From a632b7a3e71a0122caa9be27fb0b1701ffb49e26 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Mon, 2 Jan 2023 00:25:49 +1100 Subject: [PATCH 1/3] Added release notes for #6842 --- docs/releasenotes/9.4.0.rst | 34 +++++++--------------------------- 1 file changed, 7 insertions(+), 27 deletions(-) diff --git a/docs/releasenotes/9.4.0.rst b/docs/releasenotes/9.4.0.rst index 2b111d5e4..a0d26dc52 100644 --- a/docs/releasenotes/9.4.0.rst +++ b/docs/releasenotes/9.4.0.rst @@ -1,30 +1,6 @@ 9.4.0 ----- -Backwards Incompatible Changes -============================== - -TODO -^^^^ - -TODO - -Deprecations -============ - -TODO -^^^^ - -TODO - -API Changes -=========== - -TODO -^^^^ - -TODO - API Additions ============= @@ -96,10 +72,14 @@ When saving a JPEG image, a comment can now be written from Security ======== -TODO -^^^^ +Fix memory DOS in ImageFont +^^^^^^^^^^^^^^^^^^^^^^^^^^^ -TODO +A corrupt or specially crafted TTF font could have font metrics that lead to +unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not +check the image size before allocating memory for it. This dates to the PIL +fork. Pilllow 8.2.0 added a check for large sizes, but did not consider the +case where one dimension was zero. Other Changes ============= From 35b4c433b33da3fa1e9a3193809c3fd7ec58d042 Mon Sep 17 00:00:00 2001 From: Andrew Murray Date: Mon, 2 Jan 2023 00:32:35 +1100 Subject: [PATCH 2/3] Added release notes for #6846 --- docs/releasenotes/9.4.0.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/releasenotes/9.4.0.rst b/docs/releasenotes/9.4.0.rst index a0d26dc52..2d83b7bf5 100644 --- a/docs/releasenotes/9.4.0.rst +++ b/docs/releasenotes/9.4.0.rst @@ -81,6 +81,13 @@ check the image size before allocating memory for it. This dates to the PIL fork. Pilllow 8.2.0 added a check for large sizes, but did not consider the case where one dimension was zero. +Null pointer dereference crash in ImageFont +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a +crash. An error is now raised instead. This would have been present since +Pillow 8.0.0. + Other Changes ============= From e908afea40ec54c43954c9a70be78af670dfb442 Mon Sep 17 00:00:00 2001 From: Andrew Murray <3112309+radarhere@users.noreply.github.com> Date: Mon, 2 Jan 2023 08:17:47 +1100 Subject: [PATCH 3/3] Updated security descriptions Co-authored-by: Hugo van Kemenade --- docs/releasenotes/9.4.0.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/releasenotes/9.4.0.rst b/docs/releasenotes/9.4.0.rst index 2d83b7bf5..0af5bc8ca 100644 --- a/docs/releasenotes/9.4.0.rst +++ b/docs/releasenotes/9.4.0.rst @@ -78,14 +78,14 @@ Fix memory DOS in ImageFont A corrupt or specially crafted TTF font could have font metrics that lead to unreasonably large sizes when rendering text in font. ``ImageFont.py`` did not check the image size before allocating memory for it. This dates to the PIL -fork. Pilllow 8.2.0 added a check for large sizes, but did not consider the -case where one dimension was zero. +fork. Pillow 8.2.0 added a check for large sizes, but did not consider the +case where one dimension is zero. Null pointer dereference crash in ImageFont ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Pillow attempted to dereference a null pointer in ``ImageFont``, leading to a -crash. An error is now raised instead. This would have been present since +crash. An error is now raised instead. This has been present since Pillow 8.0.0. Other Changes