Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:python_imaging_project:python_imaging:*:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"last_affected": "1.1.7"
}
],
"vendor_product": "python_imaging_project:python_imaging",
"source": "CPE_RANGE"
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "7.0"
},
{
"last_affected": "7.0"
},
{
"introduced": "8.0"
},
{
"last_affected": "8.0"
}
],
"vendor_product": "debian:debian_linux",
"source": "CPE_STRING"
}
]
}{
"cpe": "cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "3.1.0"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}[
{
"source": "https://github.com/python-pillow/pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"243576619890553771933049052307961487112",
"159213527502674527969643437745726801554",
"45146649394448460556352801206302482404",
"53128559915082015387888206077850571244",
"105545442111552753224521131184882741405",
"159213527502674527969643437745726801554",
"45146649394448460556352801206302482404",
"53128559915082015387888206077850571244"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2016-2533-8b4ca020",
"target": {
"file": "libImaging/PcdDecode.c"
}
},
{
"source": "https://github.com/python-pillow/pillow/commit/ae453aa18b66af54e7ff716f4ccb33adca60afd4",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "168762087425834242494109050733475827334",
"length": 1022.0
},
"deprecated": false,
"id": "CVE-2016-2533-98c38d44",
"target": {
"function": "ImagingPcdDecode",
"file": "libImaging/PcdDecode.c"
}
},
{
"source": "https://github.com/python-pillow/pillow/commit/5bdf54b5a76b54fb00bd05f2d733e0a4173eefc9",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"243576619890553771933049052307961487112",
"159213527502674527969643437745726801554",
"45146649394448460556352801206302482404",
"53128559915082015387888206077850571244",
"105545442111552753224521131184882741405",
"159213527502674527969643437745726801554",
"45146649394448460556352801206302482404",
"53128559915082015387888206077850571244"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2016-2533-a27dff82",
"target": {
"file": "libImaging/PcdDecode.c"
}
},
{
"source": "https://github.com/python-pillow/pillow/commit/5bdf54b5a76b54fb00bd05f2d733e0a4173eefc9",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "168762087425834242494109050733475827334",
"length": 1022.0
},
"deprecated": false,
"id": "CVE-2016-2533-f60f3dd6",
"target": {
"function": "ImagingPcdDecode",
"file": "libImaging/PcdDecode.c"
}
}
]
"2026-07-08T12:41:10Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-2533.json"