<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>3.1.1 — Pillow (PIL Fork) 5.4.1 documentation</title>
<script type="text/javascript" src="../_static/js/modernizr.min.js"></script>
<script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<script type="text/javascript" src="../_static/language_data.js"></script>
<script type="text/javascript" src="../_static/js/script.js"></script>
<script type="text/javascript" src="../_static/js/theme.js"></script>
<link rel="stylesheet" href="../_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="3.1.0" href="3.1.0.html" />
<link rel="prev" title="3.1.2" href="3.1.2.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="../index.html" class="icon icon-home"> Pillow (PIL Fork)
</a>
<div class="version">
5.4.1
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../installation.html">Installation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../handbook/index.html">Handbook</a></li>
<li class="toctree-l1"><a class="reference internal" href="../reference/index.html">Reference</a></li>
<li class="toctree-l1"><a class="reference internal" href="../porting.html">Porting</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">About</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Release Notes</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="5.4.1.html">5.4.1</a></li>
<li class="toctree-l2"><a class="reference internal" href="5.4.0.html">5.4.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="5.3.0.html">5.3.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="5.2.0.html">5.2.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="5.1.0.html">5.1.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="5.0.0.html">5.0.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="4.3.0.html">4.3.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="4.2.1.html">4.2.1</a></li>
<li class="toctree-l2"><a class="reference internal" href="4.2.0.html">4.2.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="4.1.1.html">4.1.1</a></li>
<li class="toctree-l2"><a class="reference internal" href="4.1.0.html">4.1.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="4.0.0.html">4.0.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="3.4.0.html">3.4.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="3.3.2.html">3.3.2</a></li>
<li class="toctree-l2"><a class="reference internal" href="3.3.0.html">3.3.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="3.2.0.html">3.2.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="3.1.2.html">3.1.2</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">3.1.1</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#cve-2016-0740-buffer-overflow-in-tiffdecode-c">CVE-2016-0740 – Buffer overflow in TiffDecode.c</a></li>
<li class="toctree-l3"><a class="reference internal" href="#cve-2016-0775-buffer-overflow-in-flidecode-c">CVE-2016-0775 – Buffer overflow in FliDecode.c</a></li>
<li class="toctree-l3"><a class="reference internal" href="#cve-2016-2533-buffer-overflow-in-pcddecode-c">CVE-2016-2533 – Buffer overflow in PcdDecode.c</a></li>
<li class="toctree-l3"><a class="reference internal" href="#integer-overflow-in-resample-c">Integer overflow in Resample.c</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="3.1.0.html">3.1.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="3.0.0.html">3.0.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="2.8.0.html">2.8.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="2.7.0.html">2.7.0</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../deprecations.html">Deprecations and removals</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<nav class="wy-nav-top" aria-label="top navigation">
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../index.html">Pillow (PIL Fork)</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="breadcrumbs navigation">
<ul class="wy-breadcrumbs">
<li><a href="../index.html">Docs</a> »</li>
<li><a href="index.html">Release Notes</a> »</li>
<li>3.1.1</li>
<li class="wy-breadcrumbs-aside">
<a href="../_sources/releasenotes/3.1.1.rst.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<div class="section" id="id1">
<h1>3.1.1<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h1>
<div class="section" id="cve-2016-0740-buffer-overflow-in-tiffdecode-c">
<h2>CVE-2016-0740 – Buffer overflow in TiffDecode.c<a class="headerlink" href="#cve-2016-0740-buffer-overflow-in-tiffdecode-c" title="Permalink to this headline">¶</a></h2>
<p>Pillow 3.1.0 and earlier when linked against libtiff >= 4.0.0 on x64
may overflow a buffer when reading a specially crafted tiff file.</p>
<p>Specifically, libtiff >= 4.0.0 changed the return type of
<code class="docutils literal notranslate"><span class="pre">TIFFScanlineSize</span></code> from <code class="docutils literal notranslate"><span class="pre">int32</span></code> to machine dependent
<code class="docutils literal notranslate"><span class="pre">int32|64</span></code>. If the scanline is sized so that it overflows an
<code class="docutils literal notranslate"><span class="pre">int32</span></code>, it may be interpreted as a negative number, which will then
pass the size check in <code class="docutils literal notranslate"><span class="pre">TiffDecode.c</span></code> line 236. To do this, the
