
raw-tools/sony_arw/dcraw.c Buffer Overflow #565

Open
ksyang opened this issue Sep 30, 2023 · 0 comments

Comments

@ksyang

ksyang commented Sep 30, 2023

Hi.

We discovered that the LibRaw/LibRaw@fd63302 vulnerability (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5808), discovered in LibRaw, affects the latest version of dcraw_hack.

System Configuration

FLIF Version: Master branch (commit 0074d6f)
Test environment: Ubuntu 22.04.2 LTS 64bit

Description

```c
/* Vulnerable function as found in raw-tools/sony_arw/dcraw.c; relies on
   dcraw globals (ifp, width) and macros (CLASS, UINT64, FORC, ABS). */
float CLASS find_green (int bps, int bite, int off0, int off1)
{
  UINT64 bitbuf=0;
  int vbits, col, i, c;
  ushort img[2][2064];          /* fixed-size row buffer */
  double sum[]={0,0};
  FORC(2) {
    fseek (ifp, c ? off1:off0, SEEK_SET);
    for (vbits=col=0; col < width; col++) {   /* col bounded only by width */
      for (vbits -= bps; vbits < 0; vbits += bite) {
	bitbuf <<= bite;
	for (i=0; i < bite; i+=8)
	  bitbuf |= (unsigned) (fgetc(ifp) << i);
      }
      img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps);   /* overflows when col >= 2064 */
    }
  }
  FORC(width-1) {
    sum[ c & 1] += ABS(img[0][c]-img[1][c+1]);
    sum[~c & 1] += ABS(img[1][c]-img[0][c+1]);
  }
  return 100 * log(sum[0]/sum[1]);
}
```

In the above code, if the value of the col variable exceeds 2064, a stack buffer overflow occurs. The col value is determined by the value of width, but since there is no limit to the value of width, a stack buffer overflow vulnerability occurs.

```
$ ./FLIF/raw-tools/sony_arw/dcraw_hack ./files/test.raw
Segmentation fault (core dumped)
```

The vulnerability can be fixed by patching as follows.

 - double sum[]={0,0};
 + double sum[] = {0, 0};
 + if(width > 2064) return 0.f; // too wide
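Review bot: the `2064` in `if(width > 2064) return 0.f;` duplicates the size of `img[2][2064]` by hand; express the bound in terms of the array (`sizeof img[0] / sizeof img[0][0]`) or a shared named constant so the check cannot silently drift if the buffer is resized later. The placement is right, since the check sits before the `FORC(2)` read loop that does the out-of-bounds stores, and `width <= 2064` also keeps the later `FORC(width-1)` loop's `c+1` index inside the buffer. The `- double sum[]={0,0};` / `+ double sum[] = {0, 0};` pair is a whitespace-only change unrelated to the fix; dropping it keeps the hunk minimal.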

Due to issue upload file size limitations, the PoC is shared through Google Drive below.

PoC file : https://drive.google.com/file/d/1s5N0Ao2lAWO73bzVFmP6EMJ5LZ6Efo_Y/view?usp=drive_link

Credit : Seunghoon Woo & Kyeongseok Yang, CCS Lab
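As an added, stand-alone illustration (this is not code from the report above nor from the FLIF or dcraw sources), the same unpacking logic with the width check the patch proposes applied against the real capacity of the row buffer, so that the check and the array cannot disagree. Everything about the harness is an assumption: `mem_in`/`mem_getc` stand in for dcraw's `ifp`/`fseek`/`fgetc`, `FG_COLS` names the original 2064, the status codes are invented here, and the function returns the `sum[0]/sum[1]` ratio rather than the original's `100*log()` scaling so it needs no libm. The eight sample bytes are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Capacity of the per-row scratch buffer: the same 2064 as the original
   img[2][2064], named so the check and the array are defined in one place. */
#define FG_COLS 2064

/* Status codes (assumption): callers can tell a refused input from a value. */
enum { FG_OK = 0, FG_BAD_WIDTH = -1, FG_BAD_PARAMS = -2, FG_DEGENERATE = -3 };

/* In-memory stand-in for dcraw's ifp/fseek/fgetc (assumption: the real
   function reads a FILE*). Reads past the end return 0 rather than EOF, so a
   short input can never feed -1 into the bit buffer. */
typedef struct { const unsigned char *data; size_t len; size_t pos; } mem_in;

static unsigned mem_getc(mem_in *in)
{
    return in->pos < in->len ? in->data[in->pos++] : 0u;
}

/* Bounds-checked rewrite of find_green: same bit unpacking as the original,
   but width is validated against img's real capacity before the first store.
   Writes sum[0]/sum[1] to *ratio; the 100*log() scaling is left to the caller. */
int find_green_checked(mem_in *in, unsigned width, int bps, int bite,
                       size_t off0, size_t off1, double *ratio)
{
    uint16_t img[2][FG_COLS];
    uint64_t bitbuf = 0;
    double sum[2] = {0, 0};
    unsigned col, c;
    int vbits, i;

    if (bps < 1 || bps > 16 || bite < 8 || bite > 32 || bite % 8 != 0)
        return FG_BAD_PARAMS;
    /* The fix: a row wider than img[c] must never reach the store below.
       Width 0 or 1 would leave sum[1] at zero, so it is refused as well. */
    if (width < 2 || width > sizeof img[0] / sizeof img[0][0])
        return FG_BAD_WIDTH;

    for (c = 0; c < 2; c++) {
        in->pos = c ? off1 : off0;                 /* fseek(ifp, off, SEEK_SET) */
        for (vbits = 0, col = 0; col < width; col++) {
            for (vbits -= bps; vbits < 0; vbits += bite) {
                bitbuf <<= bite;
                for (i = 0; i < bite; i += 8)
                    bitbuf |= (uint64_t)mem_getc(in) << i;
            }
            img[c][col] = (uint16_t)(bitbuf << (64 - bps - vbits) >> (64 - bps));
        }
    }

    /* Green balance between the two rows, computed as in the original. */
    for (c = 0; c + 1 < width; c++) {
        int d0 = (int)img[0][c] - (int)img[1][c + 1];
        int d1 = (int)img[1][c] - (int)img[0][c + 1];
        sum[c & 1]  += d0 < 0 ? -d0 : d0;
        sum[~c & 1] += d1 < 0 ? -d1 : d1;
    }
    if (sum[0] <= 0 || sum[1] <= 0)
        return FG_DEGENERATE;                      /* would be log(0) or x/0 */
    *ratio = sum[0] / sum[1];
    return FG_OK;
}

/* Constructed sample: two 4-pixel rows of 8-bit samples (bps = bite = 8),
   row 0 at offset 0 and row 1 at offset 4. */
static const unsigned char SAMPLE[8] = { 10, 20, 30, 40, 12, 22, 32, 42 };

int demo_sample_status(void)
{
    mem_in in = { SAMPLE, sizeof SAMPLE, 0 };
    double r = 0;
    return find_green_checked(&in, 4, 8, 8, 0, 4, &r);
}

/* For SAMPLE: sum[0] = 12+8+12 = 32, sum[1] = 8+12+8 = 28, ratio = 32/28. */
double demo_sample_ratio(void)
{
    mem_in in = { SAMPLE, sizeof SAMPLE, 0 };
    double r = 0;
    return find_green_checked(&in, 4, 8, 8, 0, 4, &r) == FG_OK ? r : -1.0;
}

/* A header claiming FG_COLS + 1 columns is refused before any byte is read. */
int demo_oversized_width(void)
{
    mem_in in = { SAMPLE, sizeof SAMPLE, 0 };
    double r = 0;
    return find_green_checked(&in, FG_COLS + 1, 8, 8, 0, 4, &r);
}

int main(void)
{
    printf("status=%d ratio=%.6f oversized=%d\n",
           demo_sample_status(), demo_sample_ratio(), demo_oversized_width());
    return 0;
}
```

The check is placed before the read loop for the same reason the patch puts it after the declarations: the stores into `img[c][col]` are the first place an oversized `width` does damage, and the later `c+1` loop is covered automatically once `width` is known to fit. Deriving the bound from `sizeof img[0]` rather than repeating the literal is the one deliberate difference from the proposed patch.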
