mirror of
https://github.com/python-pillow/Pillow.git
synced 2024-11-13 21:26:46 +03:00
41 lines
1.3 KiB
ReStructuredText
41 lines
1.3 KiB
ReStructuredText
|
|
||
|
|
3.3.2
|
||
|
|
=====
|
||
|
|
|
||
|
|
Integer overflow in Map.c
|
||
|
|
-------------------------
|
||
|
|
|
||
|
|
Pillow prior to 3.3.2 may experience integer overflow errors in map.c
|
||
|
|
when reading specially crafted image files. This may lead to memory
|
||
|
|
disclosure or corruption.
|
||
|
|
|
||
|
|
Specifically, when parameters from the image are passed into
|
||
|
|
``Image.core.map_buffer``, the size of the image was calculated with
|
||
|
|
``xsize``*``ysize``*``bytes_per_pixel``. This will overflow if the
|
||
|
|
result is larger than SIZE_MAX. This is possible on a 32-bit system.
|
||
|
|
|
||
|
|
Furthermore this ``size`` value was added to a potentially attacker
|
||
|
|
provided ``offset`` value and compared to the size of the buffer
|
||
|
|
without checking for overflow or negative values.
|
||
|
|
|
||
|
|
These values were then used for creating pointers, at which point
|
||
|
|
Pillow could read the memory and include it in other images. The image
|
||
|
|
was marked readonly, so Pillow would not ordinarily write to that
|
||
|
|
memory without duplicating the image first.
|
||
|
|
|
||
|
|
This issue was found by Cris Neckar at Divergent Security.
|
||
|
|
|
||
|
|
Sign Extension in Storage.c
|
||
|
|
---------------------------
|
||
|
|
|
||
|
|
Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for
|
||
|
|
negative image sizes in ``ImagingNew`` in ``Storage.c``. A negative
|
||
|
|
image size can lead to a smaller allocation than expected, leading to
|
||
|
|
arbitrary writes.
|
||
|
|
|
||
|
|
This issue was found by Cris Neckar at Divergent Security.
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|