diff --git a/CHANGES.rst b/CHANGES.rst
index be9973de5..3296ca06e 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -28,6 +28,9 @@ since Pillow 4.3.0.
 - Fix for CVE-2021-23437
 [rickprice]
+- Fix for CVE-2020-10379
+ [rickprice]
+
 6.2.2.3 (2023-02-23)
 ------------------
diff --git a/Tests/check_tiff_crashes.py b/Tests/check_tiff_crashes.py
new file mode 100644
index 000000000..f4eb04375
--- /dev/null
+++ b/Tests/check_tiff_crashes.py
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+
+# Reproductions/tests for crashes/read errors in TiffDecode.c
+
+# When run in python, all of these images should fail for
+# one reason or another, either as a buffer overrun,
+# unrecognized datastream, or truncated image file.
+# There shouldn't be any segfaults.
+#
+# if run like
+# `valgrind --tool=memcheck python check_tiff_crashes.py 2>&1 | grep TiffDecode.c`
+# the output should be empty. There may be python issues
+# in the valgrind especially if run in a debug python
+# version.
+
+
+from PIL import Image
+
+repro_read_strip = (
+ "images/crash_1.tif",
+ "images/crash_2.tif",
+)
+
+for path in repro_read_strip:
+ with Image.open(path) as im:
+ try:
+ im.load()
+ except Exception as msg:
+ print(msg)
diff --git a/Tests/images/crash_1.tif b/Tests/images/crash_1.tif
new file mode 100644
index 000000000..230d4439a
Binary files /dev/null and b/Tests/images/crash_1.tif differ
diff --git a/Tests/images/crash_2.tif b/Tests/images/crash_2.tif
new file mode 100644
index 000000000..26c00d0ff
Binary files /dev/null and b/Tests/images/crash_2.tif differ
diff --git a/docs/releasenotes/6.2.2.4.rst b/docs/releasenotes/6.2.2.4.rst
index 111f040b7..37459a01b 100644
--- a/docs/releasenotes/6.2.2.4.rst
+++ b/docs/releasenotes/6.2.2.4.rst
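Review bot: `Image.open(path)` is outside the `try` in the loop that closes the new Tests/check_tiff_crashes.py, so an exception raised while opening a file (a wrong working directory for the relative `images/...` paths, or data the opener rejects) stops the run before the second reproducer is loaded. Wrapping the `with` statement itself, i.e. putting `try:` directly above `with Image.open(path) as im:`, keeps both files exercised under valgrind. The loop also only prints what it catches, so a run without valgrind gives no signal if one of the images unexpectedly decodes; a comment such as `# pass/fail is judged from the valgrind output, not from this script's exit status` would make that explicit, or the two files could be added to a regression test that asserts `im.load()` raises.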
@@ -20,3 +20,5 @@ since Pillow 4.3.0.
 :cve: `CVE-2021-25290` : Fix negative size read in TiffDecode.c
 :cve: `CVE-2021-23437` : Raise ValueError if color specifier is too long
+
+:cve: `CVE-2020-10379` : In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c.