3.1.1

CVE-2016-0740 – Buffer overflow in TiffDecode.c

Pillow 3.1.0 and earlier, when linked against libtiff >= 4.0.0 on x64, may overflow a buffer when reading a specially crafted TIFF file.

Specifically, libtiff >= 4.0.0 changed the return type of TIFFScanlineSize from int32 to the machine-dependent int32 or int64 type tmsize_t. If the scanline is sized so that it overflows an int32, it may be interpreted as a negative number, which will then pass the size check in TiffDecode.c line 236. To do this, the logical scanline size has to be > 2 GB; for the test file, the allocated buffer size is 64 KB against a roughly 4 GB scanline size. Any image data over 64 KB is written over the heap, causing a segfault.

This issue was found by security researcher FourOne.
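The following is an added example, not Pillow's or libtiff's code. It models the size check described above: the decoder held the TIFFScanlineSize result in an int32, so a scanline of roughly 4 GB truncates to a small or negative value and passes a "larger than the buffer?" test. The 64 KB buffer and the scanline sizes are constructed to mirror the report; scanline_check_int32 and scanline_check_safe are illustrative names, not Pillow functions.

```c
/* Added example, not Pillow's or libtiff's code. Models the size check
 * described above: the decoder held the TIFFScanlineSize result in an
 * int32, so a scanline of ~4 GB truncates to a small or negative number and
 * passes a "bigger than the buffer?" test. The 64 KB buffer and scanline
 * sizes below are constructed to mirror the report. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Pre-fix shape of the check. Returns 1 if the decoder would go on to copy
 * scanline_size bytes into a buffer of bufsize bytes. */
int scanline_check_int32(int64_t scanline_size, size_t bufsize)
{
    /* Truncation to int32: implementation-defined, wraps on gcc/clang/MSVC. */
    int32_t size = (int32_t)scanline_size;
    int32_t limit = (int32_t)bufsize;
    if (size > limit)
        return 0;           /* rejected as too large */
    return 1;               /* accepted, including negative and wrapped sizes */
}

/* Hardened shape: keep the full-width value, require it to be positive and
 * to fit the destination. */
int scanline_check_safe(int64_t scanline_size, size_t bufsize)
{
    if (scanline_size <= 0)
        return 0;
    if ((uint64_t)scanline_size > (uint64_t)bufsize)
        return 0;
    return 1;
}

int main(void)
{
    const size_t bufsize = 64 * 1024;               /* 64 KB line buffer */
    /* 1 KB (fine), 100 KB (too big, caught), ~4 GB (truncates negative),
     * exactly 4 GB (truncates to 0): constructed values. */
    const int64_t sizes[] = { 1024, 100000, 0xFFFF0000LL, 0x100000000LL };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("scanline %lld bytes: int32 check %s, safe check %s\n",
               (long long)sizes[i],
               scanline_check_int32(sizes[i], bufsize) ? "accepts" : "rejects",
               scanline_check_safe(sizes[i], bufsize) ? "accepts" : "rejects");
    }
    return 0;
}
```

The two oversized scanlines are the cases that matter: 0xFFFF0000 becomes -65536 as an int32 and exactly 4 GB becomes 0, and neither is "greater than" a 64 KB limit, so the copy proceeds. Comparing in the width libtiff actually returns, and rejecting non-positive sizes, closes both paths.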

CVE-2016-0775 – Buffer overflow in FliDecode.c

In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, FliDecode.c has a buffer overflow error.

Around line 192:

    case 16:
        /* COPY chunk */
        for (y = 0; y < state->ysize; y++) {
            UINT8* buf = (UINT8*) im->image[y];
            memcpy(buf+x, data, state->xsize);
            data += state->xsize;
        }
        break;

The memcpy has an error where x is added to the target buffer address. x is used in several internal temporary variable roles, but can take a value up to the width of the image. im->image[y] is a set of row pointers to segments of memory that are the size of the row, so a copy of xsize bytes starting x bytes into a row runs x bytes past its end. At the maximum y, this writes the contents of the line off the end of the memory buffer, causing a segfault.

This issue was found by Alyssa Besseling at Atlassian.
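The following is an added example, not Pillow's code. It lays out a toy image the way im->image[] is described above (ysize row pointers into one allocation, each row xsize bytes) and places a canary region after the last row, so the overrun from memcpy(buf + x, data, xsize) stays inside the allocation and can be counted instead of crashing. copy_chunk_unchecked reproduces the pre-fix shape; copy_chunk_checked is a bounded variant of my own, not the project's fix. XSIZE, YSIZE and the chunk payload are constructed values.

```c
/* Added example, not Pillow's code. A toy image laid out like im->image[]:
 * ysize row pointers into one allocation, each row xsize bytes, with a
 * canary region after the last row so the overrun stays inside the
 * allocation and can be counted. copy_chunk_unchecked reproduces the
 * memcpy(buf + x, data, xsize) shape; copy_chunk_checked bounds x first.
 * XSIZE, YSIZE and the chunk payload are constructed values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XSIZE  16
#define YSIZE  4
#define PAD    XSIZE          /* canary bytes after the last row */
#define CANARY 0xAA

typedef struct {
    int xsize, ysize;
    uint8_t *image[YSIZE];                 /* row pointers */
    uint8_t storage[YSIZE * XSIZE + PAD];  /* rows, then the canary */
} ToyImage;

static void toy_image_init(ToyImage *im)
{
    im->xsize = XSIZE;
    im->ysize = YSIZE;
    memset(im->storage, 0, sizeof im->storage);
    memset(im->storage + YSIZE * XSIZE, CANARY, PAD);
    for (int y = 0; y < YSIZE; y++)
        im->image[y] = im->storage + y * XSIZE;
}

/* Number of canary bytes overwritten, i.e. bytes written past the last row. */
static int canary_damage(const ToyImage *im)
{
    int n = 0;
    for (int i = 0; i < PAD; i++)
        if (im->storage[YSIZE * XSIZE + i] != CANARY)
            n++;
    return n;
}

/* Constructed COPY-chunk payload: ysize rows of xsize bytes. */
static void make_chunk(uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        data[i] = (uint8_t)(0x10 + i);
}

/* Pre-fix shape: x is added to each row start and nothing bounds it, so
 * every row's copy ends x bytes into the following row (or the canary). */
static void copy_chunk_unchecked(ToyImage *im, int x, const uint8_t *data)
{
    for (int y = 0; y < im->ysize; y++) {
        uint8_t *buf = im->image[y];
        memcpy(buf + x, data, (size_t)im->xsize);
        data += im->xsize;
    }
}

/* Checked shape: a copy of rowlen bytes at offset x fits only if
 * x + rowlen <= xsize. Reject before touching memory. */
static int copy_chunk_checked(ToyImage *im, int x, const uint8_t *data, int rowlen)
{
    if (x < 0 || rowlen < 0 || x > im->xsize - rowlen)
        return -1;                          /* would write past the row end */
    for (int y = 0; y < im->ysize; y++) {
        memcpy(im->image[y] + x, data, (size_t)rowlen);
        data += rowlen;
    }
    return 0;
}

/* Runs the unchecked copy; returns bytes written past the last row. x is
 * clamped to [0, XSIZE] so the overrun lands in the canary, not outside it. */
int overrun_unchecked(int x)
{
    ToyImage im;
    uint8_t chunk[YSIZE * XSIZE];
    if (x < 0) x = 0;
    if (x > XSIZE) x = XSIZE;
    toy_image_init(&im);
    make_chunk(chunk, sizeof chunk);
    copy_chunk_unchecked(&im, x, chunk);
    return canary_damage(&im);
}

static int run_checked(int x, int *rc)
{
    ToyImage im;
    uint8_t chunk[YSIZE * XSIZE];
    toy_image_init(&im);
    make_chunk(chunk, sizeof chunk);
    *rc = copy_chunk_checked(&im, x, chunk, XSIZE);
    return canary_damage(&im);
}

/* Checked copy: return code (-1 = rejected) and overrun, as two entry points. */
int checked_copy_rc(int x)  { int rc; run_checked(x, &rc); return rc; }
int overrun_checked(int x)  { int rc; return run_checked(x, &rc); }

int main(void)
{
    for (int x = 0; x <= 5; x++)
        printf("x=%d: unchecked overruns %d bytes, checked rc=%d overruns %d\n",
               x, overrun_unchecked(x), checked_copy_rc(x), overrun_checked(x));
    return 0;
}
```

With a COPY chunk the row length equals xsize, so the only offset that fits is x = 0; any other value is exactly the situation the report describes, and the canary count equals x because the last row's copy runs x bytes past the end of the pixel storage.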

CVE-2016-2533 – Buffer overflow in PcdDecode.c

In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, PcdDecode.c has a buffer overflow error.

The state.buffer for PcdDecode.c is allocated based on 3 bytes per pixel, whereas PcdDecode.c wrote into the buffer assuming 4 bytes per pixel. This writes 768 bytes beyond the end of the buffer into other Python object storage. In some cases this causes a segfault, in others an internal Python malloc error.

Integer overflow in Resample.c

If a large value was passed as the new size for an image, it is possible to overflow the int32 value passed into malloc.

    kk = malloc(xsize * kmax * sizeof(float));

    xbounds = malloc(xsize * 2 * sizeof(int));

xsize is user-supplied input that is used without a range check. These multiplications can overflow, leading the malloc'd buffer to be undersized. These allocations are followed by a loop that writes out of bounds. This can lead to corruption of the Python process heap with attacker-controlled float data.

This issue was found by Ned Williamson.
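The following is an added example, not Pillow's code. It reproduces the arithmetic behind malloc(xsize * kmax * sizeof(float)): xsize * kmax is an int-by-int product, so on x64 it is evaluated in 32 bits before sizeof() widens it to size_t. alloc_size_wrapping models that in uint32_t (so the wrap is well-defined in the demonstration rather than undefined signed overflow); alloc_size_checked is my own overflow-checked variant, not the project's fix. The function names and the sample sizes are constructed for illustration.

```c
/* Added example, not Pillow's code. Reproduces the arithmetic behind
 * malloc(xsize * kmax * sizeof(float)): xsize * kmax is an int-by-int
 * product, so it is evaluated in 32 bits before sizeof() widens it.
 * alloc_size_wrapping models that in uint32_t (so the wrap is well-defined
 * here); alloc_size_checked refuses any product that does not fit in
 * size_t. The sample sizes are constructed values. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Pre-fix shape: a 32-bit product, widened only afterwards. */
size_t alloc_size_wrapping(int xsize, int kmax, size_t elem)
{
    uint32_t prod = (uint32_t)xsize * (uint32_t)kmax;   /* wraps mod 2^32 */
    return (size_t)prod * elem;
}

/* Checked shape: every multiply is tested against SIZE_MAX first.
 * Returns 1 and stores the byte count on success, 0 on overflow or bad input. */
int alloc_size_checked(int xsize, int kmax, size_t elem, size_t *out)
{
    if (xsize <= 0 || kmax <= 0 || elem == 0)
        return 0;
    size_t x = (size_t)xsize, k = (size_t)kmax;
    if (x > SIZE_MAX / k)
        return 0;
    size_t n = x * k;
    if (n > SIZE_MAX / elem)
        return 0;
    *out = n * elem;
    return 1;
}

/* Convenience: the checked byte count, or 0 when the check refuses. */
size_t alloc_size_or_zero(int xsize, int kmax, size_t elem)
{
    size_t bytes = 0;
    return alloc_size_checked(xsize, kmax, elem, &bytes) ? bytes : 0;
}

/* Allocate the coefficient table only when the size is sound; NULL otherwise. */
float *alloc_kk(int xsize, int kmax)
{
    size_t bytes;
    if (!alloc_size_checked(xsize, kmax, sizeof(float), &bytes))
        return NULL;
    return malloc(bytes);
}

/* Fills kk the way a resample loop would (xsize * kmax floats) and reports
 * how many floats were written, or -1 if the allocation was refused. */
int64_t fill_kk(int xsize, int kmax)
{
    float *kk = alloc_kk(xsize, kmax);
    if (!kk)
        return -1;
    int64_t n = (int64_t)xsize * kmax;
    for (int64_t i = 0; i < n; i++)
        kk[i] = (float)i;               /* stays inside the checked allocation */
    free(kk);
    return n;
}

int main(void)
{
    /* 2^20 * 4097 = 2^32 + 2^20: wraps to 2^20 in 32 bits. */
    int xsize = 1 << 20, kmax = 4097;
    printf("wrapping size: %zu bytes\n", alloc_size_wrapping(xsize, kmax, sizeof(float)));
    printf("checked size:  %zu bytes\n", alloc_size_or_zero(xsize, kmax, sizeof(float)));
    printf("small table:   %lld floats written\n", (long long)fill_kk(4, 3));
    return 0;
}
```

For xsize = 2^20 and kmax = 4097 the wrapped product asks malloc for 4 MB while the fill loop writes 16 GB of floats; the checked version returns the true size, so malloc either succeeds with enough room or fails cleanly. Note that the real expression is a signed int product, which is undefined behaviour on overflow; the uint32_t model only shows the wrap that compilers produce in practice.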