FLIF-hub / FLIF

Free Lossless Image Format

raw-tools/sony_arw/dcraw.c Buffer Overflow #565

Open ksyang opened 10 months ago

ksyang commented 10 months ago

Hi.

We discovered that the https://github.com/LibRaw/LibRaw/commit/fd6330292501983ac75fe4162275794b18445bd9 vulnerability (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5808), discovered in LibRaw, affects the latest version of dcraw_hack.

System Configuration

FLIF Version: Master branch (commit 0074d6f)
Test environment: Ubuntu 22.04.2 LTS 64bit

Description

https://github.com/FLIF-hub/FLIF/blob/0074d6fd095d27ce81346aa3fbe9bab59105053e/raw-tools/sony_arw/dcraw.c#L8109-L8132

In the above code, if the value of the col variable exceeds 2064, a stack buffer overflow occurs. The col value is determined by the value of width, but since there is no limit to the value of width, a stack buffer overflow vulnerability occurs.

$ ./FLIF/raw-tools/sony_arw/dcraw_hack ./files/test.raw
Segmentation fault (core dumped)

The vulnerability can be fixed by patching as follows.

 - double sum[]={0,0};
 + double sum[] = {0, 0};
 + if(width > 2064) return 0.f; // too wide
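Review bot: the hard-coded 2064 in `if(width > 2064) return 0.f;` duplicates the size of the stack array that the report says overflows, so the two values can drift apart if the array is ever resized; derive the bound from the array's declared size (`sizeof`) instead, and keep the check ahead of any use of `width` as an index. The hunk also carries no `@@` header or context lines, so a reader cannot tell which function it lands in or whether `0.f` matches that function's return type; posting it as a complete `git diff` would make it applicable and reviewable.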

Due to issue upload file size limitations, the PoC is shared through Google Drive below.

PoC file: https://drive.google.com/file/d/1s5N0Ao2lAWO73bzVFmP6EMJ5LZ6Efo_Y/view?usp=drive_link

Credit: Seunghoon Woo & Kyeongseok Yang, CCS Lab
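The pattern the report describes, a stack array sized for a fixed number of columns indexed by a counter that runs up to a width read straight from the file, as an added example that is not code from FLIF, dcraw.c or the reporter. The 2064 bound is the figure named in the issue; the header layout, the `read_u32_le`, `width_is_safe`, `accumulate_row` and `accept_header` names, and the sample inputs are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the report's pattern: a stack array sized for a
 * fixed number of columns, indexed by a column counter that runs up to a
 * width value taken from the input file. 2064 is the bound named in the
 * issue; every identifier in this file is an assumption for the example. */
#define MAX_COLS 2064

/* Little-endian 32-bit reader for the constructed header layout. */
static uint32_t read_u32_le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The guard the patch adds: width may never exceed the column buffer. */
int width_is_safe(uint32_t width)
{
    return width <= MAX_COLS;
}

/* Hardened per-row accumulation. Returns 0 on success, -1 when the width
 * would index past col_buf. Without the width_is_safe() guard, a width
 * above MAX_COLS makes col_buf[col] write past the end of the stack array,
 * which is the overflow the report describes. */
int accumulate_row(const uint16_t *row, uint32_t width, double sum_out[2])
{
    double col_buf[MAX_COLS];
    double sum[2] = {0, 0};

    if (row == NULL || sum_out == NULL || !width_is_safe(width))
        return -1;               /* reject before any write into col_buf */

    for (uint32_t col = 0; col < width; col++) {
        col_buf[col] = row[col]; /* in bounds: col < width <= MAX_COLS */
        sum[col & 1] += col_buf[col];
    }
    sum_out[0] = sum[0];
    sum_out[1] = sum[1];
    return 0;
}

/* Parses a constructed 8-byte header (width, height) and decides whether
 * the row loop may run. Returns the width on acceptance, 0 on rejection. */
uint32_t accept_header(const unsigned char *hdr, size_t len)
{
    if (hdr == NULL || len < 8) return 0;
    uint32_t width = read_u32_le(hdr);
    return width_is_safe(width) ? width : 0;
}

int main(void)
{
    /* Constructed headers: one at the bound, one the guard must reject. */
    const unsigned char ok_hdr[8]  = {0x10, 0x08, 0, 0, 0x01, 0, 0, 0}; /* width 2064 */
    const unsigned char bad_hdr[8] = {0x11, 0x08, 0, 0, 0x01, 0, 0, 0}; /* width 2065 */
    uint16_t row[4] = {1, 2, 3, 4};
    double sum[2];

    printf("width 2064 accepted as: %u\n", accept_header(ok_hdr, sizeof ok_hdr));
    printf("width 2065 accepted as: %u\n", accept_header(bad_hdr, sizeof bad_hdr));
    if (accumulate_row(row, 4, sum) == 0)
        printf("sums: even=%.0f odd=%.0f\n", sum[0], sum[1]);
    return 0;
}
```

The point of `accept_header` is where the decision sits: the width is validated once, at the boundary where it enters from the file, before any routine that uses it as an index is reached, rather than relying on each consumer to remember its own check.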