Mirror of https://github.com/python-pillow/Pillow.git (synced 2025-01-26 01:04:29 +03:00)
Changes, Release Notes for 3.3.2
parent c50ebe6459
commit 0f2d6e0cc5
|
@ -124,6 +124,15 @@ Changelog (Pillow)
|
||||||
- Retain a reference to core image object in PyAccess #2009
|
- Retain a reference to core image object in PyAccess #2009
|
||||||
[homm]
|
[homm]
|
||||||
|
|
||||||
|
3.3.2 (2016-10-03)
|
||||||
|
------------------
|
||||||
|
|
||||||
|
- Fix negative image sizes in Storage.c #2105
|
||||||
|
[wiredfool]
|
||||||
|
|
||||||
|
- Fix integer overflow in map.c #2105
|
||||||
|
[wiredfool]
|
||||||
|
|
||||||
3.3.1 (2016-08-18)
|
3.3.1 (2016-08-18)
|
||||||
------------------
|
------------------
|
||||||
|
|
||||||
|
|
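Review bot: The two new 3.3.2 entries ("Fix negative image sizes in Storage.c #2105" and "Fix integer overflow in map.c #2105") read like routine bug fixes, while the release notes added in this same commit describe them as leading to memory disclosure or corruption and to arbitrary writes. Consider marking both entries as security fixes so that someone scanning the changelog can tell 3.3.2 is a security release. The file name is also spelled "map.c" here and "Map.c" in the release-notes heading; pick one spelling and use it in both places.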
40
docs/releasenotes/3.3.2.rst
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
|
||||||
|
3.3.2
|
||||||
|
=====
|
||||||
|
|
||||||
|
Integer overflow in Map.c
|
||||||
|
-------------------------
|
||||||
|
|
||||||
|
Pillow prior to 3.3.2 may experience integer overflow errors in map.c
|
||||||
|
when reading specially crafted image files. This may lead to memory
|
||||||
|
disclosure or corruption.
|
||||||
|
|
||||||
|
Specifically, when parameters from the image are passed into
|
||||||
|
``Image.core.map_buffer``, the size of the image was calculated with
|
||||||
|
``xsize``*``ysize``*``bytes_per_pixel``. This will overflow if the
|
||||||
|
result is larger than SIZE_MAX. This is possible on a 32-bit system.
|
||||||
|
|
||||||
|
Furthermore this ``size`` value was added to a potentially attacker
|
||||||
|
provided ``offset`` value and compared to the size of the buffer
|
||||||
|
without checking for overflow or negative values.
|
||||||
|
|
||||||
|
These values were then used for creating pointers, at which point
|
||||||
|
Pillow could read the memory and include it in other images. The image
|
||||||
|
was marked readonly, so Pillow would not ordinarily write to that
|
||||||
|
memory without duplicating the image first.
|
||||||
|
|
||||||
|
This issue was found by Cris Neckar at Divergent Security.
|
||||||
|
|
||||||
|
Sign Extension in Storage.c
|
||||||
|
---------------------------
|
||||||
|
|
||||||
|
Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for
|
||||||
|
negative image sizes in ``ImagingNew`` in ``Storage.c``. A negative
|
||||||
|
image size can lead to a smaller allocation than expected, leading to
|
||||||
|
arbitrary writes.
|
||||||
|
|
||||||
|
This issue was found by Cris Neckar at Divergent Security.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
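Review bot: Both sections describe the flaw but not the fix. The Map.c section says the ``xsize``*``ysize``*``bytes_per_pixel`` product can exceed SIZE_MAX and that ``size`` plus ``offset`` was compared to the buffer size "without checking for overflow or negative values", and the Storage.c section says negative sizes are not checked in ``ImagingNew``, yet neither states what 3.3.2 now checks or how a rejected image is reported to the caller. One sentence per section on the new behaviour would let readers know what to expect after upgrading. Two smaller points: the heading "Sign Extension in Storage.c" is not explained by its body, which only mentions a missing negative-size check, so either say where the sign extension happens or retitle the section; and the size expression would read better as a single literal, ``xsize * ysize * bytes_per_pixel``, with SIZE_MAX set as a literal too.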
@ -7,6 +7,7 @@ Release Notes
|
||||||
:maxdepth: 2
|
:maxdepth: 2
|
||||||
|
|
||||||
3.4.0
|
3.4.0
|
||||||
|
3.3.2
|
||||||
3.3.0
|
3.3.0
|
||||||
3.2.0
|
3.2.0
|
||||||
3.1.2
|
3.1.2
|
||||||
|
|