<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>3.1.2 — Pillow (PIL Fork) 5.4.1 documentation</title>
<script type="text/javascript" src="../_static/js/modernizr.min.js"></script>
<script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<script type="text/javascript" src="../_static/language_data.js"></script>
<script type="text/javascript" src="../_static/js/script.js"></script>
<script type="text/javascript" src="../_static/js/theme.js"></script>
<link rel="stylesheet" href="../_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="3.1.1" href="3.1.1.html" />
<link rel="prev" title="3.2.0" href="3.2.0.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="../index.html" class="icon icon-home"> Pillow (PIL Fork)
</a>
<div class="version">
5.4.1
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../installation.html">Installation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../handbook/index.html">Handbook</a></li>
<li class="toctree-l1"><a class="reference internal" href="../reference/index.html">Reference</a></li>
<li class="toctree-l1"><a class="reference internal" href="../porting.html">Porting</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">About</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Release Notes</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="5.4.1.html">5.4.1</a></li>
<li class="toctree-l2"><a class="reference internal" href="5.4.0.html">5.4.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="5.3.0.html">5.3.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="5.2.0.html">5.2.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="5.1.0.html">5.1.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="5.0.0.html">5.0.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="4.3.0.html">4.3.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="4.2.1.html">4.2.1</a></li>
<li class="toctree-l2"><a class="reference internal" href="4.2.0.html">4.2.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="4.1.1.html">4.1.1</a></li>
<li class="toctree-l2"><a class="reference internal" href="4.1.0.html">4.1.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="4.0.0.html">4.0.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="3.4.0.html">3.4.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="3.3.2.html">3.3.2</a></li>
<li class="toctree-l2"><a class="reference internal" href="3.3.0.html">3.3.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="3.2.0.html">3.2.0</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">3.1.2</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#cve-2016-3076-buffer-overflow-in-jpeg2kencode-c">CVE-2016-3076 – Buffer overflow in Jpeg2KEncode.c</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="3.1.1.html">3.1.1</a></li>
<li class="toctree-l2"><a class="reference internal" href="3.1.0.html">3.1.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="3.0.0.html">3.0.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="2.8.0.html">2.8.0</a></li>
<li class="toctree-l2"><a class="reference internal" href="2.7.0.html">2.7.0</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../deprecations.html">Deprecations and removals</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<nav class="wy-nav-top" aria-label="top navigation">
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../index.html">Pillow (PIL Fork)</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="breadcrumbs navigation">
<ul class="wy-breadcrumbs">
<li><a href="../index.html">Docs</a> »</li>
<li><a href="index.html">Release Notes</a> »</li>
<li>3.1.2</li>
<li class="wy-breadcrumbs-aside">
<a href="../_sources/releasenotes/3.1.2.rst.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<div class="section" id="id1">
<h1>3.1.2<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h1>
<div class="section" id="cve-2016-3076-buffer-overflow-in-jpeg2kencode-c">
<h2>CVE-2016-3076 – Buffer overflow in Jpeg2KEncode.c<a class="headerlink" href="#cve-2016-3076-buffer-overflow-in-jpeg2kencode-c" title="Permalink to this headline">¶</a></h2>
<p>Pillow between 2.5.0 and 3.1.1 may overflow a buffer when writing
large Jpeg2000 files, allowing for code execution or other memory
corruption.</p>
<p>This occurs specifically in the function <code class="docutils literal notranslate"><span class="pre">j2k_encode_entry</span></code>, at the line:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">state</span><span class="o">-></span><span class="n">buffer</span> <span class="o">=</span> <span class="n">malloc</span> <span class="p">(</span><span class="n">tile_width</span> <span class="o">*</span> <span class="n">tile_height</span> <span class="o">*</span> <span class="n">components</span> <span class="o">*</span> <span class="n">prec</span> <span class="o">/</span> <span class="mi">8</span><span class="p">);</span>
</pre></div>
</div>
<p>This vulnerability requires a particular value for <code class="docutils literal notranslate"><span class="pre">height</span> <span class="pre">*</span> <span class="pre">width</span></code>
such that <code class="docutils literal notranslate"><span class="pre">height</span> <span class="pre">*</span> <span class="pre">width</span> <span class="pre">*</span> <span class="pre">components</span> <span class="pre">*</span> <span class="pre">precision</span></code> overflows, at
which point the malloc will be for a smaller value than expected. The
buffer that is allocated will be <code class="docutils literal notranslate"><span class="pre">((height</span> <span class="pre">*</span> <span class="pre">width</span> <span class="pre">*</span> <span class="pre">components</span> <span class="pre">*</span>
<span class="pre">precision)</span> <span class="pre">mod</span> <span class="pre">(2^31)</span> <span class="pre">/</span> <span class="pre">8)</span></code>, where components is 1-4 and precision is
either 8 or
16. Common values would be 4 components at precision 8 for a standard
<code class="docutils literal notranslate"><span class="pre">RGBA</span></code> image.</p>
<p>The unpackers then split an image that is laid out:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">RGBARGBARGBA</span><span class="o">....</span>
</pre></div>
</div>
<p>into:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">RRR</span><span class="o">.</span>
<span class="n">GGG</span><span class="o">.</span>
<span class="n">BBB</span><span class="o">.</span>
<span class="n">AAA</span><span class="o">.</span>
</pre></div>
</div>
<p>If this buffer is smaller than expected, the jpeg2k unpacker functions
will write outside the allocation and onto the heap, corrupting
memory.</p>
<p>This issue was found by Alyssa Besseling at Atlassian.</p>
</div>
</div>
</div>
</div>
<footer>
<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
<a href="3.1.1.html" class="btn btn-neutral float-right" title="3.1.1" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right"></span></a>
<a href="3.2.0.html" class="btn btn-neutral float-left" title="3.2.0" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a>
</div>
<hr/>
<div role="contentinfo">
<p>
© Copyright 1995-2011 Fredrik Lundh, 2010-2018 Alex Clark and Contributors
</p>
</div>
Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script type="text/javascript">
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>
