FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-imaging, py-pillow -- Buffer overflow in PCD decoder

Affected packages
py27-pillow < 2.9.0_1
py33-pillow < 2.9.0_1
py34-pillow < 2.9.0_1
py35-pillow < 2.9.0_1
py27-imaging < 1.1.7_6

Details

VuXML ID a8de962a-cf15-11e5-805c-5453ed2e2b49
Discovery 2016-02-02
Entry 2016-02-09

The Pillow maintainers report:

In all versions of Pillow, dating back at least to the last PIL 1.1.7 release, PcdDecode.c has a buffer overflow error.

The state.buffer for PcdDecode.c is allocated based on a 3 bytes per pixel sizing, where PcdDecode.c wrote into the buffer assuming 4 bytes per pixel. This writes 768 bytes beyond the end of the buffer into other Python object storage. In some cases, this causes a segfault, in others an internal Python malloc error.

References

Message http://openwall.com/lists/oss-security/2016/02/02/5
URL https://github.com/python-pillow/Pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4
URL https://github.com/python-pillow/Pillow/issues/568