2016-09-29 17:37:01 +03:00

3.3.2
=====

Integer overflow in Map.c
-------------------------

Pillow prior to 3.3.2 may experience integer overflow errors in map.c
when reading specially crafted image files. This may lead to memory
disclosure or corruption.

Specifically, when parameters from the image are passed into
``Image.core.map_buffer``, the size of the image was calculated with
``xsize`` * ``ysize`` * ``bytes_per_pixel``. This will overflow if the
result is larger than SIZE_MAX. This is possible on a 32-bit system.

Furthermore, this ``size`` value was added to a potentially
attacker-provided ``offset`` value and compared to the size of the buffer
without checking for overflow or negative values.

These values were then used for creating pointers, at which point
Pillow could read the memory and include it in other images. The image
was marked readonly, so Pillow would not ordinarily write to that
memory without duplicating the image first.

This issue was found by Cris Neckar at Divergent Security.

Sign Extension in Storage.c
---------------------------

Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for
negative image sizes in ``ImagingNew`` in ``Storage.c``. A negative
image size can lead to a smaller allocation than expected, leading to
arbitrary writes.

This issue was found by Cris Neckar at Divergent Security.
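The following C function is an added illustration, not Pillow's own code, of the checks both sections above call for: it rejects negative dimensions and offsets before they are converted to unsigned (the sign extension problem in ``ImagingNew``), computes ``xsize`` * ``ysize`` * ``bytes_per_pixel`` with overflow detection, and verifies ``offset`` + ``size`` against the buffer length without wrapping (the ``map_buffer`` problem). The function name and the ``MAP_ERR_*`` result codes are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

/* Result codes for validating a mapped-image request (assumed names). */
#define MAP_OK            0
#define MAP_ERR_NEGATIVE -1   /* a dimension, pixel size or offset is negative */
#define MAP_ERR_OVERFLOW -2   /* xsize*ysize*bpp or offset+size does not fit in size_t */
#define MAP_ERR_BOUNDS   -3   /* offset+size extends past the end of the buffer */

/* Multiply two size_t values, reporting overflow instead of wrapping. */
static int mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Validate that an image of xsize x ysize pixels of bytes_per_pixel bytes,
 * starting at offset, fits inside a buffer of buflen bytes. On success the
 * byte count of the pixel data is stored in *size_out. */
int checked_map_size(long xsize, long ysize, long bytes_per_pixel,
                     long offset, size_t buflen, size_t *size_out)
{
    size_t size, end;

    /* Reject negative values before converting: a negative long cast to
     * size_t becomes a huge unsigned value, so later comparisons pass
     * while the real allocation or read is far smaller than expected. */
    if (xsize < 0 || ysize < 0 || bytes_per_pixel < 0 || offset < 0)
        return MAP_ERR_NEGATIVE;

    /* xsize * ysize * bytes_per_pixel, each multiplication checked. */
    if (!mul_checked((size_t)xsize, (size_t)ysize, &size) ||
        !mul_checked(size, (size_t)bytes_per_pixel, &size))
        return MAP_ERR_OVERFLOW;

    /* offset + size must not wrap around either. */
    if (size > SIZE_MAX - (size_t)offset)
        return MAP_ERR_OVERFLOW;
    end = (size_t)offset + size;

    /* Only now is it safe to compare against the buffer length. */
    if (end > buflen)
        return MAP_ERR_BOUNDS;

    *size_out = size;
    return MAP_OK;
}
```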