From c62b544084b21091159a3101a070fc4dda6494f9 Mon Sep 17 00:00:00 2001 From: wiredfool Date: Sat, 26 Mar 2016 13:27:17 -0700 Subject: [PATCH] Release Notes --- docs/releasenotes/3.1.2.rst | 43 +++++++++++++++++++++++++++++++++++++ docs/releasenotes/index.rst | 1 + 2 files changed, 44 insertions(+) create mode 100644 docs/releasenotes/3.1.2.rst diff --git a/docs/releasenotes/3.1.2.rst b/docs/releasenotes/3.1.2.rst new file mode 100644 index 000000000..ddb6a2ada --- /dev/null +++ b/docs/releasenotes/3.1.2.rst @@ -0,0 +1,43 @@ + +3.1.2 +===== + +CVE-2016-3076 -- Buffer overflow in Jpeg2KEncode.c +-------------------------------------------------- + +Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing +large Jpeg2000 files, allowing for code execution or other memory +corruption. + +This occurs specifically in the function ``j2k_encode_entry``, at the line:: + + state->buffer = malloc (tile_width * tile_height * components * prec / 8); + + +This vulnerability requires a particular value for ``height * width`` +such that ``height * width * components * precision`` overflows, at +which point the malloc will be for a smaller value than expected. The +buffer that is allocated will be ``((height * width * components * +precision) mod (2^31) / 8)``, where components is 1-4 and precision is +either 8 or +16. Common values would be 4 components at precision 8 for a standard +``RGBA`` image. + +The unpackers then split an image that is laid out:: + + RGBARGBARGBA.... + +into:: + + + RRR. + GGG. + BBB. + AAA. + + +If this buffer is smaller than expected, the jpeg2k unpacker functions +will write outside the allocation and onto the heap, corrupting +memory. + +This issue was found by Alyssa Besseling at Atlassian. diff --git a/docs/releasenotes/index.rst b/docs/releasenotes/index.rst index f5a96adb2..aeb651cab 100644 --- a/docs/releasenotes/index.rst +++ b/docs/releasenotes/index.rst @@ -6,6 +6,7 @@ Release Notes .. toctree:: :maxdepth: 2 + 3.1.2 3.1.1 3.1.0 3.0.0
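Review bot: the new ``docs/releasenotes/3.1.2.rst`` describes the overflow in ``j2k_encode_entry`` and credits the reporter, but never says how 3.1.2 addresses it; a release note for a CVE should state, at least in one sentence, what changed in this version (the range "between 2.5.0 and 3.1.1" only implies that 3.1.2 is fixed). Two smaller points in the same file: the sentence "precision is either 8 or" is broken across a line so that "16." stands alone on the next line, which reads as an accidental wrap and should be joined, and the file opens with an empty line before the ``3.1.2`` heading, which the other release-note pages would not normally carry.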
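Review bot: the ``index.rst`` hunk adds ``3.1.2`` ahead of ``3.1.1``, which keeps the toctree in descending version order; the only thing to confirm, which the flattened diff cannot show, is that the new line uses the same indentation as the existing entries, since a line at a different indent under ``.. toctree::`` is not parsed as part of the directive body.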