libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
Created python-pillow tracking bugs for this issue:
Affects: fedora-all [bug 1789541]
Created python3-pillow tracking bugs for this issue:
Affects: epel-7 [bug 1789542]
While Red Hat Quay includes python-pillow, it is not used; therefore this issue is rated moderate for Red Hat Quay.
The function ImagingFliDecode() in FliDecode.c uses a buffer `buf` of `bytes` bytes as input. However, it tries to read 2 bytes at buf+4 when it has only checked that the buffer contains at least 4 bytes. If the size of the buffer is 4, for example, the additional 2 bytes would be read from the memory after the allocated buffer. This results in an out-of-bounds read, which could be used to leak some memory data from the program or, at most, make it crash.
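A minimal model of the check described above, added here as an illustration and not code from Pillow's FliDecode.c: the chunk header layout (a 4-byte little-endian size followed by a 2-byte type) is FLI's, but the function names, the sentinel bytes and the sample chunk stream are constructed. The vulnerable reader mirrors the bug (a `bytes < 4` check followed by a read at buf+4); the hardened reader requires all 6 header bytes first, and a chunk walker shows how a trailing fragment is then left unread rather than read past.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FLI chunk header (little-endian): 4-byte chunk size, then a 2-byte chunk type. */
#define FLI_HDR_LEN 6

typedef struct {
    int      ok;        /* 1 if a full header was read, 0 if the input was too short */
    uint32_t size;      /* chunk size field (includes the header itself) */
    uint16_t type;      /* chunk type field */
    size_t   oob_bytes; /* bytes read past `bytes` (non-zero only for the vulnerable reader) */
} fli_hdr;

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Vulnerable pattern: only the 4-byte size field is bounds-checked before the type at buf+4 is read. */
fli_hdr read_hdr_vulnerable(const uint8_t *buf, size_t bytes) {
    fli_hdr h = {0, 0, 0, 0};
    if (bytes < 4)
        return h;                 /* only guarantees buf[0..3] exist */
    h.size = rd_u32le(buf);
    h.type = rd_u16le(buf + 4);   /* touches buf[4], buf[5] even when bytes is 4 or 5 */
    h.oob_bytes = bytes < FLI_HDR_LEN ? FLI_HDR_LEN - bytes : 0;
    h.ok = 1;
    return h;
}

/* Hardened pattern: require the whole 6-byte header before reading any of it. */
fli_hdr read_hdr_fixed(const uint8_t *buf, size_t bytes) {
    fli_hdr h = {0, 0, 0, 0};
    if (bytes < FLI_HDR_LEN)
        return h;                 /* caller must wait for more data or stop */
    h.size = rd_u32le(buf);
    h.type = rd_u16le(buf + 4);
    h.ok = 1;
    return h;
}

/* Walk consecutive chunks with the hardened check. Returns bytes consumed, or -1 if a chunk
 * size is smaller than a header or runs past the end of the input. A trailing fragment shorter
 * than one header is left unconsumed instead of being read past. */
long walk_chunks_fixed(const uint8_t *buf, size_t bytes, int *n_chunks) {
    size_t off = 0;
    *n_chunks = 0;
    while (bytes - off >= FLI_HDR_LEN) {
        fli_hdr h = read_hdr_fixed(buf + off, bytes - off);
        if (h.size < FLI_HDR_LEN || h.size > bytes - off)
            return -1;
        off += h.size;
        (*n_chunks)++;
    }
    return (long)off;
}

/* Constructed backing storage: the logical 4-byte input is followed by sentinel bytes that
 * stand in for whatever happens to sit after a real heap allocation. */
static const uint8_t backing[8] = {0x04, 0x00, 0x00, 0x00, 0xAD, 0xDE, 0x00, 0x00};
#define LOGICAL_LEN 4

fli_hdr demo_vulnerable(void) { return read_hdr_vulnerable(backing, LOGICAL_LEN); }
fli_hdr demo_fixed(void)      { return read_hdr_fixed(backing, LOGICAL_LEN); }

/* Constructed stream: an 8-byte chunk (type 0x000F, 2 payload bytes), a 6-byte header-only
 * chunk (type 0x0010), then a 4-byte fragment that cannot hold a full header. */
static const uint8_t stream[18] = {
    0x08, 0x00, 0x00, 0x00, 0x0F, 0x00, 0xAA, 0xBB,
    0x06, 0x00, 0x00, 0x00, 0x10, 0x00,
    0x04, 0x00, 0x00, 0x00
};

long demo_walk_consumed(void) { int n; return walk_chunks_fixed(stream, sizeof stream, &n); }
int  demo_walk_count(void)    { int n; walk_chunks_fixed(stream, sizeof stream, &n); return n; }

/* Same stream but with the first chunk size set to 2, smaller than a header: must be rejected. */
long demo_walk_bad_size(void) {
    uint8_t bad[18];
    int n;
    memcpy(bad, stream, sizeof bad);
    bad[0] = 0x02;
    return walk_chunks_fixed(bad, sizeof bad, &n);
}

int main(void) {
    fli_hdr v = demo_vulnerable(), f = demo_fixed();
    printf("vulnerable: ok=%d type=0x%04X oob_bytes=%zu (type came from memory past the buffer)\n",
           v.ok, v.type, v.oob_bytes);
    printf("fixed:      ok=%d (refused to read a header from 4 bytes)\n", f.ok);
    printf("walk:       consumed=%ld chunks=%d bad_size=%ld\n",
           demo_walk_consumed(), demo_walk_count(), demo_walk_bad_size());
    return 0;
}
```

With a 4-byte logical input the vulnerable reader returns chunk type 0xDEAD, a value taken entirely from the two sentinel bytes beyond the buffer; in a real process those bytes would be whatever follows the allocation, which is the information-leak case, or an unmapped page, which is the crash case. The hardened reader reports `ok == 0` for the same input, and the walker stops at the trailing fragment instead of decoding it.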