LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpackthumb.cpp, postprocessing/memimage.cpp, and utils/thumbutils.cpp. For example, malloc(sizeof(librawprocessedimaget)+T.tlength) occurs without validating T.tlength.
{ "vanir_signatures": [ { "digest": { "line_hashes": [ "95504925387959412511911477587878745185", "211498614830520016092898085902592191304", "258909625175771742828218197375693978553" ], "threshold": 0.9 }, "target": { "file": "src/utils/thumb_utils.cpp" }, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2020-15503-4de4e8ed", "source": "https://github.com/libraw/libraw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d", "deprecated": false }, { "digest": { "length": 5265.0, "function_hash": "20834980326322708084884246758929434607" }, "target": { "function": "LibRaw::kodak_thumb_loader", "file": "src/utils/thumb_utils.cpp" }, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2020-15503-b47b1d85", "source": "https://github.com/libraw/libraw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d", "deprecated": false }, { "digest": { "length": 1869.0, "function_hash": "60925816791984355313585374140980915893" }, "target": { "function": "LibRaw::dcraw_make_mem_thumb", "file": "src/postprocessing/mem_image.cpp" }, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2020-15503-bab2ecca", "source": "https://github.com/libraw/libraw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d", "deprecated": false }, { "digest": { "line_hashes": [ "59779410903218153793678754994680767601", "132752582361061888394256996303006118673", "185045691167740575729910415964833655416", "161049959832819816644170497010757592682", "260007268614515162766175710996963767171", "255532408959626893688328621463383668856", "293793618887016688055475224622010045250", "237163547497289955783163831819047220253", "53946906021982039869438027886283012302", "159623424722262447118890624610300865183", "24074827839660080180766803516914248259", "193770801203564601580014460272938621217", "279776459699944493687719371011149108112", "106535962320044590641199677616499872207", "283450966731452391535050062147183429866", "94649701061232974678424622551508588263", "211509070784551980709998278180183119961", "283511725562753475212592465244817300621", "80668828536364397405743644776123983152", "237567926824714123645467842340474684318", "285312419739008761685997607143246357862", "258224793432605195806530931128263774249", "65443162971290850839897068754309996559", "148315636905740143535486119577249766951", "181202847632146431652953263163741802944", "106211129585307599656075310087927609507", "195072596634072040877784318058145114722", "306099842656121619297437396043320744575", "239128415640668498542060449212822440966", "25636571237006944437910063657224247718", "78239118379284603983132881493921935450", "47533961952800260579564617492129636545" ], "threshold": 0.9 }, "target": { "file": "src/decoders/unpack_thumb.cpp" }, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2020-15503-bd149f8b", "source": "https://github.com/libraw/libraw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d", "deprecated": false }, { "digest": { "length": 7684.0, "function_hash": "51726212998995411333273680451998935224" }, "target": { "function": "LibRaw::unpack_thumb", "file": "src/decoders/unpack_thumb.cpp" }, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2020-15503-ccd49802", "source": "https://github.com/libraw/libraw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d", "deprecated": false }, { "digest": { "line_hashes": [ "187981261985522913612295356341902997356", "316324685096684762484593438217362973867", "42418153475302119724450462163414037082" ], "threshold": 0.9 }, "target": { "file": "src/postprocessing/mem_image.cpp" }, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2020-15503-ddbaed06", "source": "https://github.com/libraw/libraw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d", "deprecated": false }, { "digest": { "line_hashes": [ "249569001442104715920048703562899778" ], "threshold": 0.9 }, "target": { "file": "libraw/libraw_const.h" }, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2020-15503-ddf53db8", "source": "https://github.com/libraw/libraw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d", "deprecated": false } ] }