diff --git a/CHANGES.rst b/CHANGES.rst index ca852f1de..ab7fba7e8 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -1,6 +1,16 @@ Changelog (Pillow) ================== +3.3.2 (2016-10-03) +------------------ + +- Fix negative image sizes in Storage.c #2105 + [wiredfool] + +- Fix integer overflow in map.c #2105 + [wiredfool] + + 3.3.1 (2016-08-18) ------------------ diff --git a/docs/releasenotes/3.3.2.rst b/docs/releasenotes/3.3.2.rst new file mode 100644 index 000000000..141413093 --- /dev/null +++ b/docs/releasenotes/3.3.2.rst @@ -0,0 +1,40 @@ + +3.3.2 +===== + +Integer overflow in Map.c +------------------------- + +Pillow prior to 3.3.2 may experience integer overflow errors in map.c +when reading specially crafted image files. This may lead to memory +disclosure or corruption. + +Specifically, when parameters from the image are passed into +``Image.core.map_buffer``, the size of the image was calculated with +``xsize``*``ysize``*``bytes_per_pixel``. This will overflow if the +result is larger than SIZE_MAX. This is possible on a 32-bit system. + +Furthermore this ``size`` value was added to a potentially attacker +provided ``offset`` value and compared to the size of the buffer +without checking for overflow or negative values. + +These values were then used for creating pointers, at which point +Pillow could read the memory and include it in other images. The image +was marked readonly, so Pillow would not ordinarily write to that +memory without duplicating the image first. + +This issue was found by Cris Neckar at Divergent Security. + +Sign Extension in Storage.c +--------------------------- + +Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for +negative image sizes in ``ImagingNew`` in ``Storage.c``. A negative +image size can lead to a smaller allocation than expected, leading to +arbitrary writes. + +This issue was found by Cris Neckar at Divergent Security. + + + + 
diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst index f38b9fbfa..ef7b0df86 100644 --- a/docs/releasenotes/index.rst +++ b/docs/releasenotes/index.rst @@ -6,6 +6,7 @@ Release Notes .. toctree:: :maxdepth: 2 + 3.3.2 3.3.0 3.2.0 3.1.2
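Review bot: in the CHANGES.rst hunk, the two 3.3.2 entries describe distinct fixes (negative image sizes in Storage.c, integer overflow in map.c) but both cite the same reference, `#2105`; if they landed as one pull request that is fine, otherwise each entry should carry its own issue or PR number. The file is spelled `map.c` here and in the body of the new release notes but `Map.c` in that file's section heading; use one spelling throughout.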
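Review bot: in the docs/releasenotes/3.3.2.rst hunk, the expression ``xsize``*``ysize``*``bytes_per_pixel`` is unlikely to render as intended, because reStructuredText requires an inline literal's end-string to be followed by whitespace or a small set of punctuation characters, and `*` is not among them; write it as a single literal, ``xsize * ysize * bytes_per_pixel``. While here: `SIZE_MAX` is left as plain text although the neighbouring identifiers are literals; "Furthermore this" wants a comma after "Furthermore"; the new file ends with several blank lines, one of which carries trailing whitespace, and these should be trimmed; and since the changelog ties both fixes to #2105, the release notes could cite that reference so a reader can locate the patch from this page.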