
LibRaw: Out of bounds write in LibRaw::sonyParseSR2

Moderate
rcorrea35 published GHSA-724w-62fm-c94c Aug 14, 2024

Package

LibRaw

Affected versions

0.21.2

Patched versions

None

Description

Summary

Memory corruption can be achieved by parsing an SR2 file whose nested Image File Directory (IFD) contains more than 64 TIFF entries of specific types.

Severity

Moderate - The values written out of bounds are unsigned shorts read from the input and stored as floats. The libraw_data_t struct, in which the overflow manifests, cannot be overrun into adjacent objects: the parser accepts at most 1000 entries, and the space remaining in the struct after the overflowed table is larger than those entries need. An attacker could, however, use the write to corrupt adjacent fields of the struct and achieve second-order memory corruption.

Proof of Concept

  1. Build LibRaw following the instructions in https://github.com/LibRaw/LibRaw/blob/158e635e5e80a95dfa402b0a79a7167922c1d4ec/INSTALL
  2. Run the bin/simple_dcraw sample binary on the PoC file: bin/simple_dcraw poc.sr2.bin

Further Analysis

LibRaw supports SR2, a proprietary binary format developed by Sony to encode RAW pictures. The SR2 sub-directory is identified by TIFF tag 0xc634 and holds the details of the encrypted TIFF entries, such as their length and the key needed to decrypt the nested content.

The entry point is LibRaw::open_buffer, which internally calls LibRaw::identify. There are two paths to LibRaw::parseSonySR2, both through LibRaw::parse_tiff_ifd during the identify stage. Taking one as an example, the nested directory is decrypted at https://github.com/LibRaw/LibRaw/blob/158e635e5e80a95dfa402b0a79a7167922c1d4ec/src/metadata/tiff.cpp#L1669 and the decrypted TIFF entries are then handled by LibRaw::sonyParseSR2, which is called immediately afterwards.

The first two bytes of the decrypted data give the number of entries; the remaining bytes are the nested TIFF entries themselves. The issue can be triggered through two different sets of TIFF tags, handled at https://github.com/LibRaw/LibRaw/blob/158e635e5e80a95dfa402b0a79a7167922c1d4ec/src/metadata/sony.cpp#L2209 and at https://github.com/LibRaw/LibRaw/blob/158e635e5e80a95dfa402b0a79a7167922c1d4ec/src/metadata/sony.cpp#L2222. For each matching entry, the first value written out of bounds is constrained to the Sony_SR2_wb_list1 entries greater than 255, while the four values that follow come directly from the input. The writes land in icWBCCTC (an alias of imgdata.color.WBCT_Coeffs), which has room for only 64 entries (https://github.com/LibRaw/LibRaw/blob/158e635e5e80a95dfa402b0a79a7167922c1d4ec/libraw/libraw_types.h#L796), while the parser accepts up to 1000 entries (https://github.com/LibRaw/LibRaw/blob/158e635e5e80a95dfa402b0a79a7167922c1d4ec/src/metadata/sony.cpp#L2129) and never checks the row index against the table size.
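The walk described above, as an added example that is not LibRaw's own code: a cut-down model of the nested-IFD parse (u16 entry count, then 12-byte TIFF entries, one WBCT_Coeffs row per white-balance hit) with the row index bounded only by the 1000-entry cap, beside the same walk with the missing check against the 64-row table. The struct layout, the tag numbers in the stand-in Sony_SR2_wb_list1 table and the constructed IFD builder are assumptions made for this example; only the 64-row table size and the 1000-entry cap come from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WBCT_ROWS       64    /* float WBCT_Coeffs[64][5] in libraw_types.h, per the advisory */
#define SR2_MAX_ENTRIES 1000  /* the only cap the parser applies, per the advisory */
#define TIFF_ENTRY_LEN  12    /* tag(2) type(2) count(4) value-or-offset(4) */

/* Assumed layout: the table, then 20 bytes standing in for the libraw_data_t
 * fields that one overrun row (5 floats) would land on. */
typedef struct {
    float    WBCT_Coeffs[WBCT_ROWS][5];
    uint32_t next_fields[5];
} model_colordata_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Constructed stand-in for Sony_SR2_wb_list1 (tag -> colour temperature);
 * these tag numbers are invented for the example. */
static int wb_list1_temp(uint16_t tag) {
    switch (tag) {
    case 0x7310: return 3200;
    case 0x7311: return 4500;
    case 0x7312: return 6500;
    default:     return -1;
    }
}

/* Walk a decrypted SR2 sub-IFD: u16 entry count, then 12-byte TIFF entries.
 * Each list1 hit fills one WBCT_Coeffs row: the temperature, then 4 unsigned
 * shorts read at the entry's offset. With bounded == 0 the row index is
 * limited only by the 1000-entry cap (the bug: hit 65 writes past the table);
 * with bounded != 0 rows beyond the table are dropped. Returns rows stored,
 * or -1 on malformed input. */
static int sr2_parse(const uint8_t *buf, size_t len, model_colordata_t *cd, int bounded) {
    if (len < 2) return -1;
    unsigned entries = rd16(buf);
    if (entries > SR2_MAX_ENTRIES) return -1;
    if (len - 2 < (size_t)entries * TIFF_ENTRY_LEN) return -1;
    int row = 0;
    for (unsigned i = 0; i < entries; i++) {
        const uint8_t *e = buf + 2 + (size_t)i * TIFF_ENTRY_LEN;
        int temp = wb_list1_temp(rd16(e));
        if (temp < 0) continue;                          /* not a white-balance tag */
        uint32_t off = rd32(e + 8);
        if (off > len || len - off < 8) return -1;       /* data must lie inside the buffer */
        if (bounded && row >= WBCT_ROWS) continue;       /* the missing check */
        cd->WBCT_Coeffs[row][0] = (float)temp;
        for (int c = 0; c < 4; c++)
            cd->WBCT_Coeffs[row][c + 1] = (float)rd16(buf + off + 2 * c);
        row++;
    }
    return row;
}

/* Constructed sub-IFD: `hits` entries tagged 0x7310, all pointing at one block
 * of four shorts (1,2,3,4) placed after the entry table. Returns bytes written. */
static size_t build_sr2_ifd(uint8_t *out, size_t cap, unsigned hits) {
    size_t data_off = 2 + (size_t)hits * TIFF_ENTRY_LEN, total = data_off + 8;
    if (hits > 0xFFFF || total > cap) return 0;
    memset(out, 0, total);
    out[0] = (uint8_t)hits; out[1] = (uint8_t)(hits >> 8);
    for (unsigned i = 0; i < hits; i++) {
        uint8_t *e = out + 2 + (size_t)i * TIFF_ENTRY_LEN;
        e[0] = 0x10; e[1] = 0x73; e[2] = 3; e[4] = 4;    /* tag 0x7310, type SHORT, count 4 */
        for (int b = 0; b < 4; b++) e[8 + b] = (uint8_t)(data_off >> (8 * b));
    }
    for (int c = 0; c < 4; c++) out[data_off + 2 * c] = (uint8_t)(c + 1);
    return total;
}

/* Parse a constructed IFD with `hits` list1 entries. Returns rows stored if the
 * fields after the table survived, -2 if they were overwritten, -1 on error. */
static int run_case(unsigned hits, int bounded) {
    static uint8_t ifd[2 + 1100 * TIFF_ENTRY_LEN + 8];
    static model_colordata_t cd;
    memset(&cd, 0, sizeof cd);
    for (int i = 0; i < 5; i++) cd.next_fields[i] = 0xCAFEBABEu;
    int rows = sr2_parse(ifd, build_sr2_ifd(ifd, sizeof ifd, hits), &cd, bounded);
    for (int i = 0; i < 5; i++)
        if (cd.next_fields[i] != 0xCAFEBABEu) return -2;
    return rows;
}

int main(void) {
    printf("64 hits, unbounded: %d\n", run_case(64, 0));    /* 64: fills the table exactly */
    printf("100 hits, bounded: %d\n", run_case(100, 1));    /* 64: extra rows dropped */
    printf("1001 hits, bounded: %d\n", run_case(1001, 1));  /* -1: over the entry cap */
    /* Row 65 of the unbounded walk lands on next_fields (undefined behaviour,
     * shown only here to make the overrun visible). */
    printf("65 hits, unbounded: %d\n", run_case(65, 0));    /* -2: table overrun */
    return 0;
}
```

The bounded variant silently drops rows past the 64th; whether LibRaw's fix drops, clamps or rejects such input is not stated on this page, so the check here is one reasonable choice rather than a description of the upstream patch.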

Timeline

Date reported: 05/24/2024
Date fixed: 05/25/2024
Date disclosed: 07/15/2024

CVE ID

No known CVE

Weaknesses

No CWEs

Credits