Added release notes for 9.1.1

Author: radarhere

CHANGES.rst

@@ -2,6 +2,15 @@
 Changelog (Pillow)
 ==================
 
+9.1.1 (unreleased)
+------------------
+
+- When reading past the end of a TGA scan line, reduce bytes left. CVE-2022-30595
+  [radarhere]
+
+- Do not open images with zero or negative height #6269
+  [radarhere]
+
 9.1.0 (2022-04-01)
 ------------------
 

docs/releasenotes/9.1.1.rst

@@ -0,0 +1,16 @@
+9.1.1
+-----
+
+Security
+========
+
+This release addresses several security problems.
+
+:cve:`CVE-2022-30595`: When reading a TGA file with RLE packets that cross scan lines,
+Pillow reads the information past the end of the first line without deducting that
+from the length of the remaining file data. This vulnerability was introduced in Pillow
+9.1.0, and can cause a heap buffer overflow.
+
+Opening an image with a zero or negative height has been found to bypass a
+decompression bomb check. This will now raise a :py:exc:`SyntaxError` instead, in turn
+raising a ``PIL.UnidentifiedImageError``.

docs/releasenotes/index.rst

@@ -14,6 +14,7 @@ expected to be backported to earlier versions.
 .. toctree::
   :maxdepth: 2
 
+  9.1.1
   9.1.0
   9.0.1
   9.0.0