From 80d2d8ae09e40401d16d3f419cea30427ab5beaa Mon Sep 17 00:00:00 2001
From: Jeremy Paige
Date: Mon, 18 Oct 2021 13:41:02 -0700
Subject: [PATCH] CVE-2021-25291, CVE-2020-35654: fix TiffDecode heap-based buffer overflow
---
 CHANGES.rst | 3 +++
 ...-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif | Bin 0 -> 3728 bytes
 Tests/test_tiff_crashes.py | 11 +++++++++++
 docs/releasenotes/6.2.2.1.rst | 5 ++++-
 src/libImaging/TiffDecode.c | 6 ++++++
 5 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif
 create mode 100644 Tests/test_tiff_crashes.py
diff --git a/CHANGES.rst b/CHANGES.rst
index fd8eca6ef..d774aa963 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -10,6 +10,9 @@ Changelog (Pillow)
 - Catch SGI out-of-bounds reads. CVE 2020-11538
   [ucodery]
+- Catch TiffDecode heap-based buffer overflow. CVE 2021-25289
+  [ucodery]
+
 6.2.2 (2020-01-02)
 ------------------
diff --git a/Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif b/Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif
new file mode 100644
index 0000000000000000000000000000000000000000..b89203f75c40ec004e9a37d04caa7ba1c1aee085
GIT binary patch
literal 3728
zcmeHJU1%It6h3!mvTpv`ByO`93yvFYX=!$6XE$kfZ6s;hz-p~OK@3R2jY-?2NmJ8> zjc-AP2=&E06@}uHeGrl2OCJPr5%*;&6!gLBQy&6aDB6cgtnB!mnR_Rb%_deNis%{c z+%sp+J^%OIo6GH|FcGy05;_TB5i&?foI*f6&~zi@d`bJ;NE4c2G&DFKTomp+EkD&% zRS4#a1W9_oo5*p9mZolzZVU*WwK7yrR4SMp=T=Ty)lAB&kO5R$#r&GYK_*?|`xePH z*pnxyT^Q8;;@JQPd+M%~rtFm~3oo6XDnJ20tO$>0+|^t=A?@SpZ=wo|B`E7!eCys} zRLc4uT#XoG*N8gHn)NX74}eF@8X`;7AMc}w%7WVHQ~C__t}@~c`p-M@0(43njUfI>%v;5I+IPT8rqk(1 z_GSk9?L&4dex1^;&>F}5&pMF_kbJg3LO3Fwo*94cJwBN|dp_0YzE3zr{&(MIxXXTG(aweFu2q5&b*1C%7uHE>JLu?kFs_56Tz<_i3PIox33E7 z2xMZtaF6FBsQ#gP&v84n(AH%!iEpAngTR-F1}cPhyoua``XdJCmfg{oDiyiuy~AqL zgNjQJoXWyhY>j4!W7D}7RP5S-tJoD#D7E?8&RL`6hEX8Dz!vXRQfKZ)KV0iBVAo`Q zlTbl^I@$C(@GaAV9r@-WXNjv0^$CACGr8P1&Z^`5x_XzZwHtlbNxN}8^SM)PM(eO_ zGZ{~&`z_l(VA@vFPFM#M$=;r1f7a^Drh82Zu_v3%L-P|Sv!h2w%!Sz*bi{d?kc;A< zZhCNdv%IQ3acmK>;39S}R~#bVF&!jNM=qDK;hCw?!u%AtaBjYkFQPTv-`T2)4g7xF zb7`!y(N}q!RdQb-8W9GjY2t*~u*|#id4ueNKQB4*}vc-xz#-kD*kV?d<*#3wb_Z21F_SE!ntfBQ7jhY#iT8}fqQFScctFg kya%~|*K6LjQtkNM{Ha7TlgT73J7L>BX!bqlU(XEu4zt$kbpQYW
literal 0
HcmV?d00001
diff --git a/Tests/test_tiff_crashes.py b/Tests/test_tiff_crashes.py
new file mode 100644
index 000000000..655dc0b3a
--- /dev/null
+++ b/Tests/test_tiff_crashes.py
@@ -0,0 +1,11 @@
+import pytest
+
+from PIL import Image
+
+@pytest.mark.filterwarnings("ignore:Possibly corrupt EXIF data")
+@pytest.mark.filterwarnings("ignore:Metadata warning")
+def test_tiff_crashes():
+    test_file = "Tests/images/crash-63b1dffefc8c075ddc606c0a2f5fdc15ece78863.tif"
+    with pytest.raises(IOError):
+        with Image.open(test_file) as im:
+            im.load()
diff --git a/docs/releasenotes/6.2.2.1.rst b/docs/releasenotes/6.2.2.1.rst
index 8912fb798..16e4785cf 100644
--- a/docs/releasenotes/6.2.2.1.rst
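Review bot: The `pytest.raises(IOError)` block in test_tiff_crashes wraps `Image.open` together with `im.load()`, and because `IOError` is an alias of `OSError` on Python 3, a missing or mis-pathed fixture raising `FileNotFoundError` satisfies the assertion and the test passes without the decoder ever running. If the crafted file's header still parses, which the test's reliance on `im.load()` suggests, narrow the guard to the call that exercises the fix: `with Image.open(test_file) as im:` / `    with pytest.raises(IOError):` / `        im.load()`. The hard-coded relative path also assumes the repository root as the working directory; if the rest of the suite already makes that assumption this is consistent, otherwise the existing image-path helper would be the safer choice. A second blank line before the decorated function would match PEP 8 and the surrounding test files.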
+++ b/docs/releasenotes/6.2.2.1.rst
@@ -6,5 +6,8 @@ Security
 This release addresses CVE-2020-11538.
-CVE-2019-11538 is regarding SGI images. An out-of-bounds read can occur in the
+CVE-2020-11538 is regarding SGI images. An out-of-bounds read can occur in the
 parsing of SGI image files.
+
+CVE-2021-25289 is regarding Tiff images. A heap-based buffer overflow can occur
+when decoding crafted YCbCr files.
diff --git a/src/libImaging/TiffDecode.c b/src/libImaging/TiffDecode.c
index c3df1174e..df5ba3fa4 100644
--- a/src/libImaging/TiffDecode.c
+++ b/src/libImaging/TiffDecode.c
@@ -378,6 +378,12 @@ int ImagingLibTiffDecode(Imaging im, ImagingCodecState state, UINT8* buffer, Py_
     for (y = state->yoff; y < state->ysize; y += tile_length) {
         for (x = state->xoff; x < state->xsize; x += tile_width) {
+            if (!TIFFCheckTile(tiff, x, y, 0, 0)) {
+                TRACE(("Check Tile Error, Tile at %dx%d\n", x, y));
+                state->errcode = IMAGING_CODEC_BROKEN;
+                TIFFClose(tiff);
+                return -1;
+            }
             if (ReadTile(tiff, x, y, (UINT32*) state->buffer) == -1) {
                 TRACE(("Decode Error, Tile at %dx%d\n", x, y));
                 state->errcode = IMAGING_CODEC_BROKEN;