python-pillow/Pillow
1
1
Fork 0
mirror of https://github.com/python-pillow/Pillow.git synced 2024-09-21 11:28:58 +03:00
Code Issues Packages Projects Releases Wiki Activity
f77273db8f
Pillow/docs/releasenotes/3.1.2.rst
pre-commit-ci[bot] 20d451b359 [pre-commit.ci] auto fixes from pre-commit.com hooks 
for more information, see https://pre-commit.ci
2024-03-15 10:01:42 -04:00

53 lines
1.3 KiB
ReStructuredText
Raw Blame History

3.1.2
-----
Security
========
Fix CVE-2016-3076
^^^^^^^^^^^^^^^^^
.. note:: More information about this vulnerability included in database record :cve:`2016-3076`
Buffer overflow in Jpeg2KEncode.c
+++++++++++++++++++++++++++++++++
Pillow between 2.5.0 and 3.1.1 may overflow a buffer
when writing large Jpeg2000 files, allowing for code execution or other
memory corruption.
This occurs specifically in the function ``j2k_encode_entry``, at the line:
.. code-block:: c
state->buffer = malloc (tile_width * tile_height * components * prec / 8);
This vulnerability requires a particular value for ``height * width``
such that ``height * width * components * precision`` overflows, at
which point the malloc will be for a smaller value than expected. The
buffer that is allocated will be ``((height * width * components *
precision) mod (2^31) / 8)``, where components is 1-4 and precision is
either 8 or
16. Common values would be 4 components at precision 8 for a standard
``RGBA`` image.
The unpackers then split an image that is laid out::
RGBARGBARGBA....
into::
RRR.
GGG.
BBB.
AAA.
If this buffer is smaller than expected, the jpeg2k unpacker functions
will write outside the allocation and onto the heap, corrupting
memory.
This issue was found by Alyssa Besseling at Atlassian.
Reference in New Issue View Git Blame Copy Permalink