Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix for Buffer Read Overrun in PCX Decoding #5174

Merged
merged 2 commits into from Jan 2, 2021

Conversation

radarhere
Copy link
Member

@radarhere radarhere commented Jan 2, 2021

CVE-2020-35653 - Buffer Read Overrun in PCX Decoding. The PCX Image decoder used the reported image stride to calculate the row buffer, rather than calculating it from the image size. This issue dates back to the PIL fork. Thanks to Google's OSS-Fuzz project for finding this.

wiredfool and others added 2 commits Jan 2, 2021
* Don't trust the image to specify a buffer size
@radarhere radarhere merged commit 0117694 into python-pillow:master Jan 2, 2021
50 checks passed
@radarhere radarhere deleted the pcx branch Jan 2, 2021
@radarhere radarhere changed the title Fix for Read Overflow in PCX Decoding Fix for Buffer Read Overrun in PCX Decoding Jan 2, 2021
earthgecko added a commit to earthgecko/skyline that referenced this pull request Jan 15, 2021
IssueID #3940: SNYK-PYTHON-PILLOW-1055461 and SNYK-PYTHON-PILLOW-1055462

- Added Pillow==8.1.0 as matplotlib@3.3.3 introduced pillow@8.0.1 and Pillow is
  now fixed at 8.1.0 as per:
  https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1055461
  https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1055462
  python-pillow/Pillow#5174 which fixes CVE-2020-35653
  and CVE-2020-35655

Modified:
dev-requirements.txt
requirements.txt
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants