mirror of
https://github.com/python-pillow/Pillow.git
synced 2025-11-01 00:17:27 +03:00
39 lines
1.3 KiB
ReStructuredText
39 lines
1.3 KiB
ReStructuredText
3.3.2
|
|
-----
|
|
|
|
Security
|
|
========
|
|
|
|
Integer overflow in map.c
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
|
|
Pillow prior to 3.3.2 may experience integer overflow errors in map.c
|
|
when reading specially crafted image files. This may lead to memory
|
|
disclosure or corruption.
|
|
|
|
Specifically, when parameters from the image are passed into
|
|
``Image.core.map_buffer``, the size of the image was calculated with
|
|
``xsize`` * ``ysize`` * ``bytes_per_pixel``. This will overflow if the
|
|
result is larger than SIZE_MAX. This is possible on a 32-bit system.
|
|
|
|
Furthermore this ``size`` value was added to a potentially attacker
|
|
provided ``offset`` value and compared to the size of the buffer
|
|
without checking for overflow or negative values.
|
|
|
|
These values were then used for creating pointers, at which point
|
|
Pillow could read the memory and include it in other images. The image
|
|
was marked readonly, so Pillow would not ordinarily write to that
|
|
memory without duplicating the image first.
|
|
|
|
This issue was found by Cris Neckar at Divergent Security.
|
|
|
|
Sign extension in Storage.c
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
|
|
Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for
|
|
negative image sizes in ``ImagingNew`` in ``Storage.c``. A negative
|
|
image size can lead to a smaller allocation than expected, leading to
|
|
arbitrary writes.
|
|
|
|
This issue was found by Cris Neckar at Divergent Security.
|