FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-pillow -- Buffer overflow in TIFF decoding code

Affected packages
py27-pillow < 2.9.0_1
py33-pillow < 2.9.0_1
py34-pillow < 2.9.0_1
py35-pillow < 2.9.0_1

Details

VuXML ID 53252879-cf11-11e5-805c-5453ed2e2b49
Discovery 2016-02-04
Entry 2016-02-09

The Pillow maintainers report:

Pillow 3.1.0 and earlier, when linked against libtiff >= 4.0.0 on x64, may overflow a buffer when reading a specially crafted TIFF file.

Specifically, libtiff >= 4.0.0 changed the return type of TIFFScanlineSize from int32 to a machine-dependent int32|64. If the scanline is sized so that it overflows an int32, it may be interpreted as a negative number, which will then pass the size check in TiffDecode.c line 236. To do this, the logical scanline size has to be > 2 GB, and for the test file, the allocated buffer size is 64 KB against a roughly 4 GB scanline size. Any image data over 64 KB is written over the heap, causing a segfault.

This issue was found by security researcher FourOne.
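The truncation the report describes, as an added illustration that is not Pillow's or libtiff's code: a stand-in for the scanline size check in which the wide return value is narrowed to int32 (so an oversized scanline reads as negative and passes), beside a width-preserving check that rejects it. The type aliases, function names and the constructed sample sizes (a 64 KB buffer against a scanline just under 4 GB) are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed stand-ins for the libtiff return types involved (not the real headers):
   TIFFScanlineSize returned a 32-bit tsize_t before libtiff 4.0.0 and a
   machine-dependent tmsize_t (64-bit on x64) from 4.0.0 onwards. */
typedef int32_t tsize_t_old;
typedef int64_t tmsize_t;

/* Check written for the old 32-bit type: the 64-bit scanline size is narrowed
   to int32 before the comparison. A value above INT32_MAX wraps to a negative
   number (gcc/clang modulo behaviour for the narrowing), which is "smaller"
   than any buffer, so the check reports that the scanline fits. */
bool scanline_fits_truncated(tmsize_t scanline_size, size_t buffer_size)
{
    tsize_t_old size = (tsize_t_old)(uint32_t)scanline_size; /* narrowing */
    if (size > (tsize_t_old)buffer_size) {
        return false;  /* only reached for sizes that stay positive */
    }
    return true;       /* a ~4 GB scanline vs. a 64 KB buffer lands here */
}

/* Hardened check: keep the full-width value, treat a zero or negative result
   as an error, and compare as an unsigned quantity against the allocation. */
bool scanline_fits_checked(tmsize_t scanline_size, size_t buffer_size)
{
    if (scanline_size <= 0) {
        return false;  /* libtiff-style error result, never a usable size */
    }
    if ((uint64_t)scanline_size > (uint64_t)buffer_size) {
        return false;  /* would write past the end of the buffer */
    }
    return true;
}
```

Constructed sizes such as 0xFFFF0000 bytes (4294901760, just under 4 GB) narrow to -65536 and so pass the truncated check against a 65536-byte buffer, while the width-preserving check rejects them.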

References

CVE Name CVE-2016-0740
URL https://github.com/python-pillow/Pillow/commit/6dcbf5bd96b717c58d7b642949da8d323099928e