Headline
CVE-2020-35530: X3F: check huffman tree size · LibRaw/LibRaw@11c4db2
In LibRaw, there is an out-of-bounds write vulnerability within the "new_node()" function (libraw\src\x3f\x3f_utils_patched.cpp) that can be triggered via a crafted X3F file.
@@ -179,6 +179,7 @@ static void new_huffman_tree(x3f_hufftree_t *HTP, int bits)
int leaves = 1 << bits;
HTP->free_node_index = 0;
HTP->total_node_index = HUF_TREE_MAX_NODES(leaves);
HTP->nodes = (x3f_huffnode_t *)calloc(1, HUF_TREE_MAX_NODES(leaves) *
sizeof(x3f_huffnode_t));
}
@@ -708,6 +709,8 @@ static char *display_code(int length, uint32_t code, char *buffer)
static x3f_huffnode_t *new_node(x3f_hufftree_t *tree)
{
if (tree->free_node_index >= tree->total_node_index)
throw LIBRAW_EXCEPTION_IO_CORRUPT;
x3f_huffnode_t *t = &tree->nodes[tree->free_node_index];
t->branch[0] = NULL;