3.3.2
Integer overflow in Map.c
Pillow prior to 3.3.2 may experience integer overflow errors in map.c when reading specially crafted image files. This may lead to memory disclosure or corruption.
Specifically, when parameters from the image are passed into Image.core.map_buffer, the size of the image was calculated with xsize * ysize * bytes_per_pixel. This will overflow if the result is larger than SIZE_MAX. This is possible on a 32-bit system.
Furthermore, this size value was added to a potentially attacker-provided offset value and compared to the size of the buffer without checking for overflow or negative values.
These values were then used for creating pointers, at which point Pillow could read the memory and include it in other images. The image was marked readonly, so Pillow would not ordinarily write to that memory without duplicating the image first.
This issue was found by Cris Neckar at Divergent Security.
Sign Extension in Storage.c
Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for negative image sizes in ImagingNew in Storage.c. A negative image size can lead to a smaller allocation than expected, leading to arbitrary writes.
This issue was found by Cris Neckar at Divergent Security.
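The following is an added example, not Pillow's code, that models both checks described above (the map.c size and offset arithmetic and the Storage.c negative-size check) using a 32-bit size type so the wrap-around the advisory describes is reproducible on a 64-bit host. The function names, the size32_t type and the buffer sizes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not Pillow's code). size32_t stands in for size_t on a
 * 32-bit build so that SIZE_MAX-style wrap-around is deterministic here. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Vulnerable shape: xsize*ysize*bytes_per_pixel may wrap, the offset is
 * added without an overflow check, and a negative offset is not rejected. */
int unsafe_fits(int xsize, int ysize, int bpp, int offset, size32_t buflen)
{
    size32_t size = (size32_t)xsize * (size32_t)ysize * (size32_t)bpp;
    size32_t end = (size32_t)offset + size;      /* both the cast and the add can wrap */
    return end <= buflen;
}

/* Hardened shape: reject non-positive dimensions (the Storage.c sign issue)
 * and negative offsets, then multiply and add with explicit overflow checks
 * before comparing the end of the pixel data against the buffer length. */
int safe_fits(int xsize, int ysize, int bpp, int offset, size32_t buflen, size32_t *end_out)
{
    if (xsize <= 0 || ysize <= 0 || bpp <= 0 || offset < 0)
        return 0;
    size32_t x = (size32_t)xsize, y = (size32_t)ysize, b = (size32_t)bpp;
    if (x > SIZE32_MAX / y) return 0;                   /* x*y would overflow */
    size32_t pixels = x * y;
    if (pixels > SIZE32_MAX / b) return 0;              /* pixels*b would overflow */
    size32_t size = pixels * b;
    if (size > SIZE32_MAX - (size32_t)offset) return 0; /* offset+size would overflow */
    size32_t end = (size32_t)offset + size;
    if (end > buflen) return 0;
    if (end_out) *end_out = end;
    return 1;
}

int main(void)
{
    size32_t buf = 1u << 20;   /* constructed: a 1 MiB mapped buffer */
    /* 65536 x 65536 x 4 = 2^34 bytes, which wraps to 0 in 32 bits */
    printf("overflowing size: unsafe=%d safe=%d\n",
           unsafe_fits(65536, 65536, 4, 0, buf), safe_fits(65536, 65536, 4, 0, buf, NULL));
    /* negative offset: (size32_t)-16 + 16 wraps to 0 and passes the compare */
    printf("negative offset:  unsafe=%d safe=%d\n",
           unsafe_fits(4, 4, 1, -16, buf), safe_fits(4, 4, 1, -16, buf, NULL));
    return 0;
}
```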