3.3.2
=====

Integer overflow in Map.c
-------------------------

Pillow prior to 3.3.2 may experience integer overflow errors in map.c
when reading specially crafted image files. This may lead to memory
disclosure or corruption.

Specifically, when parameters from the image are passed into
``Image.core.map_buffer``, the size of the image was calculated with
``xsize`` * ``ysize`` * ``bytes_per_pixel``. This will overflow if the
result is larger than SIZE_MAX. This is possible on a 32-bit system.

Furthermore this ``size`` value was added to a potentially attacker
provided ``offset`` value and compared to the size of the buffer
without checking for overflow or negative values.

These values were then used for creating pointers, at which point
Pillow could read the memory and include it in other images. The image
was marked readonly, so Pillow would not ordinarily write to that
memory without duplicating the image first.

This issue was found by Cris Neckar at Divergent Security.

Sign Extension in Storage.c
---------------------------

Pillow prior to 3.3.2 and PIL 1.1.7 (at least) do not check for
negative image sizes in ``ImagingNew`` in ``Storage.c``. A negative
image size can lead to a smaller allocation than expected, leading to
arbitrary writes.

This issue was found by Cris Neckar at Divergent Security.