Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix TIFF OOB Write error #5175

Merged
merged 2 commits into from Jan 2, 2021
Merged

Fix TIFF OOB Write error #5175

merged 2 commits into from Jan 2, 2021

Conversation

radarhere
Copy link
Member

CVE-2020-35654 - OOB Write in TiffDecode.c when reading corrupt YCbCr files in some LibTiff versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). In some cases libtiff's interpretation of the file is different when reading in RGBA mode, leading to an Out of bounds write in TiffDecode.c. This potentially affects Pillow versions from 6.0.0 to 8.0.1, depending on the version of LibTiff. This was reported through Tidelift.

* In some circumstances with some versions of libtiff (4.1.0+), there
  could be a 4 byte out of bound write when decoding a YCbCr tiff.
* The Pillow code dates to 6.0.0
* Found and reported through Tidelift
* Don't malloc for the swap line, just shuffle backwards
* Ensure that im->pixelsize is sanity checked
* Ensure that we're using the right size for the buffer from TiffReadRGBATile
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants