3.1.2

CVE-2016-3076 – Buffer overflow in Jpeg2KEncode.c

Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing large Jpeg2000 files, allowing for code execution or other memory corruption.

This occurs specifically in the function j2k_encode_entry, at the line:

  state->buffer = malloc (tile_width * tile_height * components * prec / 8);

This vulnerability requires a particular value for height * width such that height * width * components * precision overflows, at which point the malloc will be for a smaller value than expected. The buffer that is allocated will be ((height * width * components * precision) mod (2^31) / 8), where components is 1-4 and precision is either 8 or 16. Common values would be 4 components at precision 8 for a standard RGBA image.
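As an added illustration (not Pillow's code), the following C program evaluates the tile buffer size the same way as the quoted malloc line, in 32-bit arithmetic, beside a checked version that refuses sizes whose computation overflows or that exceed a caller-chosen cap; the 40000x30000 image and the max_bytes parameter are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size computation of the same shape as the quoted malloc line, evaluated
 * in 32-bit arithmetic (unsigned, so the wraparound is defined behaviour).
 * Each partial product is truncated to 32 bits, so a large image yields a
 * byte count far smaller than the pixel data actually needs. */
uint32_t naive_buffer_size(uint32_t width, uint32_t height,
                           uint32_t components, uint32_t prec)
{
    return width * height * components * prec / 8;
}

/* Hardened variant: multiply step by step in size_t and refuse (return 0,
 * *out untouched) if any step would exceed SIZE_MAX, if the operands are
 * outside the ranges the text gives (1-4 components, precision 8 or 16), or
 * if the result exceeds max_bytes, an assumed caller-chosen cap on one tile
 * buffer. Returns 1 and stores the byte count in *out otherwise. */
int checked_buffer_size(size_t width, size_t height, size_t components,
                        size_t prec, size_t max_bytes, size_t *out)
{
    size_t factors[] = { height, components, prec };
    size_t acc = width;
    if (width == 0 || components < 1 || components > 4 || (prec != 8 && prec != 16))
        return 0;
    for (size_t i = 0; i < 3; i++) {
        if (factors[i] == 0 || acc > SIZE_MAX / factors[i])
            return 0;              /* this multiplication would overflow */
        acc *= factors[i];
    }
    acc /= 8;                      /* bits to bytes; exact because prec is 8 or 16 */
    if (acc > max_bytes)
        return 0;
    *out = acc;
    return 1;
}

int main(void)
{
    /* Constructed input: a 40000x30000 RGBA image at 8-bit precision. */
    size_t need;
    printf("naive size: %u bytes\n", (unsigned) naive_buffer_size(40000, 30000, 4, 8));
    if (checked_buffer_size(40000, 30000, 4, 8, UINT32_MAX, &need))
        printf("checked size: %zu bytes\n", need);
    else
        printf("checked: refused, size overflows or exceeds the cap\n");
    return 0;
}
```

For the constructed image the naive computation yields 505032704 bytes where 4800000000 are needed, which is the under-allocation the text describes; the checked version refuses the request instead.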

The unpackers then split an image that is laid out:

  RGBARGBARGBA....

into:

  RRR.
  GGG.
  BBB.
  AAA.

If this buffer is smaller than expected, the jpeg2k unpacker functions will write outside the allocation and onto the heap, corrupting memory.

This issue was found by Alyssa Besseling at Atlassian.