mirror of
				https://github.com/python-pillow/Pillow.git
				synced 2025-10-25 13:11:24 +03:00 
			
		
		
		
	
		
			
				
	
	
		
			39 lines
		
	
	
		
			1.3 KiB
		
	
	
	
		
			ReStructuredText
		
	
	
	
	
	
			
		
		
	
	
			39 lines
		
	
	
		
			1.3 KiB
		
	
	
	
		
			ReStructuredText
		
	
	
	
	
	
| 3.3.2
 | |
| -----
 | |
| 
 | |
| Security
 | |
| ========
 | |
| 
 | |
| Integer overflow in map.c
 | |
| ^^^^^^^^^^^^^^^^^^^^^^^^^
 | |
| 
 | |
| Pillow prior to 3.3.2 may experience integer overflow errors in map.c
 | |
| when reading specially crafted image files. This may lead to memory
 | |
| disclosure or corruption.
 | |
| 
 | |
| Specifically, when parameters from the image are passed into
 | |
| ``Image.core.map_buffer``, the size of the image was calculated with
 | |
| ``xsize`` * ``ysize`` * ``bytes_per_pixel``. This will overflow if the
 | |
| result is larger than SIZE_MAX. This is possible on a 32-bit system.
 | |
| 
 | |
| Furthermore this ``size`` value was added to a potentially attacker
 | |
| provided ``offset`` value and compared to the size of the buffer
 | |
| without checking for overflow or negative values.
 | |
| 
 | |
| These values were then used for creating pointers, at which point
 | |
| Pillow could read the memory and include it in other images. The image
 | |
| was marked readonly, so Pillow would not ordinarily write to that
 | |
| memory without duplicating the image first.
 | |
| 
 | |
| This issue was found by Cris Neckar at Divergent Security.
 | |
| 
 | |
| Sign extension in Storage.c
 | |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 | |
| 
 | |
| Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for
 | |
| negative image sizes in ``ImagingNew`` in ``Storage.c``. A negative
 | |
| image size can lead to a smaller allocation than expected, leading to
 | |
| arbitrary writes.
 | |
| 
 | |
| This issue was found by Cris Neckar at Divergent Security.
 |