Commit Graph

11540 Commits

Author SHA1 Message Date
Andrew Murray
fc64064387 Changed mode for 16-bit palette to BGR;15 2021-04-10 22:11:20 +10:00
Andrew Murray
356681faae
Merge pull request #5393 from hugovk/test-redos
Add test for CVE-2021-25292 ReDoS
2021-04-09 23:34:11 +10:00
Hugo van Kemenade
b01fd46fe6
Merge pull request #5395 from radarhere/python3 2021-04-09 13:43:45 +03:00
Andrew Murray
714d6c8cd3 Removed shebang line 2021-04-09 19:10:53 +10:00
Andrew Murray
b8c8375d0c Use python3 in shebang line 2021-04-09 19:10:36 +10:00
Hugo van Kemenade
bde149be38 Add test for CVE-2021-25292 ReDoS 2021-04-08 23:53:22 +03:00
Hugo van Kemenade
75c111903c
Merge pull request #5382 from radarhere/rounded_rectangle
Round down the radius in rounded_rectangle
2021-04-07 19:31:19 +03:00
Andrew Murray
97207a8b19 Update CHANGES.rst [ci skip] 2021-04-07 19:20:35 +10:00
Hugo van Kemenade
eeddc06305
Merge pull request #5383 from radarhere/dds 2021-04-07 12:15:02 +03:00
Andrew Murray
d06871d543 Set mode of three channel uncompressed RGB data to RGB 2021-04-05 17:58:02 +10:00
Andrew Murray
6f87faf0ee Reversed rawmode for uncompressed RGB data 2021-04-05 17:54:34 +10:00
Andrew Murray
92edc29439 Round down the radius in rounded_rectangle 2021-04-05 08:54:06 +10:00
Hugo van Kemenade
e2ac1d1c34
Merge pull request #5380 from radarhere/accept 2021-04-03 16:23:39 +03:00
Andrew Murray
60da129d4b Replaced register_open lambdas with _accept method for consistency 2021-04-03 21:51:28 +11:00
Andrew Murray
d4f9c6e082 Renamed register_open accept methods for consistency 2021-04-03 21:51:23 +11:00
Hugo van Kemenade
ee079ae67e
Merge pull request #5378 from radarhere/fedora
Removed Fedora 32 docker job
2021-04-02 13:10:36 +03:00
Andrew Murray
ed8064df22 Removed Fedora 32 docker job 2021-04-02 18:07:03 +11:00
Hugo van Kemenade
330f77ae7a 8.3.0.dev0 version bump 2021-04-01 23:56:43 +03:00
Hugo van Kemenade
e0e353c0ef 8.2.0 version bump 2021-04-01 20:58:27 +03:00
Hugo van Kemenade
ee635befc6
Merge pull request #5377 from hugovk/security-and-release-notes
Security fixes for 8.2.0
2021-04-01 20:00:22 +03:00
Hugo van Kemenade
694c84f88f
Fix typo [ci skip]
Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
2021-04-01 20:00:13 +03:00
Hugo van Kemenade
8febdad8dd Review, typos and lint 2021-04-01 17:41:46 +03:00
Hugo van Kemenade
fea419665b Reorder, roughly alphabetic 2021-04-01 17:26:24 +03:00
Eric Soroos
496245aa43 Fix BLP DOS -- CVE-2021-28678
* BlpImagePlugin did not properly check that reads after jumping to
  file offsets returned data. This could lead to a DOS where the
  decoder could be run a large number of times on empty data
* This dates to Pillow 5.1.0
2021-04-01 17:17:35 +03:00
Eric Soroos
22e9bee4ef Fix DOS in PSDImagePlugin -- CVE-2021-28675
* PSDImagePlugin did not sanity check the number of input layers and
  vs the size of the data block, this could lead to a DOS on
  Image.open prior to Image.load.
* This issue dates to the PIL fork
2021-04-01 17:17:31 +03:00
Eric Soroos
ba65f0b08e Fix Memory DOS in ImageFont
* A corrupt or specially crafted TTF font could have font metrics that
  lead to unreasonably large sizes when rendering text in
  font. ImageFont.py did not check the image size before allocating
  memory for it.
