From 0f2d6e0cc5ec216c9f740eb119934ccd52d1d757 Mon Sep 17 00:00:00 2001 From: wiredfool Date: Thu, 29 Sep 2016 07:37:01 -0700 Subject: [PATCH] Changes, Release Notes for 3.3.2 --- CHANGES.rst | 9 +++++++++ docs/releasenotes/3.3.2.rst | 40 +++++++++++++++++++++++++++++++++++++ docs/releasenotes/index.rst | 1 + 3 files changed, 50 insertions(+) create mode 100644 docs/releasenotes/3.3.2.rst diff --git a/CHANGES.rst b/CHANGES.rst index 8cd9f2d1f..a9265f999 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -124,6 +124,15 @@ Changelog (Pillow) - Retain a reference to core image object in PyAccess #2009 [homm] +3.3.2 (2016-10-03) +------------------ + +- Fix negative image sizes in Storage.c #2105 + [wiredfool] + +- Fix integer overflow in map.c #2105 + [wiredfool] + 3.3.1 (2016-08-18) ------------------ diff --git a/docs/releasenotes/3.3.2.rst b/docs/releasenotes/3.3.2.rst new file mode 100644 index 000000000..141413093 --- /dev/null +++ b/docs/releasenotes/3.3.2.rst 
@@ -0,0 +1,40 @@ + +3.3.2 +===== + +Integer overflow in Map.c +------------------------- + +Pillow prior to 3.3.2 may experience integer overflow errors in map.c +when reading specially crafted image files. This may lead to memory +disclosure or corruption. + +Specifically, when parameters from the image are passed into +``Image.core.map_buffer``, the size of the image was calculated with +``xsize``*``ysize``*``bytes_per_pixel``. This will overflow if the +result is larger than SIZE_MAX. This is possible on a 32-bit system. + +Furthermore this ``size`` value was added to a potentially attacker +provided ``offset`` value and compared to the size of the buffer +without checking for overflow or negative values. + +These values were then used for creating pointers, at which point +Pillow could read the memory and include it in other images. The image +was marked readonly, so Pillow would not ordinarily write to that +memory without duplicating the image first. + +This issue was found by Cris Neckar at Divergent Security. + +Sign Extension in Storage.c +--------------------------- + +Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for +negative image sizes in ``ImagingNew`` in ``Storage.c``. A negative +image size can lead to a smaller allocation than expected, leading to +arbitrary writes. + +This issue was found by Cris Neckar at Divergent Security. + + + + diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst index 2ffe37980..8c484af44 100644 --- a/docs/releasenotes/index.rst +++ b/docs/releasenotes/index.rst @@ -7,6 +7,7 @@ Release Notes :maxdepth: 2 3.4.0 + 3.3.2 3.3.0 3.2.0 3.1.2
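Review bot: In the CHANGES.rst hunk, the two new 3.3.2 entries ("Fix negative image sizes in Storage.c #2105" and "Fix integer overflow in map.c #2105") read like ordinary bug fixes, while the accompanying release notes describe memory disclosure and arbitrary writes triggered by crafted image files. Consider marking both entries as security fixes in the changelog (and referencing the advisory identifier if one has been assigned, as a placeholder until then), since packagers and downstream users often scan CHANGES.rst rather than the release notes page when deciding whether an update is urgent.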
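Review bot: In the new docs/releasenotes/3.3.2.rst, the expression ``xsize``*``ysize``*``bytes_per_pixel`` is unlikely to render as intended in reStructuredText, because the inline-literal end-string must be followed by whitespace or closing punctuation and the start-string must be preceded by whitespace or opening punctuation, and ``*`` is neither; writing it as a single literal, ``xsize * ysize * bytes_per_pixel``, renders cleanly and reads as the product it describes. Two smaller points in the same file: the heading says "Map.c" while the body, the CHANGES.rst entry and the source tree use "map.c", so the heading should use the lowercase filename; and "Furthermore this ``size`` value was added to a potentially attacker provided ``offset`` value" wants a comma after "Furthermore" and a hyphen in "attacker-provided". The file also ends with four added blank lines, which should be trimmed to a single trailing newline.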