CVE-2016-3076 – Buffer overflow in Jpeg2KEncode.c¶
Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing large Jpeg2000 files, allowing for code execution or other memory corruption.
This occurs specifically in the function
j2k_encode_entry, at the line:
state->buffer = malloc (tile_width * tile_height * components * prec / 8);
This vulnerability requires a particular value for
height * width
height * width * components * precision overflows, at
which point the malloc will be for a smaller value than expected. The
buffer that is allocated will be
((height * width * components *
precision) mod (2^31) / 8), where components is 1-4 and precision is
either 8 or
16. Common values would be 4 components at precision 8 for a standard
The unpackers then split an image that is laid out:
RRR. GGG. BBB. AAA.
If this buffer is smaller than expected, the jpeg2k unpacker functions will write outside the allocation and onto the heap, corrupting memory.
This issue was found by Alyssa Besseling at Atlassian.