* Found with oss-fuzz
* This dates from the PIL fork
2021-04-01 17:17:27 +03:00
Eric Soroos
bb6c11fb88 Fix FLI DOS -- CVE-2021-28676
* FliDecode did not properly check that the block advance was
  non-zero, potentally leading to an infinite loop on load.
* This dates to the PIL Fork
* Found with oss-fuzz
2021-04-01 17:17:23 +03:00
Eric Soroos
5a5e6db0ab Fix EPS DOS on _open -- CVE-2021-28677
* The readline used in EPS has to deal with any combination of \r and
  \n as line endings. It used an accidentally quadratic method of
  accumulating lines while looking for a line ending.
* A malicious EPS file could use this to perform a DOS of Pillow in
  the open phase, before an image was accepted for opening.
* This dates to the PIL Fork
2021-04-01 17:17:18 +03:00
Eric Soroos
3bf5eddb89 Fix OOB Read in Jpeg2KDecode CVE-2021-25287,CVE-2021-25288
* For J2k images with multiple bands, it's legal in to have different
  widths for each band, e.g. 1 byte for L, 4 bytes for A
* This dates to Pillow 2.4.0
2021-04-01 17:17:13 +03:00
Hugo van Kemenade
8ec027867f Add security release notes 2021-04-01 17:15:44 +03:00
Hugo van Kemenade
ef5f294d74
Merge pull request #5376 from radarhere/xmp 2021-04-01 15:38:11 +03:00
Andrew Murray
ae7110a85d Added release notes [ci skip] 2021-04-01 23:18:30 +11:00
Andrew Murray
e12d5042ad Adjusted docstring 2021-04-01 22:28:42 +11:00
Andrew Murray
2c8684c525 Moved getxmp() into JpegImageFile 2021-04-01 22:28:37 +11:00
Andrew Murray
43c41720e9 Update CHANGES.rst [ci skip] 2021-04-01 21:40:53 +11:00
Hugo van Kemenade
6812205f18
Merge pull request #5144 from UrielMaD/feature_xmp 2021-04-01 12:44:47 +03:00
Hugo van Kemenade
b90c73f08d
Merge pull request #5373 from wiredfool/valgrind_test_warnings
Fix pytest valgrind warnings
2021-04-01 12:17:50 +03:00
Hugo van Kemenade
cafd389770
Merge pull request #5359 from nulano/libtiff-cmake 2021-04-01 12:03:42 +03:00
Hugo van Kemenade
8c852e44f0
Merge pull request #5349 from latosha-maltba/master 2021-04-01 11:55:37 +03:00
Andrew Murray
37f9fcf93b Removed unused imports 2021-04-01 12:57:34 +11:00
Andrew Murray
682e3e2f69 Update CHANGES.rst [ci skip] 2021-04-01 11:53:33 +11:00
Andrew Murray
9afa64a36f
Merge pull request #5371 from hugovk/fix-link
Docs: Fix link in release notes
2021-04-01 11:43:32 +11:00
wiredfool
60dbc10cee
Merge pull request #5372 from wiredfool/tiff-crash-fixes
Fix recent Tiff crashes in TiffDecode.c
2021-03-31 22:53:58 +01:00
Eric Soroos
87934e22d0 Fix for crash-0da0 2021-03-31 23:24:30 +02:00
Eric Soroos
53c80281d7 fix for crash-8115 2021-03-31 22:23:57 +02:00
Eric Soroos
45530d5ce1 fixes crash-74d2 2021-03-31 22:23:57 +02:00
wiredfool
4044ecc1fb
Merge pull request #5366 from kkopachev/kk-remove-extra-check
Remove redundant check (addition to #5364)
2021-03-31 20:54:07 +01:00
Eric Soroos
22a6893364 Fix pytest valgrind warnings 2021-03-31 21:28:15 +02:00
Hugo van Kemenade
95ac35d287 Fix RST link [ci skip] 2021-03-31 21:28:29 +03:00
Hugo van Kemenade
c54a7bb031
Merge pull request #5333 from radarhere/gif_frame_transparency 2021-03-31 18:08:11 +03:00