaller allocation than expected, leading to | ||
arbitrary writes. | ||
|
||
This issue was found by Cris Neckar at Divergent Security. | ||
|
||
|
||
|
||
|
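Review bot: In the paragraph beginning "Specifically", the expression ``xsize``*``ysize``*``bytes_per_pixel`` will not render as three separate literals. reStructuredText requires an inline-literal end-string to be followed by whitespace or punctuation, and `*` does not qualify, so the whole run is parsed as one literal with stray backticks inside it. Write it as a single literal, ``xsize * ysize * bytes_per_pixel``, and mark SIZE_MAX as a literal as well. The heading says "Map.c" while the body says "map.c"; use the file's actual name in both places. Both sections also describe the defect without saying what 3.3.2 changes (for example, which checks were added), which is what a reader deciding whether to upgrade will look for.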
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,6 +6,7 @@ Release Notes | |
.. toctree:: | ||
:maxdepth: 2 | ||
|
||
3.3.2 | ||
3.3.0 | ||
3.2.0 | ||
3.1.2 | ||
|
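Review bot: The new 3.3.2 entry sits directly above 3.3.0, so the toctree lists no 3.3.1 entry between them. If a 3.3.1 release exists, confirm that leaving its notes out of the index is intentional; otherwise add the entry here so the release list reads in sequence.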