FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-pillow -- Integer overflow in Resample.c

Affected packages
py27-pillow < 2.9.0_1
py33-pillow < 2.9.0_1
py34-pillow < 2.9.0_1
py35-pillow < 2.9.0_1

Details

VuXML ID 0519db18-cf15-11e5-805c-5453ed2e2b49
Discovery 2016-02-05
Entry 2016-02-09

The Pillow maintainers report:

If a large value was passed into the new size for an image, it is possible to overflow an int32 value passed into malloc, leading the malloc’d buffer to be undersized. These allocations are followed by a loop that writes out of bounds. This can lead to corruption on the heap of the Python process with attacker-controlled float data.

This issue was found by Ned Williamson.
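The defect class described above is a buffer size computed in a fixed-width integer that wraps before it reaches malloc, so the allocation succeeds but is smaller than the loop that fills it assumes. The C example below is added here as an illustration and is not Pillow's code or the content of the referenced commit; the function names, the int-sized allocation path and the width/height/float layout are assumptions chosen to mirror the advisory's wording. It models the wrapped product with explicit uint32 arithmetic (so the example itself has no undefined behaviour) and places a checked size computation beside it that refuses the request instead of allocating an undersized buffer.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Models the unchecked arithmetic the advisory describes: the byte count
 * for a width x height float image is formed in 32 bits and wraps.
 * Done in uint32_t so the wrap is well defined; the result is only
 * returned for inspection, nothing is allocated from it.
 * (Assumed layout: one float per pixel.) */
int32_t unchecked_int32_size(int32_t width, int32_t height)
{
    uint32_t prod = (uint32_t)width * (uint32_t)height * (uint32_t)sizeof(float);
    return (int32_t)prod;
}

/* Checked variant (hypothetical helper, not Pillow's API): computes the
 * same byte count but refuses any request that would not fit in an int,
 * which is the width this example assumes the allocation path uses.
 * Returns 1 and stores the size on success, 0 on refusal. */
int checked_image_bytes(int32_t width, int32_t height, int *out_bytes)
{
    if (width <= 0 || height <= 0 || out_bytes == NULL)
        return 0;
    /* width * height must fit before we multiply */
    if (height > INT_MAX / width)
        return 0;
    int pixels = width * height;
    /* pixels * sizeof(float) must fit as well */
    if (pixels > INT_MAX / (int)sizeof(float))
        return 0;
    *out_bytes = pixels * (int)sizeof(float);
    return 1;
}

/* Allocation that only proceeds when the size check passes; the caller
 * gets NULL for an oversized image instead of an undersized buffer. */
float *alloc_image(int32_t width, int32_t height)
{
    int bytes;
    if (!checked_image_bytes(width, height, &bytes))
        return NULL;
    return (float *)malloc((size_t)bytes);
}

int main(void)
{
    /* 65536 x 65536 floats is 2^34 bytes: the 32-bit product wraps to 0,
     * so an unchecked path would ask malloc for nothing. */
    printf("unchecked 65536x65536 -> %d bytes\n", unchecked_int32_size(65536, 65536));

    int bytes = -1;
    printf("checked   65536x65536 -> accepted=%d\n", checked_image_bytes(65536, 65536, &bytes));
    printf("checked   100x100     -> accepted=%d, bytes=%d\n",
           checked_image_bytes(100, 100, &bytes), bytes);

    float *img = alloc_image(100, 100);
    printf("alloc_image(100,100) %s\n", img ? "succeeded" : "failed");
    free(img);
    return 0;
}
```

The two divisions in `checked_image_bytes` are the whole point: each multiplication is guarded by a comparison against `INT_MAX` divided by the other factor, so the product is never formed when it cannot be represented. On a 64-bit build the same reasoning applies if the allocation path uses `size_t`; the bound simply becomes `SIZE_MAX` and the checks stay in the same order.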

References

URL https://github.com/python-pillow/Pillow/commit/41fae6d9e2da741d2c5464775c7f1a609ea03798
URL https://github.com/python-pillow/Pillow/issues/1710