LibRaw Heap-Based Buffer Overflow Vulnerability in Huffman Table Initialization

A heap-based buffer overflow vulnerability has been identified in LibRaw versions corresponding to Commit 0b56545 and Commit d20315b. The issue arises in the HuffTable::initval function, where the 'bits' array, which defines the Huffman table structure, is not properly validated before being used to determine the table size. This oversight allows an attacker to craft a malicious file that exploits the vulnerability, leading to a heap buffer overflow.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can potentially be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the application.

Reproduction

The vulnerability can be reproduced by using a crafted file that includes a 'bits' array violating the assumptions of the Huffman table initialization in the LibRaw JPEG decompression routine. This can be done by, for example, setting 'bits[5]' to 100 and 'bits[6]' to 1, while keeping all other 'bits[i]' values at 0. This crafted input will trigger the buffer overflow by causing the application to attempt to write more data to the Huffman table than it has allocated space for.

Remediation

LibRaw has released a patch for this vulnerability. Users should update to the latest version available on the LibRaw GitHub repository.