A heap-buffer-overflow at Pillow/src/libImaging/Unpack.c:467:50 in unpackP4L

[Wakotu]

Hello, a heap-buffer-overflow reported by ASAN when I fuzz Pillow with google/atheris.

Environment

• Pillow version: 7.1.2
• Python version: Python 3.8.10
• OS version: Ubuntu 20.04.6 LTS

Output

fuzz driver:

import atheris
import io
import sys

with atheris.instrument_imports():
    from PIL import Image

def fuzz_image(data):
    try:
        # Attempt to open the image from the fuzzed data
        image = Image.open(io.BytesIO(data))
        image.load()  # Trigger image processing
    except Exception as e:
        # Handle exceptions (e.g., print or log)
        pass

def main():
    atheris.Setup(sys.argv, fuzz_image)
    atheris.Fuzz()

if __name__ == "__main__":
    main()

error log:
error.log

trigger input:
trigger.txt

Steps to Reproduce

Pull the docker image and run it to a container.

docker pull vueko0/pillow_crash:v1
docker run --rm vueko0/pillow_crash:v1

Enter the container and run following commands:

cd ~/Pillow/
./crash.sh

[hugovk]

Pillow 7.1.2 was released in April 2020: https://pypi.org/project/pillow/7.1.2/

Also Python 3.8 is no longer supported.

Can you reproduce with the latest Pillow 11.1.0 on Python 3.9 or later?

And for next time, please follow our security policy regarding security issues:

https://github.com/python-pillow/Pillow/blob/main/.github/SECURITY.md

[Wakotu]

Ok, I would try later.

[radarhere]

I would conclude this has found https://nvd.nist.gov/vuln/detail/cve-2020-35653, which was fixed by #5174 in Pillow 8.1.0

This problem is actually mentioned in the atheris repository itself - https://github.com/google/atheris/blob/master/hall_of_fame.md

[Wakotu]

Thanks for your work.

[hugovk]

(Reclosing as duplicate)