LibRaw 0.18.9 CVE-2018-10528 stack-based buffer overflow

Authors: Edward-L            Risk: High

CVE: CVE-2018-10528         0day: buffer overflow

0day-id: 0DAY-176124        Date: 2018-04-30


An issue was discovered in LibRaw 0.18.9. There is a stack-based buffer overflow in the utf2char function in libraw_cxx.cpp.


GET_PROPERTY_TABLE in the x3f_load_property_list function reads a large name_offset and value_offset from the file; the program then crashes in parse_x3f at utf2char(P[i].name, name) and utf2char(P[i].value, value) when it accesses an unreadable address.

raw-identify poc_54F1F_name
Program received signal SIGSEGV, Segmentation fault.
0x0000000000454f1f in utf2char (buffer=0x7ffffff70d70 "FLENGTH", str=0x3e6e1cc8) at src/libraw_cxx.cpp:6087
(gdb) bt
#0  0x0000000000454f1f in utf2char (buffer=0x7ffffff70d70 "FLENGTH", str=0x3e6e1cc8) at src/libraw_cxx.cpp:6087
#1  LibRaw::parse_x3f (this=this@entry=0x7ffffff74170) at src/libraw_cxx.cpp:6158
#2  0x000000000043bd7e in LibRaw::identify (this=this@entry=0x7ffffff74170) at internal/dcraw_common.cpp:17827
#3  0x0000000000451b34 in LibRaw::open_datastream (this=0x7ffffff74170, stream=0x6decc0) at src/libraw_cxx.cpp:2002
#4  0x000000000045350c in LibRaw::open_file (this=this@entry=0x7ffffff74170, 
    fname=0x7fffffffe4d7 "poc_54F1F_name", max_buf_size=max_buf_size@entry=262144000)
    at src/libraw_cxx.cpp:1041
#5  0x0000000000403aeb in main (ac=<optimized out>, av=<optimized out>) at samples/raw-identify.cpp:136
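As an added illustration (not code from the advisory or from LibRaw), the byte count the pre-fix utf2char would write is shown beside a bounded copy written in the shape of the upstream patch, run on a constructed 150-unit property name against a 100-byte buffer matching the `char name[100]` on parse_x3f's stack. The `utf16_t` typedef, `struct copy_result` and `x3f_property_copy` are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef uint16_t utf16_t;   /* assumed: LibRaw's X3F UTF-16 code unit type */
/* Bounded copy in the shape of the upstream fix: low byte of each unit, stop at
 * the NUL unit or after bufsz-1 bytes, always NUL-terminate. Returns units dropped. */
size_t utf2char_bounded(const utf16_t *str, char *buffer, size_t bufsz)
{
    size_t dropped = 0;
    char *b = buffer;
    if (bufsz < 1) return 0;
    for (; *str != 0; str++) {
        if (bufsz > 1) { *b++ = (char)*str; bufsz--; }
        else dropped++;             /* only the terminator's slot is left */
    }
    *b = 0;
    return dropped;
}

/* Bytes the pre-fix utf2char wrote (every unit up to NUL, plus terminator);
 * more than the destination size is the stack overflow in parse_x3f. */
size_t utf2char_unbounded_bytes(const utf16_t *str)
{
    size_t n = 0;
    while (str[n] != 0) n++;
    return n + 1;
}

struct copy_result { size_t written; size_t dropped; int old_overflows; };
/* Hypothetical helper: constructs `units` ASCII 'A' code units (capped at 255)
 * and copies them into a 100-byte buffer like parse_x3f's name[100]/value[100]. */
struct copy_result x3f_property_copy(size_t units)
{
    utf16_t name[256];          /* constructed input, NUL-terminated below */
    char dst[100];              /* same size as char name[100] in parse_x3f */
    struct copy_result r; size_t i;
    if (units > 255) units = 255;
    for (i = 0; i < units; i++) name[i] = (utf16_t)'A';
    name[units] = 0;
    r.old_overflows = utf2char_unbounded_bytes(name) > sizeof dst;
    r.dropped = utf2char_bounded(name, dst, sizeof dst);
    r.written = strlen(dst);
    return r;
}

int main(void) {
    struct copy_result r = x3f_property_copy(150);
    printf("old code overflows: %d; fixed code kept %zu bytes, dropped %zu units\n",
           r.old_overflows, r.written, r.dropped);
}
```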
X3F parser possible buffer overrun

void x3f_clear(void *p) { x3f_delete((x3f_t *)p); }
-static char *utf2char(utf16_t *str, char *buffer)
+void utf2char(utf16_t *str, char *buffer, unsigned bufsz)
+ if(bufsz<1) return;
+ buffer[bufsz-1] = 0;
   char *b = buffer;
-  while (*str != 0x00)
+  while (*str != 0x00 && --bufsz>0)
     char *chr = (char *)str;
     *b++ = *chr;
   *b = 0;
-  return buffer;
 static void *lr_memmem(const void *l, size_t l_len, const void *s, size_t s_len)
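Review bot: the new utf2char bounds the write into buffer but not the read from str: the loop still dereferences *str until it finds a NUL unit, and the description above attributes the crash to a large name_offset/value_offset in x3f_load_property_list leaving P[i].name and P[i].value pointing at an unreadable address, so a range check that those offsets fall inside the loaded property table is still needed alongside this hunk. Two smaller points: `static char *utf2char` became a non-static `void utf2char`, which gives the helper external linkage and drops a return value other callers may rely on, so keep it `static` unless it is meant to be exported; and `buffer[bufsz-1] = 0;` is redundant with the unconditional `*b = 0;` at the end, since `--bufsz>0` stops the loop with b no further than buffer+bufsz-1.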
@@ -6155,8 +6156,8 @@ void LibRaw::parse_x3f()
       for (i = 0; i < PL->num_properties; i++)
         char name[100], value[100];
-        utf2char(P[i].name, name);
-        utf2char(P[i].value, value);
+        utf2char(P[i].name, name,sizeof(name));
+        utf2char(P[i].value, value,sizeof(value));
         if (!strcmp(name, "ISO"))
           imgdata.other.iso_speed = atoi(value);
         if (!strcmp(name, "CAMMANUF"))
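Review bot: passing sizeof(name) and sizeof(value) is the right bound for the two calls, but the truncation is silent: a value longer than 99 bytes reaches atoi(value) cut short and a truncated name can no longer match the strcmp keys, so consider having utf2char report truncation (or skipping such a property) so a malformed X3F is rejected rather than half-parsed. Style: `value,sizeof(value)` needs a space after the comma to match the surrounding code.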
