libgphoto2 Out-of-Bounds Read Vulnerability in PTP Unpacking Function
Vulnerability
A moderate out-of-bounds read vulnerability has been identified in libgphoto2, a library for camera access and control. The issue affects libgphoto2 versions through 2.5.33. The vulnerability lies in the PTP unpacking function 'ptp_unpack_DPV()' in 'camlibs/ptp2/ptp-pack.c', lines 622 to 629, when the function processes the data types PTP_DTC_UINT128 and PTP_DTC_INT128. For these types the function advances the offset by 16 bytes without first verifying that 16 bytes remain in the buffer. Although there is an initial check that the offset is within bounds, it only guarantees that at least one byte is available, leaving up to 15 bytes unvalidated. A malicious PTP/IP server or USB device can exploit this by sending a crafted Device Property Value, causing the offset to exceed the buffer limit and bypassing the intended safety checks.
Impact
Exploitation of this vulnerability can disclose up to 16 bytes of adjacent heap memory for each crafted property value response. Because the offset is allowed to exceed the buffer length, subsequent unsigned remaining-length arithmetic wraps around, which defeats downstream bounds checks and may lead to further memory corruption or exploitation.
Reproduction
To reproduce this vulnerability, a PTP/IP server or malicious USB device must send a Device Property Value with a datatype of PTP_DTC_UINT128 or PTP_DTC_INT128 in a buffer smaller than 16 bytes. The 'ptp_unpack_DPV()' function then advances the offset beyond the buffer boundary, and the offset value wraps because of unsigned arithmetic. This can be verified by observing the behavior of the CTVAL macro, which incorrectly assesses the bounds and allows the out-of-bounds read to occur.
Remediation
Users can apply the patch available in commit 433bde9888d70aa726e32744cd751d7dbe94379a, which adds the necessary bounds checks before advancing the offset for UINT128 and INT128 datatypes.
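The following simplified C model, written for this page and not taken from libgphoto2, puts the weak one-byte pre-check described in the Vulnerability and Reproduction sections beside the 16-byte check that the Remediation section describes, and shows why an offset past the end of the buffer makes a downstream unsigned "bytes remaining" computation wrap. The function names, the datatype constants (assumed to match the PTP specification values) and the sample buffer are all constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>

/* Datatype codes for the two affected types; assumed to match the PTP
 * specification values, not copied from libgphoto2's headers. */
#define DTC_INT128  0x0009
#define DTC_UINT128 0x000A

/* Weak pre-check of the kind the advisory describes: it only proves that
 * one byte exists at *off, then copies 16 and advances the offset by 16. */
int unpack_128_weak(const unsigned char *buf, unsigned int len,
                    unsigned int *off, uint16_t dtc, unsigned char out[16])
{
    if (dtc != DTC_INT128 && dtc != DTC_UINT128) return 0;
    if (*off >= len) return 0;        /* guarantees 1 byte, not 16 */
    memcpy(out, buf + *off, 16);      /* up to 15 bytes past len */
    *off += 16;                       /* offset may now exceed len */
    return 1;
}

/* Hardened form: require 16 bytes remaining before touching the buffer,
 * written so the subtraction itself cannot wrap. */
int unpack_128_fixed(const unsigned char *buf, unsigned int len,
                     unsigned int *off, uint16_t dtc, unsigned char out[16])
{
    if (dtc != DTC_INT128 && dtc != DTC_UINT128) return 0;
    if (*off > len || len - *off < 16) return 0;
    memcpy(out, buf + *off, 16);
    *off += 16;
    return 1;
}

/* A downstream "bytes left" computation: once off > len, unsigned
 * subtraction wraps to a huge value and later bounds checks pass. */
unsigned int bytes_remaining(unsigned int len, unsigned int off)
{
    return len - off;
}

/* Constructed sample: the device claims an 8-byte value; the bytes live in
 * a 32-byte backing store so this demonstration never leaves owned memory. */
unsigned int demo_offset(int (*unpack)(const unsigned char *, unsigned int,
                                       unsigned int *, uint16_t, unsigned char *))
{
    unsigned char backing[32] = {0};
    unsigned char out[16];
    unsigned int off = 0;
    unpack(backing, 8, &off, DTC_UINT128, out);
    return off;                       /* weak: 16, fixed: 0 */
}
```

With the weak check the offset ends at 16 for an 8-byte value, and bytes_remaining(8, 16) wraps to 0xFFFFFFF8, so any later "at least N bytes left" test succeeds; the hardened check refuses the value and leaves the offset untouched.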