out of bound read in libraw_cxx.cpp:6158(parse_x3f) #144

Closed
@Edward-L

Description

The GET_PROPERTY_TABLE in the x3f_load_property_list function gets a large name_offset and value_offset; the program will crash in the parse_x3f function's utf2char(P[i].name, name) and utf2char(P[i].value, value) when it accesses an unreadable address.

raw-identify poc_54F1F_name
Program received signal SIGSEGV, Segmentation fault.
0x0000000000454f1f in utf2char (buffer=0x7ffffff70d70 "FLENGTH", str=0x3e6e1cc8) at src/libraw_cxx.cpp:6087
(gdb) bt
#0  0x0000000000454f1f in utf2char (buffer=0x7ffffff70d70 "FLENGTH", str=0x3e6e1cc8) at src/libraw_cxx.cpp:6087
#1  LibRaw::parse_x3f (this=this@entry=0x7ffffff74170) at src/libraw_cxx.cpp:6158
#2  0x000000000043bd7e in LibRaw::identify (this=this@entry=0x7ffffff74170) at internal/dcraw_common.cpp:17827
#3  0x0000000000451b34 in LibRaw::open_datastream (this=0x7ffffff74170, stream=0x6decc0) at src/libraw_cxx.cpp:2002
#4  0x000000000045350c in LibRaw::open_file (this=this@entry=0x7ffffff74170, 
    fname=0x7fffffffe4d7 "poc_54F1F_name", max_buf_size=max_buf_size@entry=262144000)
    at src/libraw_cxx.cpp:1041
#5  0x0000000000403aeb in main (ac=<optimized out>, av=<optimized out>) at samples/raw-identify.cpp:136

Please assign a CVE-ID, thank you!
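The defensive check that is missing in the reported path, as an added example (not LibRaw's code): the property-table offsets are validated against the string data block before anything dereferences them, so an oversized name_offset or value_offset is rejected instead of read. The struct layout and the assumption that offsets count 16-bit code units from the start of the data block are simplifications made here, not LibRaw's definitions.

```cpp
#include <cstdint>
#include <cstddef>
#include <string>
#include <vector>

// Simplified stand-in for one entry of an X3F property table (assumption:
// offsets are 16-bit code units from the start of the string data block;
// this is not LibRaw's struct).
struct PropEntry {
    uint32_t name_offset;
    uint32_t value_offset;
};

// True only if a NUL-terminated UTF-16 string starts at `off` and its
// terminator lies inside `data` (length `n16` in 16-bit units). Doing this
// before dereferencing prevents the unreadable-address read described above.
static bool utf16StringInBounds(const uint16_t* data, size_t n16, uint32_t off) {
    if (off >= n16) return false;              // offset itself outside the block
    for (size_t i = off; i < n16; ++i)
        if (data[i] == 0) return true;         // terminator found within bounds
    return false;                              // string runs off the end of the block
}

// Convert the UTF-16 string at `off` to a narrow string. Callers must have
// validated `off` with utf16StringInBounds() first.
static std::string utf16ToAscii(const uint16_t* data, uint32_t off) {
    std::string out;
    for (const uint16_t* p = data + off; *p; ++p)
        out.push_back(*p < 0x80 ? static_cast<char>(*p) : '?');
    return out;
}

// Walk the table and count the entries that are safe to decode; any entry
// whose offsets fall outside the block is skipped rather than dereferenced.
static size_t countSafeEntries(const std::vector<PropEntry>& table,
                               const uint16_t* data, size_t n16) {
    size_t ok = 0;
    for (const PropEntry& e : table) {
        if (!utf16StringInBounds(data, n16, e.name_offset) ||
            !utf16StringInBounds(data, n16, e.value_offset))
            continue;                          // malformed entry: reject, do not read
        ++ok;
    }
    return ok;
}
```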
