LibRaw Out-of-Bounds Write Vulnerability in JPEG DHT Parser

Vulnerability

A heap out-of-bounds write vulnerability has been identified in LibRaw versions prior to 0.22.0. The issue arises in the HuffTable::initval function within the JPEG DHT Parser component, specifically in the file src/decompressors/losslessjpeg.cpp. The vulnerability is triggered by manipulating the bits[] argument, which leads to an out-of-bounds write. This flaw can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by using the LibRaw library to process a TIFF file that contains a minimal lossless JPEG tile with a malformed DHT segment. The DHT segment should be crafted to include attacker-controlled values that exploit the lack of bounds validation in the HuffTable::initval function. This can be done by setting bits[1] to 3, which will cause three writes into a table that can only hold two entries, effectively writing one entry past the end of the allocated vector. After compiling LibRaw with address and undefined behavior sanitizers enabled, the crafted TIFF file can be processed using the 'simple_dcraw' command-line tool, which is included in the LibRaw distribution.
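The missing validation described above can be expressed as a per-length capacity check on the 16 DHT code-length counts. This is an added example, not LibRaw's code or its actual patch: `validate_dht_counts`, `DhtCheck` and the 0-based `counts` array are hypothetical names, and it assumes the page's `bits[1]` is the number of codes of length 1 (so it maps to `counts[0]`).

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Outcome of validating the 16 code-length counts of a JPEG DHT table.
enum class DhtCheck { Ok, TooManyCodesForLength, TooManySymbols };

// counts[i] = number of Huffman codes of length i+1, i.e. the 16 count bytes
// that follow the table class/id byte in a DHT segment.
// Hypothetical helper for illustration; not a LibRaw function.
DhtCheck validate_dht_counts(const std::array<uint8_t, 16>& counts) {
    // free_codes = prefix-free codes still available at the current length.
    // Length 1 offers 2 codes; every unused code yields 2 codes one bit longer.
    uint32_t free_codes = 2;
    uint32_t total = 0;
    for (std::size_t i = 0; i < counts.size(); ++i) {
        // The case from the page: 3 codes of length 1 against a capacity of 2.
        if (counts[i] > free_codes) return DhtCheck::TooManyCodesForLength;
        free_codes = (free_codes - counts[i]) * 2;  // at most 2^17, fits uint32_t
        total += counts[i];
    }
    // Symbol values are single bytes, so a table cannot define more than 256.
    if (total > 256) return DhtCheck::TooManySymbols;
    return DhtCheck::Ok;
}

int main() {
    // Constructed input mirroring the malformed table described above.
    std::array<uint8_t, 16> malformed{};
    malformed[0] = 3;  // three codes of length 1
    bool rejected = validate_dht_counts(malformed) != DhtCheck::Ok;
    std::printf("malformed table %s\n", rejected ? "rejected" : "accepted");
    return rejected ? 0 : 1;
}
```

A parser that runs a check of this kind before building its lookup tables rejects the malformed segment instead of sizing writes from untrusted counts.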

Remediation

Users are advised to upgrade LibRaw to version 0.22.1, which addresses this vulnerability. The fix is obtained by downloading the latest version from the LibRaw GitHub repository.

Added: Apr 2, 2026, 3:19 AM
Updated: Apr 2, 2026, 3:19 AM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 3.1
exploitability: 6.0
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.