Pillow Memory Corruption Vulnerability in PSD File Processing Allowing Arbitrary Code Execution

Vulnerability

A vulnerability in the Python imaging library Pillow, affecting versions from 10.3.0 up to but not including 12.2.0, allows memory corruption when processing malicious PSD files. This could lead to crashes or arbitrary code execution. The issue arises from an integer overflow in the tile extent calculations: the overflowed value passes the bounds checks, and the subsequent write lands outside the allocated buffer. The vulnerability has been patched in Pillow version 12.2.0.

Impact

Exploitation of this vulnerability could result in memory corruption, causing crashes or allowing arbitrary code execution.

Reproduction

The vulnerability can be reproduced with a PSD file whose tile dimensions are crafted to trigger the integer overflow in the extent calculations. When such a file is processed with a Pillow version from 10.3.0 up to but not including 12.2.0, the library mishandles the tile extents, leading to an out-of-bounds write. This can be automated with a script that uses Pillow to open the malicious PSD file; loading the image data triggers the vulnerability and touches the corrupted memory.

Remediation

Users should upgrade to Pillow version 12.2.0, where this vulnerability has been fixed.
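An added helper, not part of this advisory or of the Pillow project, that tests whether a Pillow version string falls inside the affected range stated above (10.3.0 inclusive to 12.2.0 exclusive). The function names and the handling of pre-release suffixes are assumptions made for this example.

```python
"""Check whether a given or installed Pillow version is in the affected range
of the PSD tile-extent overflow: 10.3.0 <= version < 12.2.0 (per the advisory).
Function names and pre-release handling below are assumptions of this example."""
import re
from typing import Optional, Tuple

AFFECTED_MIN = (10, 3, 0)   # first affected release (inclusive)
FIXED_IN = (12, 2, 0)       # release carrying the fix (exclusive upper bound)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '11.0.0', '10.3' or '12.2.0.dev0' into a (major, minor, patch) tuple.
    Pre-release suffixes are ignored, so '12.2.0.dev0' compares like '12.2.0';
    such builds predate the fixed release and should be checked by hand."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies in [AFFECTED_MIN, FIXED_IN)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def installed_pillow_status() -> Optional[Tuple[str, bool]]:
    """Return (version, affected) for the Pillow found on this interpreter,
    or None when Pillow is not importable."""
    try:
        import PIL  # Pillow exposes its release string as PIL.__version__
    except ImportError:
        return None
    return (PIL.__version__, is_affected(PIL.__version__))


if __name__ == "__main__":
    status = installed_pillow_status()
    if status is None:
        print("Pillow is not installed in this interpreter")
    else:
        version, affected = status
        verdict = ("AFFECTED: upgrade to 12.2.0 or later" if affected
                   else "not in the affected range")
        print(f"Pillow {version}: {verdict}")
```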

Added: May 9, 2026, 6:19 AM
Updated: May 9, 2026, 6:19 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 7.5
exploitability: 5.1
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.