out of bound read in libraw_cxx.cpp:6158(parse_x3f)

[Edward-L]

The GET_PROPERTY_TABLE in x3f_load_property_list function get a large name_offset and value_offset, the programe will crash in parse_x3f funtion 's utf2char(P[i].name, name) and utf2char(P[i].value, value) when it access a unreadable address.

raw-identify poc_54F1F_name
Program received signal SIGSEGV, Segmentation fault.
0x0000000000454f1f in utf2char (buffer=0x7ffffff70d70 "FLENGTH", str=0x3e6e1cc8) at src/libraw_cxx.cpp:6087
(gdb) bt
#0  0x0000000000454f1f in utf2char (buffer=0x7ffffff70d70 "FLENGTH", str=0x3e6e1cc8) at src/libraw_cxx.cpp:6087
#1  LibRaw::parse_x3f (this=this@entry=0x7ffffff74170) at src/libraw_cxx.cpp:6158
#2  0x000000000043bd7e in LibRaw::identify (this=this@entry=0x7ffffff74170) at internal/dcraw_common.cpp:17827
#3  0x0000000000451b34 in LibRaw::open_datastream (this=0x7ffffff74170, stream=0x6decc0) at src/libraw_cxx.cpp:2002
#4  0x000000000045350c in LibRaw::open_file (this=this@entry=0x7ffffff74170, 
    fname=0x7fffffffe4d7 "poc_54F1F_name", max_buf_size=max_buf_size@entry=262144000)
    at src/libraw_cxx.cpp:1041
#5  0x0000000000403aeb in main (ac=<optimized out>, av=<optimized out>) at samples/raw-identify.cpp:136

Please assign a CVE-ID, thank you!

[LibRaw]

Do you have some sample file that causes the crash?

Also, I have not working with CVE-ID assignment mechanics, so no way I'll do it now. Do it yourself if you need CVE#

[Edward-L]

Sorry, because of some security reasons, i can not send crash file to you. But I think this should be easy to analysis.

[LibRaw]

Yes, the stack overrun is very easy to fix: 895529f

I was interested to see properties list parser too and it is much easier to do with specially crafted file on hands (normal files are parsed normally).

[LibRaw]

Followup: my fix fixes possible stack overrun, not out of bound read. I really need sample to fix OOB read too.

[Edward-L]

I checked your patch and the problem still exists. My team has sent the POC to your email(info@libraw.org). Please check it out.

[LibRaw]

It is definitely not received for the moment I writing this (spam boxes and mail logs are checked too).

Could you disclose From: email (e.g. partially only left side or only right side) for in-depth check? I've checked the logs for last 3 hours only

[LibRaw]

received, thanks

[LibRaw]

Out of bound property table read/broken property table has fixed in
master: f0c505a
0.19-stable: 6b08eae

please confirm the fix

[Edward-L]

ok,i'm in hoilday now, i will check it 3 days later.

[carnil]

Two CVEs were assigned, they are CVE-2018-10529 and CVE-2018-10528

[LibRaw]

Thanks a lot. I'm not a CVE-ID-assignment master.

To be reflected in Changelog on 0.18.10 release (waiting for @Edward-L confirmation)

[kirotawa]

Could you attach the POC for tests in old versions that will be patched?

Thanks!

[LibRaw]

See above: @Edward-L does not want to disclose that for some security reasons: #144 (comment)

[Edward-L]

I think you have fixed it. I have not found any problems until now. Thanks.

[LibRaw]

OK, 0.18 updated too: f2fe201

Tarballs on main site also updated: https://www.libraw.org/download

@carnil, what should I do with CVEs?