Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix TIFF OOB Write error #5175

merged 2 commits into from Jan 2, 2021

Fix TIFF OOB Write error #5175

merged 2 commits into from Jan 2, 2021


Copy link

@radarhere radarhere commented Jan 2, 2021

CVE-2020-35654 - OOB Write in TiffDecode.c when reading corrupt YCbCr files in some LibTiff versions (4.1.0/Ubuntu 20.04, but not 4.0.9/Ubuntu 18.04). In some cases libtiff's interpretation of the file is different when reading in RGBA mode, leading to an Out of bounds write in TiffDecode.c. This potentially affects Pillow versions from 6.0.0 to 8.0.1, depending on the version of LibTiff. This was reported through Tidelift.

wiredfool added 2 commits Jan 2, 2021
* In some circumstances with some versions of libtiff (4.1.0+), there
  could be a 4 byte out of bound write when decoding a YCbCr tiff.
* The Pillow code dates to 6.0.0
* Found and reported through Tidelift
* Don't malloc for the swap line, just shuffle backwards
* Ensure that im->pixelsize is sanity checked
* Ensure that we're using the right size for the buffer from TiffReadRGBATile
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

Successfully merging this pull request may close these issues.

None yet

2 participants