Pillow between 2.5.0 and 3.1.1 may overflow a buffer when reading rewriting a specially crafted Jpeg2000 file. This occurs specifically in the function *j2k_encode_entry*, at the line:

```
state->buffer = malloc (tile_width * tile_height * components * prec / 8);
```

If this buffer is smaller than expected, the jpeg2k encoding functions will write outside the allocation and onto the heap, corrupting memory.

Reproducer and proposed fix can be found in original bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1321422
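An added example (not Pillow's code and not the upstream fix) of how a size expression of this shape can produce a buffer smaller than expected, beside an overflow-checked form. It assumes the four operands are 32-bit unsigned values; the function names and the sample dimensions are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The expression from the report, evaluated in 32-bit unsigned arithmetic
   (assumed operand type). Each product wraps modulo 2^32. */
static uint32_t naive_tile_bytes(uint32_t w, uint32_t h, uint32_t comps, uint32_t prec)
{
    return (uint32_t)(w * h * comps * prec) / 8;
}

/* Store a * b in *out, or return -1 if the product does not fit in size_t. */
static int mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Checked form: returns 0 and sets *out, or -1 on a zero operand or overflow.
   The caller must refuse to allocate when this returns -1. */
static int checked_tile_bytes(uint32_t w, uint32_t h, uint32_t comps,
                              uint32_t prec, size_t *out)
{
    size_t n;
    if (w == 0 || h == 0 || comps == 0 || prec == 0)
        return -1;
    if (mul_checked(w, h, &n) || mul_checked(n, comps, &n) || mul_checked(n, prec, &n))
        return -1;
    *out = n / 8;
    return 0;
}

int main(void)
{
    /* Constructed dimensions: 0x10000 * 0x10001 = 2^32 + 65536, which wraps to 65536. */
    uint32_t w = 0x10000u, h = 0x10001u, comps = 1, prec = 8;
    size_t need = 0;
    int rc = checked_tile_bytes(w, h, comps, prec, &need);

    printf("unchecked size: %u bytes\n", (unsigned)naive_tile_bytes(w, h, comps, prec));
    if (rc == 0)
        printf("checked size:   %llu bytes\n", (unsigned long long)need);
    else
        printf("checked size:   rejected (does not fit in size_t)\n");
    return 0;
}
```

With the constructed dimensions the unchecked expression yields 65536 bytes, while the checked form either reports the full size (64-bit `size_t`) or rejects the request (32-bit `size_t`).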
Acknowledgements:

Name: the Pillow project
Upstream: Alyssa Besseling
Created python-pillow tracking bugs for this issue:

Affects: fedora-all [bug 1327131]
This has been public for some time:

https://bugzilla.suse.com/show_bug.cgi?id=973786
https://lwn.net/Articles/683303/
This bug doesn't affect RHEL5, 6 or 7:

The vulnerability was introduced to python-pillow in 2.5.0 in the new source file libImaging/Jpeg2KEncode.c and then fixed after 3.1.1 (see Andrej's comment above).

RHEL7 presently ships python-pillow 2.0.0 which does not include the affected code. Repros fail as there is no support for .jpc/jpeg2k formatted images.

RHEL5 and 6 are using python-imaging, from which python-pillow was later forked. python-imaging never contained the affected code.