Bug 1321929 (CVE-2016-3076) - CVE-2016-3076 python-pillow: buffer overflow in Jpeg2kEncode.c
Summary: CVE-2016-3076 python-pillow: buffer overflow in Jpeg2kEncode.c
Alias: CVE-2016-3076
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1327131
Blocks: 1321931
TreeView+ depends on / blocked
Reported: 2016-03-29 11:53 UTC by Andrej Nemec
Modified: 2021-02-17 04:07 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-05-11 05:28:49 UTC

Attachments (Terms of Use)

Description Andrej Nemec 2016-03-29 11:53:58 UTC
Pillow between 2.5.0 and 3.1.1 may overflow a buffer when reading
rewriting a specially crafted Jpeg2000 file.

This occurs specifically in the function *j2k_encode_entry*, at the line:
    state->buffer = malloc (tile_width * tile_height * components * prec / 8);

If this buffer is smaller than expected, the jpeg2k encoding functions
will write outside the allocation and onto the heap, corrupting

Reproducer and proposed fix can be found in original bug report:


Comment 1 Andrej Nemec 2016-03-29 11:55:11 UTC

Name: the Pillow project
Upstream: Alyssa Besseling

Comment 3 Andrej Nemec 2016-04-14 10:15:53 UTC
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1327131]

Comment 4 Andrej Nemec 2016-04-14 10:17:32 UTC
This is public for some time:


Comment 5 Doran Moppert 2016-05-11 05:20:24 UTC
This bug doesn't affect RHEL5, 6 or 7:

The vulnerability was introduced to python-pillow in 2.5.0 in the new source file libImaging/Jpeg2KEncode.c and then fixed after 3.1.1  (see Andrej's comment above).

RHEL7 presently ships python-pillow 2.0.0 which does not include the affected code.  Repros fail as there is no support for .jpc/jpeg2k formatted images.

RHEL5 and 6 are using python-imaging, from which python-pillow was later forked.  python-imaging never contained the affected code.

Note You need to log in before you can comment on or make changes to this bug.