Python Pillow 3.3.1 Overflow Obtain Information Vulnerability
17 Feb. 2017
Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer in map.c component.
Pillow prior to 3.3.2 may experience integer overflow errors in map.c when reading specially crafted image files. This may lead to memory disclosure or corruption.
Specifically, when parameters from the image are passed into Image.core.map_buffer, the size of the image was calculated with xsize``*``ysize``*``bytes_per_pixel. This will overflow if the result is larger than SIZE_MAX. This is possible on a 32-bit system.
Furthermore this size value was added to a potentially attacker provided offset value and compared to the size of the buffer without checking for overflow or negative values.
These values were then used for creating pointers, at which point Pillow could read the memory and include it in other images. The image was marked readonly, so Pillow would not ordinarily write to that memory without duplicating the image first.