Pillow Security Bulletin: Fixes for Decompression Bomb, OOB, Infinite Loop, and Integer Overflow

Vulnerability Overview 1. FITS Decompression Bomb Vulnerability - Description: When decompressing GZIP data, Pillow does not limit the amount of data read, leading to the risk of a GZIP decompression bomb. - Fix: Limit the amount of data read to only necessary data. 2. OOB Write Vulnerability with Invalid File Extension - Description: Pillow 12.1.1 added improved checks for crafted PSD images to prevent OOB writes. Previous versions (>= 10.3.0) did not account for integer overflow. - Fix: Add improved checks to prevent OOB writes. 3. Infinite Loop Vulnerability in PDF Parsing - Description: When parsing PDFs, if there are circular references or more complex loops, it can result in an infinite loop. - Fix: Record processed trailers to prevent infinite loops. 4. Integer Overflow Vulnerability in Font Handling - Description: When a font contains a large number of characters, tracking the current position may lead to integer overflow. - Fix: Fix the integer overflow issue. 5. Heap Buffer Overflow Vulnerability from Nested List Coordinates - Description: Passing nested lists as coordinates to APIs that accept coordinates (such as , , and ) may cause a heap buffer overflow. - Fix: Validate that the coordinate list contains exactly two numeric values. Impact Scope FITS Decompression Bomb Vulnerability: Affects all scenarios where Pillow processes GZIP data. OOB Write Vulnerability with Invalid File Extension: Affects scenarios where Pillow processes crafted PSD images. Infinite Loop Vulnerability in PDF Parsing: Affects scenarios where Pillow parses PDFs. Integer Overflow Vulnerability in Font Handling: Affects scenarios where Pillow processes fonts. Heap Buffer Overflow Vulnerability from Nested List Coordinates: Affects scenarios where Pillow processes nested list coordinates. Fixes FITS Decompression Bomb Vulnerability: Limit the amount of data read. OOB Write Vulnerability with Invalid File Extension: Add improved checks. Infinite Loop Vulnerability in PDF Parsing: Record processed trailers. Integer Overflow Vulnerability in Font Handling: Fix the integer overflow issue. Heap Buffer Overflow Vulnerability from Nested List Coordinates: Validate coordinate lists. POC Code or Exploit Code No specific POC code or exploit code is provided on the page.

Goal Reached Thanks to every supporter — we hit 100%!

Pillow Security Bulletin: Fixes for Decompression Bomb, OOB, Infinite Loop, and Integer Overflow