9.1.1 version bump

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: fc0be6eb1e2a96091e6f64009ee5e9081bf8b6c6  # frozen: 22.1.0
+    rev: 22.3.0
     hooks:
       - id: black
         args: ["--target-version", "py37"]
@@ -9,35 +9,35 @@ repos:
         types: []
 
   - repo: https://github.com/PyCQA/isort
-    rev: c5e8fa75dda5f764d20f66a215d71c21cfa198e1  # frozen: 5.10.1
+    rev: 5.10.1
     hooks:
       - id: isort
 
   - repo: https://github.com/asottile/yesqa
-    rev: 35cf7dc24fa922927caded7a21b2a8cb04bf8e10  # frozen: v1.3.0
+    rev: v1.3.0
     hooks:
       - id: yesqa
 
   - repo: https://github.com/Lucas-C/pre-commit-hooks
-    rev: ca52c4245639abd55c970e6bbbca95cab3de22d8  # frozen: v1.1.13
+    rev: v1.2.0
     hooks:
       - id: remove-tabs
         exclude: (Makefile$|\.bat$|\.cmake$|\.eps$|\.fits$|\.opt$)
 
   - repo: https://github.com/PyCQA/flake8
-    rev: cbeb4c9c4137cff1568659fcc48e8b85cddd0c8d  # frozen: 4.0.1
+    rev: 4.0.1
     hooks:
       - id: flake8
         additional_dependencies: [flake8-2020, flake8-implicit-str-concat]
 
   - repo: https://github.com/pre-commit/pygrep-hooks
-    rev: 6f51a66bba59954917140ec2eeeaa4d5e630e6ce  # frozen: v1.9.0
+    rev: v1.9.0
     hooks:
       - id: python-check-blanket-noqa
       - id: rst-backticks
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: 8fe62d14e0b4d7d845a7022c5c2c3ae41bdd3f26  # frozen: v4.1.0
+    rev: v4.2.0
     hooks:
       - id: check-merge-conflict
       - id: check-yaml

CHANGES.rst

@@ -2,6 +2,15 @@
 Changelog (Pillow)
 ==================
 
+9.1.1 (unreleased)
+------------------
+
+- When reading past the end of a TGA scan line, reduce bytes left. CVE-2022-30595
+  [radarhere]
+
+- Do not open images with zero or negative height #6269
+  [radarhere]
+
 9.1.0 (2022-04-01)
 ------------------
 

Tests/test_file_libtiff.py

@@ -18,6 +18,7 @@ from .helper import (
     hopper,
     mark_if_feature_version,
     skip_unless_feature,
+    skip_unless_feature_version,
 )
 
 
@@ -991,6 +992,7 @@ class TestFileLibTiff(LibTiffTestCase):
         with Image.open(out) as im:
             im.load()
 
+    @skip_unless_feature_version("libtiff", "4.0.4")
     def test_realloc_overflow(self):
         TiffImagePlugin.READ_LIBTIFF = True
         with Image.open("Tests/images/tiff_overflow_rows_per_strip.tif") as im:

Tests/test_file_tga.py

@@ -101,6 +101,10 @@ def test_cross_scan_line():
     with Image.open("Tests/images/cross_scan_line.tga") as im:
         assert_image_equal_tofile(im, "Tests/images/cross_scan_line.png")
 
+    with Image.open("Tests/images/cross_scan_line_truncated.tga") as im:
+        with pytest.raises(OSError):
+            im.load()
+
 
 def test_save(tmp_path):
     test_file = "Tests/images/tga_id_field.tga"

Tests/test_imagefile.py

@@ -2,7 +2,15 @@ from io import BytesIO
 
 import pytest
 
-from PIL import BmpImagePlugin, EpsImagePlugin, Image, ImageFile, _binary, features
+from PIL import (
+    BmpImagePlugin,
+    EpsImagePlugin,
+    Image,
+    ImageFile,
+    UnidentifiedImageError,
+    _binary,
+    features,
+)
 
 from .helper import (
     assert_image,
@@ -377,3 +385,7 @@ class TestPyEncoder(CodecsTest):
 
         with pytest.raises(NotImplementedError):
             encoder.encode_to_file(None, None)
+
+    def test_zero_height(self):
+        with pytest.raises(UnidentifiedImageError):
+            Image.open("Tests/images/zero_height.j2k")

docs/releasenotes/9.1.1.rst

@@ -0,0 +1,16 @@
+9.1.1
+-----
+
+Security
+========
+
+This release addresses several security problems.
+
+:cve:`CVE-2022-30595`: When reading a TGA file with RLE packets that cross scan lines,
+Pillow reads the information past the end of the first line without deducting that
+from the length of the remaining file data. This vulnerability was introduced in Pillow
+9.1.0, and can cause a heap buffer overflow.
+
+Opening an image with a zero or negative height has been found to bypass a
+decompression bomb check. This will now raise a :py:exc:`SyntaxError` instead, in turn
+raising a ``PIL.UnidentifiedImageError``.

docs/releasenotes/index.rst

@@ -14,6 +14,7 @@ expected to be backported to earlier versions.
 .. toctree::
   :maxdepth: 2
 
+  9.1.1
   9.1.0
   9.0.1
   9.0.0

src/PIL/ImageFile.py

@@ -123,7 +123,7 @@ class ImageFile(Image.Image):
             ) as v:
                 raise SyntaxError(v) from v
 
-            if not self.mode or self.size[0] <= 0:
+            if not self.mode or self.size[0] <= 0 or self.size[1] <= 0:
                 raise SyntaxError("not identified by this driver")
         except BaseException:
             # close the file only if we have opened it this constructor

src/PIL/_version.py

@@ -1,2 +1,2 @@
 # Master version for Pillow
-__version__ = "9.1.0"
+__version__ = "9.1.1"

src/libImaging/TgaRleDecode.c

@@ -120,6 +120,7 @@ ImagingTgaRleDecode(Imaging im, ImagingCodecState state, UINT8 *buf, Py_ssize_t
             }
             memcpy(state->buffer + state->x, ptr, n);
             ptr += n;
+            bytes -= n;
             extra_bytes -= n;
         }
     }