logical scanline size has to be > 2gb, and for the test file, the
allocated buffer size is 64k against a roughly 4gb scan line size. Any
image data over 64k is written over the heap, causing a segfault.</p>
<p>This issue was found by security researcher FourOne.</p>
</div>
<div class="section" id="cve-2016-0775-buffer-overflow-in-flidecode-c">
<h2>CVE-2016-0775 – Buffer overflow in FliDecode.c<a class="headerlink" href="#cve-2016-0775-buffer-overflow-in-flidecode-c" title="Permalink to this headline">¶</a></h2>
<p>In all versions of Pillow, dating back at least to the last PIL 1.1.7
release, FliDecode.c has a buffer overflow error.</p>
<p>Around line 192:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">case</span> <span class="mi">16</span><span class="p">:</span>
<span class="o">/*</span> <span class="n">COPY</span> <span class="n">chunk</span> <span class="o">*/</span>
<span class="k">for</span> <span class="p">(</span><span class="n">y</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">y</span> <span class="o"><</span> <span class="n">state</span><span class="o">-></span><span class="n">ysize</span><span class="p">;</span> <span class="n">y</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
<span class="n">UINT8</span><span class="o">*</span> <span class="n">buf</span> <span class="o">=</span> <span class="p">(</span><span class="n">UINT8</span><span class="o">*</span><span class="p">)</span> <span class="n">im</span><span class="o">-></span><span class="n">image</span><span class="p">[</span><span class="n">y</span><span class="p">];</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">buf</span><span class="o">+</span><span class="n">x</span><span class="p">,</span> <span class="n">data</span><span class="p">,</span> <span class="n">state</span><span class="o">-></span><span class="n">xsize</span><span class="p">);</span>
<span class="n">data</span> <span class="o">+=</span> <span class="n">state</span><span class="o">-></span><span class="n">xsize</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">break</span><span class="p">;</span>
</pre></div>
</div>
<p>The memcpy has error where <code class="docutils literal notranslate"><span class="pre">x</span></code> is added to the target buffer
address. <code class="docutils literal notranslate"><span class="pre">X</span></code> is used in several internal temporary variable roles,
but can take a value up to the width of the image. <code class="docutils literal notranslate"><span class="pre">Im->image[y]</span></code>
is a set of row pointers to segments of memory that are the size of
the row. At the max <code class="docutils literal notranslate"><span class="pre">y</span></code>, this will write the contents of the line
off the end of the memory buffer, causing a segfault.</p>
<p>This issue was found by Alyssa Besseling at Atlassian</p>
</div>
<div class="section" id="cve-2016-2533-buffer-overflow-in-pcddecode-c">
<h2>CVE-2016-2533 – Buffer overflow in PcdDecode.c<a class="headerlink" href="#cve-2016-2533-buffer-overflow-in-pcddecode-c" title="Permalink to this headline">¶</a></h2>
<p>In all versions of Pillow, dating back at least to the last PIL 1.1.7
release, <code class="docutils literal notranslate"><span class="pre">PcdDecode.c</span></code> has a buffer overflow error.</p>
<p>The <code class="docutils literal notranslate"><span class="pre">state.buffer</span></code> for <code class="docutils literal notranslate"><span class="pre">PcdDecode.c</span></code> is allocated based on a 3
bytes per pixel sizing, where <code class="docutils literal notranslate"><span class="pre">PcdDecode.c</span></code> wrote into the buffer
assuming 4 bytes per pixel. This writes 768 bytes beyond the end of
the buffer into other Python object storage. In some cases, this
causes a segfault, in others an internal Python malloc error.</p>
</div>
<div class="section" id="integer-overflow-in-resample-c">
<h2>Integer overflow in Resample.c<a class="headerlink" href="#integer-overflow-in-resample-c" title="Permalink to this headline">¶</a></h2>
<p>If a large value was passed into the new size for an image, it is
possible to overflow an int32 value passed into malloc.</p>
<blockquote>
<div>kk = malloc(xsize * kmax * sizeof(float));
…
xbounds = malloc(xsize * 2 * sizeof(int));</div></blockquote>
<p><code class="docutils literal notranslate"><span class="pre">xsize</span></code> is trusted user input. These multiplications can overflow,
leading the malloc’d buffer to be undersized. These allocations are
followed by a loop that writes out of bounds. This can lead to
corruption on the heap of the Python process with attacker controlled
float data.</p>
<p>This issue was found by Ned Williamson.</p>
</div>
</div>
</div>
</div>
<footer>
<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
<a href="3.1.0.html" class="btn btn-neutral float-right" title="3.1.0" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right"></span></a>
<a href="3.1.2.html" class="btn btn-neutral float-left" title="3.1.2" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a>
</div>
<hr/>
<div role="contentinfo">
<p>
© Copyright 1995-2011 Fredrik Lundh, 2010-2018 Alex Clark and Contributors
</p>
</div>
Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script type="text/javascript">
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>
